Properly securing GAE Task Queue URLs (without using app.yaml)

I want to secure my Task Queue URLs against malicious access.


In the views that the Task Queue requests I've got:


from google.appengine.api import users
from django.http import HttpResponse
if not users.is_current_user_admin():
    return HttpResponse(status=403)

But my Task Queues are receiving 403 errors! I was under the impression from this GAE documentation that the Task Queue user was guaranteed to be an admin. What gives?

NOTE: I'm using DjangoNonRel so I can't specify the admin only url access in my app.yaml, I have to do it programmatically in the views.


2 solutions

#1

10

Tasks can bypass login: admin restrictions, however users.is_current_user_admin() will still return false, as there is technically no current user.


Using Django-nonrel shouldn't stop you from protecting your tasks with app.yaml. Just add a protected handler above your Django catch-all:


handlers:

- url: /tasks/.+
  script: main.py
  login: admin

- url: .*
  script: main.py

Any URLs that start with /tasks/ will be accessible to the task queue and inaccessible to non-admin visitors, without changing how anything routes.


#2

4

Your handlers can look for a task queue HTTP header, such as X-AppEngine-QueueName.


From official GAE docs :


Requests from the Task Queue service contain the following HTTP headers:


X-AppEngine-QueueName
X-AppEngine-TaskName
X-AppEngine-TaskRetryCount
X-AppEngine-TaskExecutionCount
X-AppEngine-TaskETA


These headers are set internally by Google App Engine. If your request handler finds any of these headers, it can trust that the request is a Task Queue request. If any of the above headers are present in an external user request to your app, they are stripped.

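A Django-style view guard built on the header check from this answer, added here as an illustration (it is not code from the answer or from the App Engine SDK). It assumes Django's convention of exposing request headers in request.META as HTTP_<NAME>, and uses small stand-ins for HttpRequest/HttpResponse so it runs without Django installed:

```python
from functools import wraps

# Headers the Task Queue service sets, as listed in the answer above, in the
# HTTP_* form Django puts them into request.META (assumption: Django's convention).
TASK_QUEUE_HEADERS = (
    "HTTP_X_APPENGINE_QUEUENAME",
    "HTTP_X_APPENGINE_TASKNAME",
    "HTTP_X_APPENGINE_TASKRETRYCOUNT",
    "HTTP_X_APPENGINE_TASKEXECUTIONCOUNT",
    "HTTP_X_APPENGINE_TASKETA",
)


class HttpResponse:  # stand-in for django.http.HttpResponse (hypothetical)
    def __init__(self, content=b"", status=200):
        self.content = content
        self.status_code = status


class FakeRequest:  # stand-in for django.http.HttpRequest (hypothetical)
    def __init__(self, meta):
        self.META = dict(meta)  # META is the WSGI environ in real Django


def is_task_queue_request(request):
    """True only if App Engine stamped the request as coming from the Task
    Queue service. This is trustworthy on production App Engine because the
    front end strips these headers from external requests; it proves nothing
    on the dev server or behind any proxy that does not strip them."""
    return any(h in request.META for h in TASK_QUEUE_HEADERS)


def task_queue_only(view):
    """Decorator: answer 403 to anything that is not a Task Queue request."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        if not is_task_queue_request(request):
            return HttpResponse(status=403)
        return view(request, *args, **kwargs)
    return wrapper


@task_queue_only
def process_task(request):
    # Example task handler (hypothetical): report which queue dispatched it.
    queue = request.META.get("HTTP_X_APPENGINE_QUEUENAME", "unknown")
    return HttpResponse(("processed from queue %s" % queue).encode(), status=200)
```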
