Hi @sarin-vt
At face value I can’t find a justification for this behavior, let’s try to identify it.
Check if there are differences between permissions, collaborations and shared links.
For example:
curl --location 'https://api.box.com/2.0/files/1545165688368?fields=id%2Ctype%2Cname%2Cpermissions%2Cshared_link' \
--header 'Authorization: Bearer wc...rt'
{
"type": "file",
"id": "1545165688368",
"etag": "1",
"name": "25m_file.bin",
"permissions": {
"can_download": true,
"can_preview": true,
"can_upload": true,
"can_comment": true,
"can_rename": true,
"can_delete": true,
"can_share": true,
"can_set_share_access": true,
"can_invite_collaborator": true,
"can_annotate": false,
"can_view_annotations_all": true,
"can_view_annotations_self": true,
"can_create_annotations": false,
"can_view_annotations": false
},
"shared_link": {
"url": "https://app.box.com/s/5gii2vftdn9gcse5s8054llq6lo9aczn",
"download_url": "https://app.box.com/shared/static/5gii2vftdn9gcse5s8054llq6lo9aczn.bin",
"vanity_url": null,
"vanity_name": null,
"effective_access": "collaborators",
"effective_permission": "can_preview",
"is_password_enabled": false,
"unshared_at": null,
"download_count": 0,
"preview_count": 0,
"access": "collaborators",
"permissions": {
"can_preview": true,
"can_download": false,
"can_edit": false
}
}
}
curl --location 'https://api.box.com/2.0/files/1545165688368/collaborations' \
--header 'Authorization: Bearer wc...rt'
{
"next_marker": "",
"previous_marker": "",
"entries": [
{
"type": "collaboration",
"id": "54322446561",
"created_by": {
"type": "user",
"id": "18622116055",
"name": "Rui Barbosa",
"login": "barduinor@gmail.com"
},
"created_at": "2024-05-30T07:52:38-07:00",
"modified_at": "2024-05-30T07:52:38-07:00",
"expires_at": null,
"status": "accepted",
"accessible_by": {
"type": "user",
"id": "22240548078",
"name": "Investment User",
"login": "barduinor+inv@gmail.com"
},
"invite_email": null,
"role": "editor",
"acknowledged_at": "2024-05-30T07:52:38-07:00",
"item": {
"type": "file",
"id": "1545165688368",
"file_version": {
"type": "file_version",
"id": "1697405049168",
"sha1": "ab11ba8a4e5595183c12ada6869713ff826d20d7"
},
"sequence_id": "1",
"etag": "1",
"sha1": "ab11ba8a4e5595183c12ada6869713ff826d20d7",
"name": "25m_file.bin"
},
"is_access_only": false,
"app_item": null
}
]
}
And the same for the parent folder.
I suspect somewhere the collaboration or share permissions are stricter, but because you are the owner of the file, you can still upload it.
It could also be related to the web app integration or the scope of the token, but the token should have full permissions by now, from our last conversation.
Anyway I was not able to replicate your situation.
Hi Sarin, the permissions of the token are driven by the Permissions Requirement in the Web app integration configuration. So if you use ‘Download permissions required’ the token will not allow upload. If you need the integration to upload you’d need the ‘Full permissions are required’.
Rgds
Peter
Hi @pchristensen,
Yeah, that makes sense. I had my web integration configured to use “Download Permissions are Required”.
Can you please help me understand a few more concerns:
If “User A” has only view access on a file and I configured “Full permissions are required” for my web integration, can User A see this web integration option?
What if we use the OAuth2.0 token of Admin, and use the as-user header? Can I get the original list of permissions for that user on that file?
Can you give me more details on this specific configuration and its impact? Or give me documentation on this.
Thanks, Sarin
Hi Sarin
If the web app integration has ‘Full permissions required’ it will only show for those users who have full permissions so in that case User A would not see the integration. See here: https://developer.box.com/guides/applications/web-app-integrations/configure/#configure-integration
Yes, if you have an admin token from an app that allows as-user headers, you could use that token with the header to determine the permissions of a user on a given file.
Maybe if you could outline what you are trying to achieve we can suggest a way forward
Rgds
Peter
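The comparison suggested in this thread, as an added example that is not part of any post: it builds the same `fields=` lookup as the curl call with an optional `As-User` header, then lists which permission flags one view of the file has that another lacks and which the shared link withholds. `TOKEN`, `USER_A_ID`, the helper names and both sample responses are assumptions (the owner view is trimmed from the response quoted above, the User A view is constructed).

```python
import urllib.request

API = "https://api.box.com/2.0"  # base URL used by the curl calls in the thread
FIELDS = "id,type,name,permissions,shared_link"

def build_request(item_type, item_id, token, as_user=None):
    """Build (not send) the lookup for a 'file' or 'folder' item."""
    url = f"{API}/{item_type}s/{item_id}?fields={FIELDS}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    if as_user:
        # Runs the call in that user's context; the app must be allowed to
        # send as-user headers, as noted in the thread.
        req.add_header("As-User", as_user)
    return req

def stricter_flags(baseline, other):
    """Permission flags that are true in `baseline` but not in `other`."""
    base = baseline.get("permissions", {})
    oth = other.get("permissions", {})
    return sorted(k for k, v in base.items() if v and not oth.get(k, False))

def shared_link_gaps(item):
    """Flags the item grants the caller but its shared link does not."""
    link = item.get("shared_link") or {}
    perms = item.get("permissions", {})
    return sorted(k for k, v in link.get("permissions", {}).items()
                  if not v and perms.get(k))

# Owner view: trimmed from the response quoted earlier in the thread.
OWNER_VIEW = {
    "permissions": {"can_download": True, "can_preview": True,
                    "can_upload": True, "can_delete": True},
    "shared_link": {"access": "collaborators",
                    "permissions": {"can_preview": True,
                                    "can_download": False,
                                    "can_edit": False}},
}
# Constructed sample: what a view-only "User A" might get back via As-User.
USER_A_VIEW = {
    "permissions": {"can_download": True, "can_preview": True,
                    "can_upload": False, "can_delete": False},
    "shared_link": None,
}

if __name__ == "__main__":
    req = build_request("file", "1545165688368", "TOKEN", as_user="USER_A_ID")
    print(req.full_url, dict(req.header_items()))
    print("User A lacks:", stricter_flags(OWNER_VIEW, USER_A_VIEW))
    print("Shared link withholds:", shared_link_gaps(OWNER_VIEW))
```

Running the same comparison with `build_request("folder", ...)` covers the parent-folder check mentioned in the first reply.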