Why "can_upload" Permission is "false" for the Owner of the file

I am using Box-Node-SDK to fetch details of a file in my drive.

As you can see in the below screenshot, I created the file and modified it multiple times.

We can clearly see that I am the owner of the file., in the file details.

But, when I fetch the File-Info using Node-Box-SDK. The “Permissions” object in the response shows “can_upload” as “false”.

I have created a Custom-Application to use Auth2.0. Added a Web-Integration, I used the auth-code Received from web-integration to Initialise BoxClient and Fetch FileDetails.

Am I missing something obvious here? Why is “can_upload” show “false”, When I have access to the file, and uploaded a new version multiple times?

Thanks, Sarin

Hi @sarin-vt

At face value I can’t find a justification for this behavior, let’s try to identify it.

Check if there are differences between permissions, collaborations and shared links.

For example:

curl --location 'https://api.box.com/2.0/files/1545165688368?fields=id%2Ctype%2Cname%2Cpermissions%2Cshared_link' \
--header 'Authorization: Bearer wc...rt'
    "type": "file",
    "id": "1545165688368",
    "etag": "1",
    "name": "25m_file.bin",
    "permissions": {
        "can_download": true,
        "can_preview": true,
        "can_upload": true,
        "can_comment": true,
        "can_rename": true,
        "can_delete": true,
        "can_share": true,
        "can_set_share_access": true,
        "can_invite_collaborator": true,
        "can_annotate": false,
        "can_view_annotations_all": true,
        "can_view_annotations_self": true,
        "can_create_annotations": false,
        "can_view_annotations": false
    "shared_link": {
        "url": "https://app.box.com/s/5gii2vftdn9gcse5s8054llq6lo9aczn",
        "download_url": "https://app.box.com/shared/static/5gii2vftdn9gcse5s8054llq6lo9aczn.bin",
        "vanity_url": null,
        "vanity_name": null,
        "effective_access": "collaborators",
        "effective_permission": "can_preview",
        "is_password_enabled": false,
        "unshared_at": null,
        "download_count": 0,
        "preview_count": 0,
        "access": "collaborators",
        "permissions": {
            "can_preview": true,
            "can_download": false,
            "can_edit": false
curl --location 'https://api.box.com/2.0/files/1545165688368/collaborations' \
--header 'Authorization: Bearer wc...rt' 
    "next_marker": "",
    "previous_marker": "",
    "entries": [
            "type": "collaboration",
            "id": "54322446561",
            "created_by": {
                "type": "user",
                "id": "18622116055",
                "name": "Rui Barbosa",
                "login": "barduinor@gmail.com"
            "created_at": "2024-05-30T07:52:38-07:00",
            "modified_at": "2024-05-30T07:52:38-07:00",
            "expires_at": null,
            "status": "accepted",
            "accessible_by": {
                "type": "user",
                "id": "22240548078",
                "name": "Investment User",
                "login": "barduinor+inv@gmail.com"
            "invite_email": null,
            "role": "editor",
            "acknowledged_at": "2024-05-30T07:52:38-07:00",
            "item": {
                "type": "file",
                "id": "1545165688368",
                "file_version": {
                    "type": "file_version",
                    "id": "1697405049168",
                    "sha1": "ab11ba8a4e5595183c12ada6869713ff826d20d7"
                "sequence_id": "1",
                "etag": "1",
                "sha1": "ab11ba8a4e5595183c12ada6869713ff826d20d7",
                "name": "25m_file.bin"
            "is_access_only": false,
            "app_item": null

And the same for the parent folder.

I suspect somewhere the collaboration or share permissions are stircter, but because you are the owner of the file, then you can still upload it.
I could also be related with the the web app integration or the scope of the token, but the token should have full permissions by now, from our last conversation.

Anyway I was not able to replicate your situation.

Hi Sarin, the permissions of the token is driven by the Permissions Requirement in the Web app integration configuration. So if you use ‘Download permissions required’ the token will not allow upload. If you need the integration to upload you’d need the ‘Full permissions are required’


Hi @pchristensen,

Yeah, that makes sense. I had my web integration configured to use “Download Permissions are Required”.

Can you please help me understand a few more concerns:

  1. If “User A” has only view access on a file. If I configured “Full permissions are required” for my web integration, can the User A see this web integration option.?

  2. What If, we use the OAuth2.0 token of Admin, and use the as-user header? Can I get the original list of permissions for that user on that file?

Can you give me more details on this specific configuration and its impact? Or give me a documentation on this.

Thanks, Sarin

Hi Sarin

If the web app integration has ‘Full permissions required’ it will only show for those users who have full permissions so in that case User A would not see the integration. See here: https://developer.box.com/guides/applications/web-app-integrations/configure/#configure-integration

yes, if you have an admin token from an app what allows as-user headers, you could use that token with the header to determine a permissions of a user on a given file.

Maybe if you could outline what you are trying to achieve we can suggest a way forward


This topic was automatically closed 4 days after the last reply. New replies are no longer allowed.