I want to secure my Task Queue URLs against malicious access.
In the views that the Task Queue requests I've got:
if not users.is_current_user_admin():
return HttpResponse(status=403)
But my Task Queues are receiving 403 errors! I was under the impression from this GAE documentation that the Task Queue user was gauranteed to be an admin. What gives?
NOTE: I'm using DjangoNonRel so I can't specify the admin only url access in my app.yaml, I have to do it programmatically in the views.
Tasks can bypass login: admin restrictions, however users.is_current_user_admin() will still return false, as there is technically no current user.
Using Django-nonrel shouldn't stop you from protecting your tasks with app.yaml. Just add a protected handler above your Django catch-all:
handlers:
- url: /tasks/.+
script: main.py
login: admin
- url: .*
script: main.py
Any URLs that start with /tasks/ will be accessible to the task queue and inaccessible to non-admin visitors, without changing how anything routes.