Child Item

Cannot find a way to have a restricted API access to a team-shared folder

Hello,

I have an accounting system for which we'd like to leverage our Dropbox Business subscription.

What I need is a Dropbox folder, shared with specific members only, and a way to create a Dropbox API access which will be limited to edit that specific folder.

In short, it would be an "App folder" but not restricted to a specific user.

The limitation would be made to ensure calls from the accounting system could not reach other parts of the company Dropbox (this point agrees with the DBX platform developer guide recommendation that "Your app should use the least privileged permission it can").

We thought about multiple options, but none seems to answer that need.

1/ Using the Dropbox API with "App folder" permission

If we create an app with that level of permission, and generate a token, a folder is created in the private part of the user Dropbox, but this App folder cannot be shared with other users, nor moved to a part where it would be shareable.

It is completely locked inside the private folder of the user, which makes it useless for our use case.

2/ Using the Dropbox API with "Full access"

The accounting system would have access not only to the folder we want to share, but also to every single document provided by Dropbox to our company.

A single programming mistake or breach would be problematic - this does not address our need.

3/ Trick: using the Dropbox API via a dedicated user

We tried creating a new "Bot" Dropbox user (attached to the company), then to use the Dropbox "groups" feature to forbid access to all folders except the one we want to share with that app.

If we create an app, this time with "Full access" (which is restricted thanks to the groups above), a programmatic access via the token can only see its own documents, not the company shared folder apparently, so this again does not address the need.

4/ Using the Dropbox Business API file access

If I understand correctly, a token created this way is able to impersonate any user, hence getting access to the whole Dropbox, so this does not address our need.

So this leads me to the question: is there a way to have programmatic access, restricted (for obvious security reasons) to a single folder, which is shared by N users ?

Many thanks,

-- Thibaut

Find more posts tagged with

API

Abuse

Accepted answers

thbar

Ultimately it worked out fine. I indeed used the trick in point #3, then:

- POST /2/users/get_current_account (with an auth token for the restricted user) then fetch root_info/root_namespace_id

- from there, add the header:

Dropbox-Api-Path-Root set to {".tag": "namespace_id", "namespace_id": the_root_namespace_id}

- fetch using /2/files/list_folder (and continue version)

This allows restricted access to a team-shared folder.

Now a word of feedback: I really hope in the future it will be possible to avoid the creation of a specific user & restrictions, and instead have Dropbox provide an additional level of access (instead of Full Dropbox vs. User-Specific-Folder) to allow access to a restricted list of folders.

In all cases, thanks for your help, which put me on good track!

-- Thibaut

All comments

chirstius

Hey @thbar,

When you say the app can only see it's own documents and not the company (team) shared folder for #3 do you mean, literally the listing does not contain ANY team folder content at all? As if it didn't exist?

If so, you may be using team space and member folders and would need to access the team content a little bit differently. You should take a read through the Namespace Guide for information about how to get the root namespace and accessing team content. That may get you where you want to be.

-Chuck

thbar

Hello Chuck,

> When you say the app can only see it's own documents and not the company (team) shared folder for #3 do you mean, literally the listing does not contain ANY team folder content at all? As if it didn't exist?

It's exactly that. It can see its own documents (currently "get started with dropbox pdf"), and nothing else.

Thanks for your quick feedback, I'm diving into the namespacing documentation & playing around with the PAW API client, to see if I can figure out how to get what I need here.

Will report back :-)

-- Thibaut

chirstius

Sounds like that might be the case then. If you have additional questions just post them back, but once you get the root namespace, and add the path root header to your requests, I think you'll be in a good place.

Good luck!

-Chuck

thbar

Ultimately it worked out fine. I indeed used the trick in point #3, then:

- POST /2/users/get_current_account (with an auth token for the restricted user) then fetch root_info/root_namespace_id

- from there, add the header:

Dropbox-Api-Path-Root set to {".tag": "namespace_id", "namespace_id": the_root_namespace_id}

- fetch using /2/files/list_folder (and continue version)

This allows restricted access to a team-shared folder.

In all cases, thanks for your help, which put me on good track!

-- Thibaut

Greg-DB

I'm glad to hear you got this working. I've sent this along as a feature request for a way to restrict access to specified paths only. Thanks!