dashboard/app: fix admin checks for dev_appserver

Admin checks broke at some point for local app runs
(the auth domain is overriden only in tests).
Restore proper checking for dev_appserver.

Fix TestUserAccessLevel to use production AuthDomain.
It does not run in the context of the dev_appserver,
so it can now test the actual production logic.

Author: dvyukov

dashboard/app/access.go

@@ -10,6 +10,7 @@ import (
 	"net/http"
 	"strings"
 
+	"google.golang.org/appengine/v2"
 	db "google.golang.org/appengine/v2/datastore"
 	"google.golang.org/appengine/v2/log"
 	"google.golang.org/appengine/v2/user"
@@ -79,14 +80,13 @@ func accessLevel(c context.Context, r *http.Request) AccessLevel {
 	return al
 }
 
-// trustedAuthDomain for the test environment is "".
-var trustedAuthDomain = "gmail.com"
-
 // userAccessLevel returns authorization flag and AccessLevel.
 // (True, AccessAdmin) means authorized, Admin access.
 // Note - authorize higher levels first.
 func userAccessLevel(u *user.User, wantAccess string, config *GlobalConfig) (bool, AccessLevel) {
-	if u == nil || u.AuthDomain != trustedAuthDomain {
+	// dev_appserver.py sets u.AuthDomain="".
+	// Note: dev_appserver.py is used not only in tests, but also when the app is run locally.
+	if u == nil || u.AuthDomain != "gmail.com" && !appengine.IsDevAppServer() {
 		return false, AccessPublic
 	}
 	if u.Admin {

dashboard/app/access_test.go

@@ -457,7 +457,9 @@ const (
 )
 
 func makeUser(a UserAuthorizationLevel) *user.User {
-	u := &user.User{}
+	u := &user.User{
+		AuthDomain: "gmail.com",
+	}
 	switch a {
 	case BadAuthDomain:
 		u.AuthDomain = "public.com"

dashboard/app/app_test.go

@@ -31,7 +31,6 @@ func init() {
 	os.Setenv("GAE_MODULE_VERSION", "1")
 	os.Setenv("GAE_MINOR_VERSION", "1")
 
-	trustedAuthDomain = "" // Devappserver environment value is "", prod value is "gmail.com".
 	obsoleteWhatWontBeFixBisected = true
 	notifyAboutUnsuccessfulBisections = true
 	ensureConfigImmutability = true