I am trying to add collaborators through Box API, but when I am adding a user group, the api request return status 403: Forbidden.
Here is the request attributes i'm passing:
{"item": { "id": "3907701373", "type": "folder"}, "accessible_by": {"id": "400235","type":"group"}, "role": "viewer"}
And it returns me this error:
Bearer realm="Service", error="insufficient_scope", error_description="The request requires higher privileges than provided by the access token."
The documentation for Create Collaboration states that:
Errors may occur if the IDs are invalid or if the user does not have permissions to create a collaboration.
Are you able to create a collaboration with a regular user on that folder?
Follow-Up
I think the problem could be due to one, or possibly both, of the following:
Box recently introduced the Group Admin, which has permissions to "add existing users to their groups, create new users that will be assigned to their groups, and assign folder access to their groups." You may need to have those permissions in order to manage group collaborations.
Your may need to enable the Manage an Enterprise scope for your application, under OAuth2 Parameters > Scopes. If (1) above is true then your app most likely requires elevated, enterprise privileges.
Related
I am developing an application that interacts with Google Drive and will work as follows: When a user adds/modifies a file in Drive Share, my application will receive a notification and I will handle it. I did the development locally using Auth2 authentication and everything works perfectly, but this application will be hosted on a Cloud Functions and because of that I am not able to use Auth2 authentication, as user consent is required.
Due to this problem, I went to the perspective of using a Service Account, where I added it as the manager of my share drive, used it to create the function, and gave it all the necessary permissions, but when I modify a file, the my endpoint that was supposed to receive the message, just doesn't.
I did a search and saw that it's due to the service account not having access to user data, so it makes sense that no notification would be created.
Below I am attaching the code I am using to create the watcher on the drive and the authentication process by SA:
Code responsible for get credentials to authentication
SCOPES = [
"https://www.googleapis.com/auth/drive",
"https://www.googleapis.com/auth/drive.file",
"https://www.googleapis.com/auth/drive.readonly",
"https://www.googleapis.com/auth/drive.metadata.readonly"
]
credentials, project_id = google.auth.default(scopes=SCOPES)
credentials.refresh(req.Request())
Code responsible for creating the watch
drive = discovery.build("drive", "v3", credentials=credentials)
params = {
"kind": "api#channel",
"id": "id_watcher",
"type": "webhook",
"address": "address cloud functions"
}
# r = drive.changes().watch(fileId=file_id, body=params, supportsAllDrives=True, supportsTeamDrives=True).execute()
r = drive.changes().watch(pageToken=1,
body=params,
driveId=driverId,
includeCorpusRemovals=True,
includeItemsFromAllDrives=True,
includePermissionsForView=None,
includeRemoved=True,
includeTeamDriveItems=True,
pageSize=None,
restrictToMyDrive=None,
spaces=None,
supportsAllDrives=True,
# supportsTeamDrives=True,
# teamDriveId=driverId
).execute()
My question would be if there is a way to use Auth2 without the need for user consent, that is, without the step of opening the browser and allowing the generation of the token. If not, can you help me with a method that might work?
Remembering that this code will be in a cloud functions.
Thank you very much!
Two suggestions, one for the user consent scenario and one alternative for the notifications:
Domain Wide Delegation and Impersonation
If you are using Google Workspace and building the application for the organization. You can use Domain Wide Delegation if you are utilizing Service accounts. This would allow you to start the process of impersonation and avoid the consent of the users.
As suggested by the official documentation you can also apply and review the ways to grant the service account with the option to impersonate users.
Generating Notifications
Another suggestion could be utilizing Pub/Sub or push notifications to have your alerts. You would be able to utilize the Service account and your code and get the notifications and have them similar to an Audit log:
The image is a sample of a Gmail APi for watch and list.
References:
https://cloud.google.com/pubsub/docs/overview
Google Drive API - file watch does not notify (webhooks sample)
I'm trying to delete a course using the "TRY THIS API" option in https://developers.google.com/classroom/reference/rest/v1/courses/delete I get the error:
"error": {
"code": 500,
"message": "Internal error encountered.",
"status": "INTERNAL"
}
}
Care should be taken when removing a teacher's account, because, as explained in the official documentation:
Before you remove a teacher's account, confirm that the teacher’s classes are no longer in use by students or co-teachers. Removing a teacher account without transferring ownership limits some class functionality.
Because of this, trying to remove a course owned by a deleted user results in a 500 error, as reported in Issue Tracker.
