cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Want to learn some quick and useful tips to make your day easier? Check out how Calvin uses Replay to get feedback from other teams at Dropbox here.

Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Re: Cannot find a way to have a restricted API access to a team-shared folder

Cannot find a way to have a restricted API access to a team-shared folder

thbar
Helpful | Level 5
Go to solution

Hello,

I have an accounting system for which we'd like to leverage our Dropbox Business subscription.

What I need is a Dropbox folder, shared with specific members only, and a way to create a Dropbox API access which will be limited to edit that specific folder.

In short, it would be an "App folder" but not restricted to a specific user.

The limitation would be made to ensure calls from the accounting system could not reach other parts of the company Dropbox (this point agrees with the DBX platform developer guide recommendation that "Your app should use the least privileged permission it can").

 We thought about multiple options, but none seems to answer that need.

1/ Using the Dropbox API with "App folder" permission

If we create an app with that level of permission, and generate a token, a folder is created in the private part of the user Dropbox, but this App folder cannot be shared with other users, nor moved to a part where it would be shareable.

It is completely locked inside the private folder of the user, which makes it useless for our use case.

2/ Using the Dropbox API with "Full access"

The accounting system would have access not only to the folder we want to share, but also to every single document provided by Dropbox to our company.

A single programming mistake or breach would be problematic - this does not address our need.

3/ Trick: using the Dropbox API via a dedicated user

We tried creating a new "Bot" Dropbox user (attached to the company), then to use the Dropbox "groups" feature to forbid access to all folders except the one we want to share with that app.

If we create an app, this time with "Full access" (which is restricted thanks to the groups above), a programmatic access via the token can only see its own documents, not the company shared folder apparently, so this again does not address the need.

4/ Using the Dropbox Business API file access

If I understand correctly, a token created this way is able to impersonate any user, hence getting access to the whole Dropbox, so this does not address our need.

 

So this leads me to the question: is there a way to have programmatic access, restricted (for obvious security reasons) to a single folder, which is shared by N users ?

Many thanks,

-- Thibaut

 

1 Accepted Solution

Accepted Solutions

thbar
Helpful | Level 5
Go to solution

Ultimately it worked out fine. I indeed used the trick in point #3, then:

- POST /2/users/get_current_account (with an auth token for the restricted user) then fetch root_info/root_namespace_id

- from there, add the header:

Dropbox-Api-Path-Root set to {".tag": "namespace_id", "namespace_id": the_root_namespace_id}

- fetch using /2/files/list_folder (and continue version)

This allows restricted access to a team-shared folder.

Now a word of feedback: I really hope in the future it will be possible to avoid the creation of a specific user & restrictions, and instead have Dropbox provide an additional level of access (instead of Full Dropbox vs. User-Specific-Folder) to allow access to a restricted list of folders.

In all cases, thanks for your help, which put me on good track!

-- Thibaut

View solution in original post

5 Replies 5

chirstius
Dropbox Staff
Go to solution

Hey @thbar,

When you say the app can only see it's own documents and not the company (team) shared folder for #3 do you mean, literally the listing does not contain ANY team folder content at all? As if it didn't exist?

If so, you may be using team space and member folders and would need to access the team content a little bit differently. You should take a read through the Namespace Guide for information about how to get the root namespace and accessing team content. That may get you where you want to be.

-Chuck

 

thbar
Helpful | Level 5
Go to solution

Hello Chuck,

> When you say the app can only see it's own documents and not the company (team) shared folder for #3 do you mean, literally the listing does not contain ANY team folder content at all? As if it didn't exist?

It's exactly that. It can see its own documents (currently "get started with dropbox pdf"), and nothing else.

Thanks for your quick feedback, I'm diving into the namespacing documentation & playing around with the PAW API client, to see if I can figure out how to get what I need here.

Will report back 🙂 

-- Thibaut

chirstius
Dropbox Staff
Go to solution

Sounds like that might be the case then. If you have additional questions just post them back, but once you get the root namespace, and add the path root header to your requests, I think you'll be in a good place.

Good luck!

-Chuck

thbar
Helpful | Level 5
Go to solution

Ultimately it worked out fine. I indeed used the trick in point #3, then:

- POST /2/users/get_current_account (with an auth token for the restricted user) then fetch root_info/root_namespace_id

- from there, add the header:

Dropbox-Api-Path-Root set to {".tag": "namespace_id", "namespace_id": the_root_namespace_id}

- fetch using /2/files/list_folder (and continue version)

This allows restricted access to a team-shared folder.

Now a word of feedback: I really hope in the future it will be possible to avoid the creation of a specific user & restrictions, and instead have Dropbox provide an additional level of access (instead of Full Dropbox vs. User-Specific-Folder) to allow access to a restricted list of folders.

In all cases, thanks for your help, which put me on good track!

-- Thibaut

Greg-DB
Dropbox Staff
Go to solution

I'm glad to hear you got this working. I've sent this along as a feature request for a way to restrict access to specified paths only. Thanks!

Need more support?