Child Item

Suddenly getting "no_permission/unauthorized_account_id_usage/" with add_folder_member endpoint

We've recently started getting different behavior from the API when calling add_folder_member. We're getting the error "no_permission/unauthorized_account_id_usage/".

I've replicated it in the API explorer below. The folder is owned by the account associated with the access token. In the parameters, the `dropbox_id` is of course from a different account. That `dropbox_id` is then returned in the array of `unauthorized_account_ids`.

We've been using this endpoint since the v2 API came out in 2015 without problem.

Calls to other endpoints in the sharing.write scope work just fine.

Have the permissions changed in some way?

Screenshot 2024-10-19 134706.png

Find more posts tagged with

API

Abuse

Comments

DB-Des

Hi @adamb924,

I'll be happy to help with any issues you're having with the Dropbox API, but I'll need some more information. Please reply with:

- the name and version number of the platform and SDK/library you are using, if any

- the steps to reproduce the issue, including relevant code snippet(s), but don't include any access or refresh token(s)

Could you also confirm if you receive the same error when using the user's email address instead of their Dropbox ID?

adamb924

Thanks for getting right back to me. This is with API v2. We're using CURL calls. Here for example is a CURL call that replicates the problem (with placeholders for the private stuff).

```

curl -X POST https://api.dropboxapi.com/2/sharing/add_folder_member \
--header "Authorization: Bearer <my access token>" \
--header "Content-Type: application/json" \
--data "{\"members\":[{\"access_level\":\"editor\",\"member\":{\".tag\":\"dropbox_id\",\"dropbox_id\":\"<my user id>\"}}],\"quiet\":false,\"shared_folder_id\":\"<my folder id>\"}"

```

When I identified the user with an email address, it worked. Please let me know if this behavior will be fixed, or if we should switch over to using email addresses.

Thanks.

Greg-DB

@adamb924 Thanks for following up. Can you clarify where/how you retrieved that "dbid" value that you're passing to /2/sharing/add_folder_member?

adamb924

Yep, I got it from the account_id field in the value returned from my call to

https://api.dropbox.com/oauth2/token. (When I logged in as the target user.)

Greg-DB

@adamb924 Thanks for the information. In that case, yes, please use email addresses for this use case, instead of copying over the identifier from the other authorization.