I am using AppEngine Cloud Endpoints with the Javascript client and Google+ Sign In, I am using endpoints.get_current_user(). Is there a way to check if the user is an AppEngine admin? Similar to users.is_current_user_admin() in users API.
Thanks
See Google Endpoints API + Chrome Extension returns None for endpoints.get_current_user().user_id() for a long description of the difference between ID tokens and Bearer tokens when performing auth.
If you aren't using an Android application, you can freely use Bearer tokens and not have to worry about some of the limitations of ID tokens.
Right next get_current_user(), the oauth library provides the oauth.is_current_user_admin() method. Exactly as get_current_user(), this method calls _maybe_call_get_oauth_user and then checks a simple environment variable.
As mentioned in the other answer:
The
oauth.get_current_user()call is only expensive IF it makes the RPC. The_maybe_call_get_oauth_usermethod stores the value from the last call, so callingoauth.get_current_user()a second time will incur no network/speed overhead other than the few nanoseconds to lookup a value from a Pythondict.
So if you are only using Bearer tokens, you could do the following
from google.appengine.api import oauth
from google.appengine.ext import endpoints
...
endpoints_user = endpoints.get_current_user()
if endpoints_user is None:
raise endpoints.UnauthorizedException(...)
is_admin = oauth.is_current_user_admin(known_scope)
if not is_admin:
# Throw a 403 FORBIDDEN
raise endpoints.ForbiddenException(...)
