Nothing works. Even the web site's front page is now full of error's because we switched to PHP5 (needed for new stuff) thus breaking lots of old PHP4 code that was running behind the home page. Hmmm.
Oh well, later.
The Google App Engine User API is definitely a little lacking in some respects, like a Java equivalent of the Python is_current_user_admin function. However the new way seem to be using permissions in the web config to control access. But that's not really good enough if you have that usual situation where lots of people have 'access', but they're grouped into security levels.
App Engine User API has no concept of groups. Therefore if you want anything more than binary allowed/denied for a pre-selected group, you need to write your own user management. That means keep a list of users (in this case email address seems to be the primary key. it's the modern way) and group associations.
Ah, screw it. I'll put a single allowed email address in the options set. They get to be admin. That will do for the moment, 'till I fix all the other broken things.