I am quite new to Google App Engine. I am learning things every day. I have a forum on Google App Engine, but I want it to have private or restricted parts. Some features should be locked for certain Google account users, who are in some sort of access control list.
In plain words, only those users who are in the access list can see the forum; the rest will be redirected to the "contact to admin" page.
As I am new, I want to know whether this is possible. If yes, how can I achieve it? Thanks, Alok
If you need more granular, application-specific authorization logic, generally you would create a User model in the datastore that references the built-in UserProperty and also holds a list of roles or whatever else you need to check authorization.
To follow up Drew's reply, I use a similar system in my app, so my server code has something like the following class definition (simplified here for clarity):

    from google.appengine.ext import db

    class myUser(db.Model):
        # the Google account this record belongs to
        user = db.UserProperty(required=True)
        # access level, restricted to the two known values
        rights = db.StringProperty(required=True, choices=set(["public", "private"]))
        created = db.DateTimeProperty(auto_now_add=True)
        lastaccess = db.DateTimeProperty(auto_now=True)
and then I have code like this where I handle queries:

    from google.appengine.api import users

    def checkUserRights(user):
        q = db.GqlQuery("SELECT * from myUser WHERE user = :1", user)
        u = q.get()
        if not u:
            # create a new 'public access' user if we haven't seen this person before
            u = myUser(user=user, rights="public")
        # always update the user record after the source is fetched (updates the lastaccess field)
        db.put(u)
        return u.rights

    rights = checkUserRights(users.get_current_user())
    if isPrivateArea and rights == "private":
        pass  # ....
This way I create a user for EVERY visitor, and then I have an admin interface to change the rights of selected users - you may decide, for example, to not create a record for every visitor:

    def checkUserRights(user):
        q = db.GqlQuery("SELECT * from myUser WHERE user = :1", user)
        u = q.get()
        if not u:
            # grant default public rights to anyone...
            return "public"
        # always update the user record after the source is fetched (updates the lastaccess field)
        db.put(u)
        return u.rights
This is, of course, on a page where the app.yaml specifies "login: required"
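
Added example (not part of the original answers or of App Engine's own code): the rights check above wired to the redirect the question asks for, written so that anything other than an explicit "private" grant is denied. The `ACL` dict is a constructed stand-in for the `myUser` datastore records, and `authorize`, `private_area`, `show_forum` and the two URL paths are hypothetical names.

```python
# Deny-by-default gate for the private forum area.
# ACL is constructed sample data standing in for the myUser datastore records.
CONTACT_ADMIN_URL = "/contact-admin"  # hypothetical path
LOGIN_URL = "/login"                  # hypothetical path
VALID_RIGHTS = ("public", "private")

ACL = {"alice@example.com": "private", "bob@example.com": "public"}


def lookup_rights(email, acl=ACL):
    """Return the stored rights; unknown users or unexpected values get 'public'."""
    rights = acl.get(email)
    return rights if rights in VALID_RIGHTS else "public"


def authorize(email, is_private_area, acl=ACL):
    """Return (allowed, redirect_url) for one request."""
    if not is_private_area:
        return True, None
    if not email:
        # No signed-in account: ask for a login, never assume an identity.
        return False, LOGIN_URL
    if lookup_rights(email, acl) == "private":
        return True, None
    # Signed in but not on the list: send to the contact page.
    return False, CONTACT_ADMIN_URL


def private_area(handler):
    """Decorator: run the handler only when authorize() allows it."""
    def wrapper(email, *args, **kwargs):
        allowed, redirect = authorize(email, True)
        if not allowed:
            return ("302", redirect)
        return handler(email, *args, **kwargs)
    return wrapper


@private_area
def show_forum(email):
    return ("200", "forum for " + email)


if __name__ == "__main__":
    for who in ("alice@example.com", "bob@example.com", None):
        print(who, show_forum(who))
```

Putting the check in a decorator keeps every private handler behind the same decision, so a new handler cannot skip the test by omission.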