I'm trying to check if a user is admin of their Google Apps domain, in an app installed from the Google Apps marketplace.
I added this to manifest.xml:
<Scope id="Provisioning API">
<Url>https://apps-apis.google.com/a/feeds/user/#readonly</Url>
<Reason>This application can list domain users to give them permissions.</Reason>
</Scope>
Then I set a test handler to get it working:
from google.appengine.ext import webapp
from google.appengine.ext.webapp import util
import gdata.alt.appengine
import gdata.apps.service
import gdata.auth
# App id, key and secret from the Google Apps Marketplace.
APPLICATION_ID = 'XXX'
CONSUMER_KEY = 'XXX'
CONSUMER_SECRET = 'XXX'
class SetupHandler(webapp.RequestHandler):
def get(self, *args):
# The domain where this app is installed.
domain = 'my_customer_domain.com'
# A username to check.
username = 'webmaster'
sig_method = gdata.auth.OAuthSignatureMethod.HMAC_SHA1
service = gdata.apps.service.AppsService(source='tipfy-com',
domain=domain)
service.SetOAuthInputParameters(sig_method, CONSUMER_KEY,
consumer_secret=CONSUMER_SECRET,
two_legged_oauth=True,
requestor_id=APPLICATION_ID)
service.ssl = True
service.debug = True
gdata.alt.appengine.run_on_appengine(service)
lookup_user = service.RetrieveUser(username)
if lookup_user.login.admin == 'true':
res = username + '开发者_运维问答 is an admin.'
else:
res = username + ' is not an admin.'
self.response.out.write(res)
app = webapp.WSGIApplication([
('/.*', SetupHandler),
], debug=True)
def main():
util.run_wsgi_app(app)
if __name__ == '__main__':
main()
But I get a 401 response ("Unknown authorization header"). I don't know what I'm doing incorrectly or how to debug it further.
- Is the manifest entry correct?
- Splitting
user.email()
is ok to get the user's username and domain? (I debugged it and in my case it was: I got 'webmaster' and 'example.com', which was the user and Google Apps domain where the app was installed).
What am I missing?
Edit: For some reason, the admin panel didn't ask permission to grant access to the provided scopes. After I granted it, the code above worked. So take it as a working example!
You don't have to re-add your app for the scopes work, just make sure in your GoogleApps admin dashboard, on the application settings, you "Grant access" and the Data Access is "Granted". Otherwise just grant that access.
Splitting user.email()
works like a charm for me, because user.nickname()
in localhost testing contains a full email, not like production (where it contains the username).
Make sure the user requesting is an admin.
I met exactly the same problem, which keep giving me:
Unknown authorization header
Error 401
I'm using the free version of Google Apps, is this might be the root cause of this problem? As i know Provisioning API only supports premium account.
Admin apis [provisioning api etc.] are now available to editions of Google Apps.
http://googleappsdeveloper.blogspot.com/2011/12/more-administrative-apis-now-available.html
精彩评论