In normal conditions, as a G Suite admin, you should be able to transfer ownership of the class, but since the class functionality is limited, you might not be able to add a new teacher to transfer ownership to. Because of this, the FAILED_PRECONDITION error you are getting might be due to the course being in a non-modifiable state (here you can see the possible reasons behind FAILED_PRECONDITION).
Reference:
Issue Tracker: 500 Internal Server Error when trying to delete courses created by users that have been deleted
Before you remove a teacher account
Transfer ownership of the class
Request Errors: FAILED_PRECONDITION
I am creating an application in which I am getting a Client_secret.json file, and in my application I'm trying to load that json file and get the credentials from it using the following code:
credentials=get_credentials(filename)
http = credentials.authorize(httplib2.Http())
service = discovery.build('admin', 'directory_v1', http=http)
userinfo = {'primaryEmail': primaryEmail,
'name': { 'givenName':user },
'password': password
}
service.users().insert(body = userinfo).execute()
It gives the following error:
httpError 403 when requesting https
//www.googleapis.com/admin/directory/v1/users?alt=json returned
insufficient permission
I'm not sure what I'm doing wrong or am I missing something? I was wondering if the problem is in the json file which I'm creating?
Any help would be appreciated.
Thanks,
Aman
Well, you can start by checking a few things:
If you're using a service account, be sure to enable the "wide domain delegation option" to allow a service account to access user data on behalf of your users and perform operations.
Check if the scope https //www.googleapis.com/admin/directory/v1/users is authorized for your client ID on your google admin console > Security > Advanced settings > Authentication > Manage API client access.
Check if the user that you're using to insert the new user have enough privileges a.k.a super admin privileges.
Check if the Admin SDK API is active on your project.
Keep in mind that just downloading the client_json and activating a API isn't enough to allow these types of operations. For certain APIs like Admin SDK, the user you're gonna use to consume those services need to have specific privileges.
Here's a few helpful links
https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority
https://support.google.com/a/answer/162106?hl=en
I would first check to make sure that you have the correct Admin privileges on the account that you are trying to use OAuth credentials on. I would try logging into the account and going to this reference page in the Directory API for Users:insert
https://developers.google.com/admin-sdk/directory/v1/reference/users/insert
On the right hand side you should go to the Try this API section and see if that account has permissions to create new users.
Also another thing I noticed as well, is that you're not setting the required field familyName inside of the name field. familyName is a required property.
// ... role=reader, type=anyone, with_link=true .... $perms
$service->permissions->insert($fileId, $perm); // see error below
HTTP Code: 403
[
{
"domain": "global",
"reason": "forbidden",
"message": "Insufficient permissions for this file",
"locationType": "other",
"location": "file.permissions"
}
]
Users of a specific domain are unable to share links. The error above is not listed here https://developers.google.com/drive/v2/web/handle-errors
The admin of the domain is certain that "share with public" is allowed for all users of their domain.
You may need to check if you set the scopes right for the users in order for them to access the file. See Authorizing requests with OAuth 2.0. The scopes are the one giving permissions to certain users on what they can do to a file or folder. See What scope or scopes does my app need?
As a general rule, choose the most restrictive scope possible, and avoid requesting scopes that your app does not actually need. Users more readily grant access to limited, clearly described scopes. Conversely, users may hesitate to grant broad access to their files unless they truly trust your app and understand why it needs the information.
You may also want to see Perform Google Apps Domain-Wide Delegation of Authority. It is suggested here that you use a service account which will enable users to access your Google API through your web application.
It seems I'm not allowed to add an Enterprise Admin or Co-Admin to a group via the API. I can add all other types of users to groups, and can create/edit/delete groups just fine, but I'm not allowed to add a user to a group if that user is an Enterprise Admin or Co-Admin.
Is this expected behavior, or is my application user missing some sort of entitlement?
POST /group_memberships
{ "user": { "id": "12345"}, "group": { "id": "12345" } }
{
"type":"error",
"status":403,
"code":"access_denied_insufficient_permissions",
"help_url":"http:\/\/developers.box.com\/docs\/#errors",
"message":"Access denied - insufficient permission",
"request_id":"xxxxxxx"
}
This is the box a limitation/feature. You can not add an Enterprise Admin or Co-Admin to the group of another Administrator.
For example:
User A and B are enterprise admins. Each sing up to box separately.
When user A create a group, he can create a new user and add the created user to the group.
But user A can not add the user B to the group.
Likewise, when user B create a group, he can not add the user A.
Because they are from different organizations.
You will clear when you try to add an Enterprise Admin to the group via https://app.box.com website. If you do so, the pop up will show with the message "The supplied email address already has a Box account that belongs to a different organization."