Downloading and Moving OneDrive files from shared link directory - rest

I am looking for assistance to find out how I can download and move a OneDrive file that is accessed through a shared directory, via the shared link method of sharing.
I have two users:
user 'A' who is a Microsoft Consumer and has a regular OneDrive account and will host a csv file 'test.csv' in a folder 'toshare'
and user 'B' who is also a regular Microsoft Consumer who should use the graph API to download test.csv and then move the file to a subdirectory /toshare/archive
Aside: I am currently using the chrome app "advanced REST client" to manually make the REST calls, and am getting Authenticated OAuth BEARER tokens by inspecting network traffic from Microsoft's online "Graph Explorer" tool. After we understand the calls, we'll integrate it into our Java app.
I have succesfully followed the instructions here:
https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/shares_get
to view the folder contents.
To be more explicit, user 'A' has went into OneDrive and has right clicked the folder 'toshare' and selected shareLink. I have converted the shareLink to a share token and then used the following API call with the Graph API as user 'B':
GET https://graph.microsoft.com/v1.0/shares/<share-token>/root?$expand=children
this shows me all the files in the directory, which includes 'test.csv'
Now, using this information, how can I download test.csv? Assuming user 'B' doesn't know the name of the file, but can identify it by being a .csv file (we can do this in code). There does not appear to be much documentation on how to download the files through a share.
The closest I've gotten was to take the "webUrl" attribute of the children object for my file, and then turn that into a share token and call
GET https://graph.microsoft.com/v1.0/shares/<child-share-token>/root
This will show me the file meta-data. and then I try to download it by roughly following the api documentation to download https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/item_downloadcontent
GET https://graph.microsoft.com/v1.0/shares/<child-share-token>/root/content
This is interesting because this works if I make the call with user 'A' but does not work for user 'B' who instead gets a 403 in advanced REST client. (If I run it in Graph Explorer, I get "The site in the encoded share URI is invalid." instead, which I've discovered with other experimentation, really means there's an authorization issue.)
GET https://graph.microsoft.com/v1.0/shares/<share-token>/root:/test.csv:/content
Also does not work, it returns: "400 Bad Request" with message: "Resource not found for the segment 'root:'." It seems like the path style file navigation does not work for shared directories?
At this point I'm rather stuck. After downloading the file, I also would like to move it into a subdirectory, denoting that it has already been read in. I'd also like to get this working for OneDrive for Business, but that seems to be another set of challenges that I'll leave for another day.
Any insight would be great thanks,
Jeremy

It's best to consider the shares/{id} segments to be similar to drives/{id}, at which point all of the previous documentation around children access is applicable. Given your scenario I'd use the path syntax:
https://graph.microsoft.com/v1.0/shares/<share-token>/root/children/test.csv
This obviously necessitates knowing the file name, but it sounds like you already have an algorithm to do that.
Theoretically your approach for creating a child-share-token would work, but it would now require that User B both provide authentication as well as to have explicit permissions. Since your share-token was a sharing link User B is most likely getting permission by virtue of the fact that they have the URL, in which case generating a new one is probably removing the special token that allows this to work. That's why it's best to always use the original share-token where possible.
Similar rules will apply to move the file. First off, we'll assume that the sharing link provides the ability to "Edit" otherwise none of this will work :). Second, we'll assume that the archive folder already exists (if it doesn't you'd need to create it using a POST to https://graph.microsoft.com/v1.0/shares/<share-token>/root/children that looks like what we've documented here).
To move the file you'd want to PATCH to https://graph.microsoft.com/v1.0/shares/<share-token>/root/children/test.csv and provide a new parentReference as documented here. It's always best to use id values if you have them, but you should also be able to provide the path to the parent in the form of /shares/<share-token>/root/children/archive.

Related

How to get a single file that has been shared with me on OneDrive?

