Is this a safe way of handling access in Google App Engine?
I want to give a few persons access to my google app. I can assume that they are using gmail, so is this a safe procedure?
I add their gmail to a database. I then extract their email like this and check if it is present in the database:
UserService userService = UserServiceFactory.getUserService();
User user = userService.getCurrentUser();
String email = user.getEmail();
//check if email is in database
Of course I handle the case where they are not logged in, and I understand that my app could be vulnerable in other parts of my code. But is this part safe?
Cheers,开发者_开发知识库
Use user.getUserId() instead of getEmail(). Users can change their email addresses but the UserIDs remain the same.
Yes, this is fine - you can trust the email address returned by the UserService
to be accurate - only the owner of that account can authenticate and return that value. As Fabrizio says, if you can you should store the user ID instead of the email, so that you are robust against your users changing their email address.
精彩评论