I would like to ask what is the common way for handling role-based security with Google App Engine, Python?
In the app.yaml, there is the “login” section, but available values are only “admin” and “required”.
How do you normally handle role-based security?
- Create the model with two tables: Roles and UserRoles
- Import values for Roles table
- Manually add User to UserRoles
- Check if user is in the right Roles group
Any other idea or any other method for role-based security, please let us know!
I would do this by adding a ListProperty for roles to the model representing users. The list contains any roles a given user belongs to. This way if you want to know whether a given user belongs to a given role (I expect, the most common operation), it is a fast membership test.
You could put the role names directly into the lists as strings or add a layer of indirection to another entity specifying the details about the role so it is easy to change the details later. But, this has a runtime cost of an additional RPC to fetch the details about the role.
The downside to this method comes if you want to remove all users from a given role, or perform any other kind of global operation. I suppose you could mark a role ‘deleted’, but then you still have data cluttering up all your user models until you clean them up manually. So I am curious to hear what others suggest.