Skip to main content
Solved

Why "can_upload" Permission is "false" for the Owner of the file

  • May 30, 2024
  • 5 replies
  • 154 views
S

I am using Box-Node-SDK to fetch details of a file in my drive.

As you can see in the below screenshot, I created the file and modified it multiple times.

Screenshot 2024-05-30 at 7.05.03 PM

We can clearly see that I am the owner of the file., in the file details.

Screenshot 2024-05-30 at 6.57.45 PM

But, when I fetch the File-Info using Node-Box-SDK. The “Permissions” object in the response shows “can_upload” as “false”.

I have created a Custom-Application to use Auth2.0. Added a Web-Integration, I used the auth-code Received from web-integration to Initialise BoxClient and Fetch FileDetails.

Screenshot 2024-05-30 at 7.11.18 PM

Am I missing something obvious here? Why is “can_upload” show “false”, When I have access to the file, and uploaded a new version multiple times?

Thanks, Sarin

Best answer by pchristensen Box

Hi Sarin

If the web app integration has ‘Full permissions required’ it will only show for those users who have full permissions so in that case User A would not see the integration. See here: https://developer.box.com/guides/applications/web-app-integrations/configure/#configure-integration

yes, if you have an admin token from an app what allows as-user headers, you could use that token with the header to determine a permissions of a user on a given file.

Maybe if you could outline what you are trying to achieve we can suggest a way forward

Rgds
Peter

5 replies

rbarbosa Box
Forum|alt.badge.img
  • rbarbosa Box
  • Developer Advocate
  • 556 replies
  • May 30, 2024

Hi @sarin-vt

At face value I can’t find a justification for this behavior, let’s try to identify it.

Check if there are differences between permissions, collaborations and shared links.

For example:

curl --location 'https://api.box.com/2.0/files/1545165688368?fields=id%2Ctype%2Cname%2Cpermissions%2Cshared_link' \
--header 'Authorization: Bearer wc...rt'

{
    "type": "file",
    "id": "1545165688368",
    "etag": "1",
    "name": "25m_file.bin",
    "permissions": {
        "can_download": true,
        "can_preview": true,
        "can_upload": true,
        "can_comment": true,
        "can_rename": true,
        "can_delete": true,
        "can_share": true,
        "can_set_share_access": true,
        "can_invite_collaborator": true,
        "can_annotate": false,
        "can_view_annotations_all": true,
        "can_view_annotations_self": true,
        "can_create_annotations": false,
        "can_view_annotations": false
    },
    "shared_link": {
        "url": "https://app.box.com/s/5gii2vftdn9gcse5s8054llq6lo9aczn",
        "download_url": "https://app.box.com/shared/static/5gii2vftdn9gcse5s8054llq6lo9aczn.bin",
        "vanity_url": null,
        "vanity_name": null,
        "effective_access": "collaborators",
        "effective_permission": "can_preview",
        "is_password_enabled": false,
        "unshared_at": null,
        "download_count": 0,
        "preview_count": 0,
        "access": "collaborators",
        "permissions": {
            "can_preview": true,
            "can_download": false,
            "can_edit": false
        }
    }
}

curl --location 'https://api.box.com/2.0/files/1545165688368/collaborations' \
--header 'Authorization: Bearer wc...rt' 

{
    "next_marker": "",
    "previous_marker": "",
    "entries": [
        {
            "type": "collaboration",
            "id": "54322446561",
            "created_by": {
                "type": "user",
                "id": "18622116055",
                "name": "Rui Barbosa",
                "login": "barduinor@gmail.com"
            },
            "created_at": "2024-05-30T07:52:38-07:00",
            "modified_at": "2024-05-30T07:52:38-07:00",
            "expires_at": null,
            "status": "accepted",
            "accessible_by": {
                "type": "user",
                "id": "22240548078",
                "name": "Investment User",
                "login": "barduinor+inv@gmail.com"
            },
            "invite_email": null,
            "role": "editor",
            "acknowledged_at": "2024-05-30T07:52:38-07:00",
            "item": {
                "type": "file",
                "id": "1545165688368",
                "file_version": {
                    "type": "file_version",
                    "id": "1697405049168",
                    "sha1": "ab11ba8a4e5595183c12ada6869713ff826d20d7"
                },
                "sequence_id": "1",
                "etag": "1",
                "sha1": "ab11ba8a4e5595183c12ada6869713ff826d20d7",
                "name": "25m_file.bin"
            },
            "is_access_only": false,
            "app_item": null
        }
    ]
}

And the same for the parent folder.

I suspect somewhere the collaboration or share permissions are stircter, but because you are the owner of the file, then you can still upload it.
I could also be related with the the web app integration or the scope of the token, but the token should have full permissions by now, from our last conversation.

Anyway I was not able to replicate your situation.

pchristensen Box
  • pchristensen Box
  • Senior Staff Platform Solutions Engineer
  • 22 replies
  • June 3, 2024

Hi Sarin, the permissions of the token is driven by the Permissions Requirement in the Web app integration configuration. So if you use ‘Download permissions required’ the token will not allow upload. If you need the integration to upload you’d need the ‘Full permissions are required’

Screenshot 2024-06-03 at 09.59.03

Rgds
Peter

S
  • sarin-vt
  • Author
  • Known Participant
  • 17 replies
  • June 3, 2024

Hi @pchristensen,

Yeah, that makes sense. I had my web integration configured to use “Download Permissions are Required”.

Can you please help me understand a few more concerns:

  1. If “User A” has only view access on a file. If I configured “Full permissions are required” for my web integration, can the User A see this web integration option.?

  2. What If, we use the OAuth2.0 token of Admin, and use the as-user header? Can I get the original list of permissions for that user on that file?

Can you give me more details on this specific configuration and its impact? Or give me a documentation on this.

Thanks, Sarin

pchristensen Box
  • pchristensen Box
  • Senior Staff Platform Solutions Engineer
  • 22 replies
  • Answer
  • June 3, 2024

Hi Sarin

If the web app integration has ‘Full permissions required’ it will only show for those users who have full permissions so in that case User A would not see the integration. See here: https://developer.box.com/guides/applications/web-app-integrations/configure/#configure-integration

yes, if you have an admin token from an app what allows as-user headers, you could use that token with the header to determine a permissions of a user on a given file.

Maybe if you could outline what you are trying to achieve we can suggest a way forward

Rgds
Peter

system
  • system
  • Known Participant
  • 22 replies
  • June 7, 2024

This topic was automatically closed 4 days after the last reply. New replies are no longer allowed.


Terms & ConditionsCookie settingsAccessibility statement