Does AppEngine's datastore.Get() not verify the namespace of the requested key?

I'm using namespaces with the datastore in go-appengine, roughly as follows:

func getThing() *Thing {
  nctx := appengine.Namespace(ctx, "whatever")

  thing := Thing{}
  key, err := datastore.Get(nctx, key, &thing)
  if err != nil {
    return nil, err
  }
  return thing, nil
}

Simple enough, right? Unfortunately, if it turns out that if nctx's namespace doesn't match the key's, it happily fetches the object anyway. And AFAICT, there's no way to manually get at the key's 'namespace' field to verify it manually. This matters for our app, because we have keys coming from a web client, which can in some edge cases be associated with the wrong namespace.

OTOH, if I do a query using Thing's key as an ancestor, the datastore (appropriately) returns an error because of the namespace mismatch between the ancestor's namespace and that of the context (of the form query namespace is 'bar' but ancestor namespace is 'foo').

Am I missing something about the intended constraints on datastore fetches/queries and namespaces, or does this just sound like a bug?

I assume you're passing around encoded keys, rather than just their IDs? If you create the key using datastore.NewKey then the context passed to that will set the namespace of the key (unless there's also a parent, in which case its namespace will be used).

With respect to the intention, this behaviour is equivalent to the python API - a key created from an urlsafe string can be fetched while a different namespace is set on the namespace_mananger, but the currently-set namespace is used if you create a key by specifying just the kind and id.

Having a getter for the namespace would be good though, so you could at least verify after unserializing...