-rw-r--r--dashboard/app/access.go20
1 files changed, 19 insertions, 1 deletions
diff --git a/dashboard/app/access.go b/dashboard/app/access.go
index 0e746aa20..79165bb16 100644
--- a/dashboard/app/access.go
+++ b/dashboard/app/access.go
@@ -59,6 +59,24 @@ func emailInAuthDomains(email string, authDomains []string) bool {
return false
}
+func currentUser(c context.Context, r *http.Request) *user.User {
+ u := user.Current(c)
+ if u != nil {
+ return u
+ }
+ // Let's ignore err here. In case of the wrong token we'll return nil here (it means AccessPublic).
+ // Bad or expired tokens will also enable throttling and make the authorization problem visible.
+ u, _ = user.CurrentOAuth(c, "https://www.googleapis.com/auth/userinfo.email")
+ return u
+}
+
+// accessLevel supports 2 authorization mechanisms.
+// They're checked in the following order:
+// 1. AppEngine authorization. To authenticate yourself, click "Sign-in" on the dashboard page.
+// 2. OAuth2 bearer token generated by "gcloud auth print-access-token" call.
+//
+// OAuth2 token is expected to be present in "Authorization" header.
+// Example: "Authorization: Bearer $(gcloud auth print-access-token)".
func accessLevel(c context.Context, r *http.Request) AccessLevel {
if user.IsAdmin(c) {
switch r.FormValue("access") {
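Review bot: The OAuth fallback in `currentUser` trusts any bearer token that carries the userinfo.email scope, without checking which OAuth client the token was issued to, so a token the same Google account granted to some unrelated application with that scope would authenticate the user to the dashboard just as well as one from `gcloud auth print-access-token`. If only gcloud-issued tokens are meant to be accepted, the consumer key should be pinned before `u` is trusted, e.g. `u, err := user.CurrentOAuth(c, "https://www.googleapis.com/auth/userinfo.email")` / `if err != nil { return nil }` / `if key, err := user.OAuthConsumerKey(c); err != nil || !allowedOAuthClientIDs[key] { return nil }`, with the allowlist populated from the config. Separately, `r *http.Request` is accepted by `currentUser` but never read, so either drop the parameter or use it; the comment on the function should also say that a missing or invalid token is deliberately downgraded to anonymous rather than rejected, since callers cannot distinguish the two cases from a nil return.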
@@ -69,7 +87,7 @@ func accessLevel(c context.Context, r *http.Request) AccessLevel {
}
return AccessAdmin
}
- u := user.Current(c)
+ u := currentUser(c, r)
if u == nil ||
// Devappserver does not pass AuthDomain.
u.AuthDomain != "gmail.com" && !isBrokenAuthDomainInTest ||
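Review bot: The user returned from the new OAuth path is still gated by the `u.AuthDomain != "gmail.com"` check on the last line of the hunk, so OAuth sign-in only works if `user.CurrentOAuth` populates `AuthDomain` the same way the cookie-based `user.Current` does; I believe it does on App Engine, but this is worth a test rather than an assumption, since a mismatch would silently reject every bearer-token request as AccessPublic. Note also that the admin branch above relies on `user.IsAdmin(c)`, which reflects cookie login only, so an admin authenticating with a bearer token falls through to the regular user path; if that is intended, a comment such as `// Admin access is only granted via AppEngine sign-in, not OAuth tokens.` would make it explicit. The body of accessLevel continues past the end of this hunk.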