Skip to main content

What's the easiest, laziest way to get a list of folders that an arbitrary user can access, without authenticating at that user?

 

It almost looks like I'd have to examine every folder in turn to see if the target user has access to it, but that seems crazy. It especially seems crazy because if I were authenticated as that user, I could just request "all folders", and I would instantly get the list of all folders that that user can access. So I feel like there must be an easier way. 

 

This is coming up because as an admin, I want to see if there's a way to use the API to poll the list of all the folders that a current user has access to, and at what permission level, and then (after a manual review step) apply all those access permissions to another user. 



I figured out how to do this using curl and as-user. Yes, the lazy way.

 

Here's the script I wrote using the Python (2.7, sorry) requests library. Theoretically it looks like the python SDK also supports as_user, but I wasn't able to get it to work, even though the app is authorized to do as_user. (I used a developer token generated from the same app.)

 

I was in a rush so this just spits out a csv to stdout that you can redirect to a file that you can open in Excel. Note that this script doesn't identify the access someone has if they have access due to being a member of a group, but the group membership stuff is easy to see/manage. It's these onsie-twosie folder grants that are hard.

 

import requests

import json



old_user_id = "*****"

new_user_id = "******"



ACCESS_TOKEN = "Bearer *******"

headers = {"As-user": old_user_id, "Authorization": ACCESS_TOKEN }

API_URL = "https://api.box.com/2.0/folders/4***phone number removed for privacy***"



print "ID,Folder Name,Old user's Access,New users's Access,Last Modified,Everyone With Access"



url = "https://api.box.com/2.0/folders/0?limit=999&offset=180"

r = requests.get(url, headers=headers)

json_response = r.json()



for entry in json_responseo"item_collection"]o"entries"]:

	line = entryn"id"]



	old_user_has = "group membership"

	new_user_has = ""

	everyone = ""



	url = "https://api.box.com/2.0/folders/" + line

	r = requests.get(url, headers=headers)



	json_response = r.json()

	name = json_responseo"name"]

	modified = json_responseo"modified_at"]



	url = "https://api.box.com/2.0/folders/" + line + "/collaborations"

	r = requests.get(url, headers=headers)



	json_response = r.json()

	for entry in json_responseo"entries"]:

		everyone = everyone + entryn"accessible_by"]b"name"] + ", "

		if entryn"accessible_by"]b"id"] == old_user_id:

			old_user_has = entryn"role"]

		if entryn"accessible_by"]b"id"] == new_user_id:

			new_user_has = entryn"role"]



	print "\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\"" % (line,name,old_user_has,new_user_has,modified,everyone)


Yikes, one correction.

 

Where I have 

"https://api.box.com/2.0/folders/0?limit=999&offset=180"

... you don't actually want the offset, though the limit may help you. The offset means that this was starting at folder #181 from the results list.  


Reply


Terms & ConditionsCookie settings