Reputation: 13629
Marketplace app + Provisioning API: check if user is admin
I'm trying to check if a user is admin of their Google Apps domain, in an app installed from the Google Apps marketplace.
I added this to manifest.xml:
<Scope id="Provisioning API">
<Url>https://apps-apis.google.com/a/feeds/user/#readonly</Url>
<Reason>This application can list domain users to give them permissions.</Reason>
</Scope>
Then I set a test handler to get it working:
from google.appengine.ext import webapp
from google.appengine.ext.webapp import util
import gdata.alt.appengine
import gdata.apps.service
import gdata.auth
# App id, key and secret from the Google Apps Marketplace.
APPLICATION_ID = 'XXX'
CONSUMER_KEY = 'XXX'
CONSUMER_SECRET = 'XXX'
class SetupHandler(webapp.RequestHandler):
def get(self, *args):
# The domain where this app is installed.
domain = 'my_customer_domain.com'
# A username to check.
username = 'webmaster'
sig_method = gdata.auth.OAuthSignatureMethod.HMAC_SHA1
service = gdata.apps.service.AppsService(source='tipfy-com',
domain=domain)
service.SetOAuthInputParameters(sig_method, CONSUMER_KEY,
consumer_secret=CONSUMER_SECRET,
two_legged_oauth=True,
requestor_id=APPLICATION_ID)
service.ssl = True
service.debug = True
gdata.alt.appengine.run_on_appengine(service)
lookup_user = service.RetrieveUser(username)
if lookup_user.login.admin == 'true':
res = username + ' is an admin.'
else:
res = username + ' is not an admin.'
self.response.out.write(res)
app = webapp.WSGIApplication([
('/.*', SetupHandler),
], debug=True)
def main():
util.run_wsgi_app(app)
if __name__ == '__main__':
main()
But I get a 401 response ("Unknown authorization header"). I don't know what I'm doing incorrectly or how to debug it further.
- Is the manifest entry correct?
- Splitting
user.email()is ok to get the user's username and domain? (I debugged it and in my case it was: I got 'webmaster' and 'example.com', which was the user and Google Apps domain where the app was installed).
What am I missing?
Edit: For some reason, the admin panel didn't ask permission to grant access to the provided scopes. After I granted it, the code above worked. So take it as a working example!
Upvotes: 5
Views: 1376
Answers (3)
Reputation: 85
Admin apis [provisioning api etc.] are now available to editions of Google Apps.
http://googleappsdeveloper.blogspot.com/2011/12/more-administrative-apis-now-available.html
Upvotes: 0
Reputation: 3575
I met exactly the same problem, which keep giving me:
Unknown authorization header
Error 401
I'm using the free version of Google Apps, is this might be the root cause of this problem? As i know Provisioning API only supports premium account.
Upvotes: 0
Reputation: 2086
You don't have to re-add your app for the scopes work, just make sure in your GoogleApps admin dashboard, on the application settings, you "Grant access" and the Data Access is "Granted". Otherwise just grant that access.
Splitting user.email() works like a charm for me, because user.nickname() in localhost testing contains a full email, not like production (where it contains the username).
Make sure the user requesting is an admin.
Upvotes: 2
Related Questions
- Google Apps Admin API: need to specify account user for service account?
- Permission problems with Google Apps Marketplace
- How do I know if a Google Apps user is not an admin?
- Determine if a google user's domain has my marketplace app installed
- Google directory API Retrieve a user as a non-administrator.
- Google App Engine - find out if a user is an administrator
- Is there a way to check if the user is an admin in AppEngine Cloud Endpoints
- Migrate application developed with the Provisioning API to the new api (Admin SDK)
- Adding Permissions to Google Apps Marketplace Manifest
- Admin privileges from google apps user