I'm building an app that uses the ms-graph v1.0 API to write data to excelsheets in my OneDrive. It works with excel files that I uploaded to my drive but doesn't work with excel files that've been shared with me.
I know that I can get a list of all shared files with me/drive/sharedWithMe and the file that i want to edit is amongst the files that are being returned.
However, when i try to get one shared drive item using its driveItem property parentReference: driveID like this: /drives/{driveID}/items/{itemID} it returns : 403 - acces denied.
Here are my permissions:
"user.read",
"calendars.read",
"directory.accessasuser.all",
"files.readwrite.all"
I couldn't try the shares path /shares/{shareID} because I don't know how to figure out the shareId. It doesn't seem to be among the properties of the item that is returned by /sharedWithMe. Where can I get it?
Figured it out by myself.
I got the error
"message": "Cannot reference a user's drive from another user's personal site"
so I removed the me/from the route me/drives/{driveID}/items/{itemId} and it worked.

Can't create working Shared Access Signature for Azure Files

I need to create a SAS so I can create an Azure SQL Extended Event session. The event session needs a file data storage target via SAS and I can't create one that works. Here's what I've tried:
Identified a storage account that's not blob; just general. I'm pretty sure I need general so I can create files directly.
Created a file share therein.
Using azure storage explorer, right clicked on that file share and selected, "Get Shared Access Signature."
Checked Read, Write, List and created.
This gives me the URL https://mystorageacct.file.core.windows.net/xevents?st=2018-12-25T16%3A29%3A51Z&se=2018-12-29T16%3A29%3A00Z&sp=rwl&sv=2018-03-28&sr=s&sig=mysig
If I just try to follow this URL or create a CloudFile object with it in code, I get the oft-seen error, Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. Signature did not match. String to sign used was rwl 2018-12-25T16:29:51Z 2018-12-29T16:29:00Z /file/cs7f0fbc5104d4ax435dx883/$root 2018-03-28
Tried adding in comp=list&restype=container as suggested here. No joy.
Ensured I have no access policy in use.
Went to the azure portal and created a different SAS at the storage account level (couldn't see a way to create it on the file share). That gave me this "File service SAS URL": https://mystorageacct.file.core.windows.net/?sv=2018-03-28&ss=bfqt&srt=sco&sp=rwdlacup&se=2018-12-30T01:25:16Z&st=2018-12-26T17:25:16Z&spr=https&sig=mysig
If I try that URL I get Value for one of the query parameters specified in the request URI is invalid. I don't know which parameter is in question, they look fine to me, but I don't know what the value srt=sco indicates. Based on this doc srt is resource type, but I don't know what the value sco indicates.
Very confused, looking for suggestions.
For any future readers, extended event sessions confusingly (because they write a file) require blob containers, not general/file/queue containers. At least I could only get them to work that way.
You are probably confused by how the SAS URLs are presented. In fact, the SAS URLs you got just provide examples of how to use the SAS token, they can't be used directly. Hence you saw those errors occur.
Service-level SAS URL, i.e. the one you got from Storage Explorer.
It's in the format of fileEndPoint/fileShareName?SASToken. The SASToken gives us permission to operate on all files inside the specified file share. To leverage the token, we need to add fileName in the URL, i.e. fileEndPoint/fileShareName/fileName?SASToken.
comp=list&restype=container is to list blobs in Blob Container, not for File Share.
Account-Level SAS URL, the one you got form Azure portal.
It's in the format of fileEndPoint/?SASToken. Likewise, we need to complement the URL to make it valid, i.e. fileEndPoint/fileShareName/fileName?SASToken. Note that this SASToken has all permission on all Storage resources because all choices are checked.
sco means we have permission to operate on service, container, and object, which indicates the scope of permission, check doc for details.
I am not familiar with Azure SQL Extended Event session, but if you only need to work with files inside one file share, 1st is enough.

File Upload: File Upload URL not provided

I've been trying to get file uploads to work, following the instructions for both Dropbox and S3 but each time I just get this message:
File Upload URL not provided
It doesn't seem to be making any calls to the server. I've found this mention of a bug around file uploads:
https://github.com/formio/ngFormio/issues/322
But I suspect that applies if you're hosting it yourself. I'm using the cloud version.
I've configured it with e.g. the S3 bucket's URL, authentication etc.
What does this error actually mean?
Update: here's the syntax I'm using:
<formio form="https://formview.io/#/xxxxxxxxxxxxxxxxxxx/applicationform" url="'https://formview.io/#/xxxxxxxxxxxxxxxxxxx/applicationform'"></formio>
Thanks
In order to make the uploads work, you need to provide the URL of your form, which is used to generate the upload token to upload the files to the 3rd party providers. This can be done in one of two ways.
<formio src="'https://examples.form.io/example'"></formio>
You would use above if you wish to render the form from the JSON REST API of the form. In many cases, you may wish to provide the actual form object (which I suspect is what you are doing) like so.
<formio form="{...}"></formio>
This works fine for rendering the form, but it does not provide the URL context for file uploads. For this reason, we have the url parameter which you can include along with your form object for file uploads to work.
<formio form="{...}" url="'https://examples.form.io/example'"></formio>
Providing the url this way is passive. The form will not try to submit to that url, but rather just use it as the url configuration for file uploads.

