Retrieve comments for a file owned by non active user
I'm attempting to retrieve comments on a file via the API, but I am getting a 403.
When I do a GET request here https://api.box.com/2.0/files//comments, with an As-User header, I receive this as a response.
{
"type": "error",
"status": 403,
"code": "access_denied_insufficient_permissions",
"help_url": "http://developers.box.com/docs/#errors",
"message": "Access denied - insufficient permission",
"request_id": ""
}
I'm able to do this on the admin user's files fine, and also able to access other endpoints such as collaborations/tasks/metadata with an As-User header.
One thing to note is the user is not active. They are set to "Cannot delete, edit & upload". If I set them to active, the request works. What I don't understand is why I can do the other endpoints while the user is in the "Cannot delete, edit & upload" state.
Is this expected?
-
Hi ,
I ran a few app tests to verify, but this is due to scope requirements on the "Get comments" endpoints. Basically that endpoint is only made available with the read & write scope, but not with just read. Most likely this is due to some metadata on access being written to the file during the call.
Why this is impacting you is because a non-active user is set to not be able to edit the content, so since write permissions are needed by that call (and not the other endpoints you mentioned) the call will fail.
We're working on adding transparency to the docs to make it much easier to understand how scopes impact endpoints, but for the time being that's the main reason for the error that you're seeing.
Hope that helps,
Jon
-
Ahh, yeah that makes sense. I ran into the same thing with the /content endpoint, as I discovered that also writes data back when it's called.
Thank you for the clarification!
Out of curiosity, what gets written back on that endpoint? I find it kind of weird that /comments writes data, but the other ones I mentioned do not.
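
A triage sketch for the behaviour described in this thread, added here as an example and not part of any post or of Box's own code: it separates 403s that are explained by a restricted As-User account calling /comments or /content from 403s that deserve a closer look. The log record shape, the user IDs and the `cannot_delete_edit_upload` status string (assumed to be the API value behind "Cannot delete, edit & upload") are assumptions.

```python
import json
import re

# GET endpoints that the posts above report as needing write access.
# This list comes from the thread, not from Box documentation.
WRITE_ON_READ = re.compile(r"^/2\.0/files/[^/]+/(comments|content)$")

# Assumed API status value for the "Cannot delete, edit & upload" setting.
# Extend the set only with statuses you have confirmed block edits.
RESTRICTED = {"cannot_delete_edit_upload"}


def triage(record, user_status):
    """Classify one As-User response record (hypothetical log shape)."""
    if record["http_status"] != 403:
        return "ok"
    try:
        body = json.loads(record["body"])
    except (ValueError, TypeError):
        return "investigate: unparseable 403 body"
    if not isinstance(body, dict) or body.get("code") != "access_denied_insufficient_permissions":
        return "investigate: different 403 cause"
    status = user_status.get(record["as_user"])
    if status is None:
        return "investigate: unknown user status"
    path = record["path"].split("?", 1)[0]  # ignore any query string
    if status in RESTRICTED and WRITE_ON_READ.match(path):
        return "expected: restricted user on write-on-read endpoint"
    return "investigate: 403 not explained by user status"


# Constructed sample data: user IDs, file ID and records are made up.
ERR = json.dumps({"type": "error", "status": 403, "code": "access_denied_insufficient_permissions"})
STATUS = {"1001": "cannot_delete_edit_upload", "1002": "active"}
RECORDS = [
    {"as_user": "1001", "path": "/2.0/files/555/comments", "http_status": 403, "body": ERR},
    {"as_user": "1001", "path": "/2.0/files/555/collaborations", "http_status": 200, "body": "{}"},
    {"as_user": "1002", "path": "/2.0/files/555/comments", "http_status": 403, "body": ERR},
    {"as_user": "1001", "path": "/2.0/files/555/tasks", "http_status": 403, "body": ERR},
]

if __name__ == "__main__":
    for r in RECORDS:
        print(r["as_user"], r["path"], "->", triage(r, STATUS))
```

A 403 for an active user, or for a restricted user on an endpoint the thread says works, falls through to "investigate" because the account status does not explain it.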