How can I restrict a user's access to just a single node of an AEM website?

I'd like to restrict a user's access to just a specific node within an AEM website. I want them to be able to manage a blog; they should be able to view the blog (of course), add/edit/delete entries/comments, upload photos, add/remove other collaborators, etc. However, I don't want them to have access to or even see anything else within AEM.
I have tried giving access to just the blog node under the content path (/content/geometrixx/en/blog), but when I try to log into AEM as this user and edit the blog (localhost:4502/cf#/content/geometrixx/en/blog.html), I get the following error:
No resource found
Cannot serve request to /cf in /libs/sling/servlet/errorhandler/404.jsp
I've tried giving write access to the /content/geometrixx/en/blog node and read access to everything else, and it seems to work, but of course, the user is able to see way too much. It would seem there is some particular node that a user must have read access to in order to edit content nodes, but I'm not sure what that is. Any ideas?
I would go to the /useradmin, chose the user, and in the Permissions tab I would allow access to the below and its child pages:
/content/geometrixx/en/blog - allow read modify create delete replicate
/apps/geometrixx/ - allow read only
/etc/designs/geometrixx - allow read only
/libs - allow read only
/etc/clientlibs - allow read only (optional)
/etc/workflow - allow read only (optional)
This is roughly the solution I use in our setup. As you are aware, you need to give at least read-only to the directories where cq components sit, as well as the components from your application, in this case geometrixx.
edit: Also useful to read: https://helpx.adobe.com/experience-manager/kb/CQ53ACLsMappingToCRX2.html
Most importantly you really need to understand the different pieces of functionality of cq, where they reside (/libs, /apps/, /etc/, etc...) and what is required to have a page properly rendered.
Is it a requirement you have for both author and publisher?
Reading https://jackrabbit.apache.org/api/2.2/org/apache/jackrabbit/core/security/authorization/GlobPattern.html can also help you set ACLs.
I suggest you create a custom group with deny jcr:all on /, and then set the ACL as described by dex and test to see if it helps.
can you try to give the modified access instead of read access,
/content/geometrixx/en/blog - allow read modify
As you need access to single blog node and its jcr:content

Bucket URL access denied

I created my first bucket, and when trying to access it by typing storage.googleapis.com/mybucket, I get the following in my browser. I am totally ignorant in respect to all things code, and only would like to be able to solve this issue in order to be able to use a WordPress plugin, WP2Cloud, which integrates Google Cloud Storage with WordPress. Here's what's in my browser:
This XML file does not appear to have any style information associated with it. The document tree is shown below.
<Error>
<Code>AccessDenied</Code>
<Message>Access denied.</Message>
</Error
Any help will be appreciated!
You can not use storage.googleapis.com/mybucket or mybucket.storage.googleapis.com directly from browser. You need to pass GoogleAccessId,Expires, Signature.
If you want to use from browser you need to use Signed URLs
https://developers.google.com/storage/docs/accesscontrol#Signed-URLs
example of Signed-URLs:
http://mybucket.storage.googleapis.com/testdata.txt?GoogleAccessId=1234567890123#developer.gserviceaccount.com&Expires=1331155464&Signature=BClz9e4UA2MRRDX62TPd8sNpUCxVsqUDG3YGPWvPcwN%2BmWBPqwgUYcOSszCPlgWREeF7oPGowkeKk7J4WApzkzxERdOQmAdrvshKSzUHg8Jqp1lw9tbiJfE2ExdOOIoJVmGLoDeAGnfzCd4fTsWcLbal9sFpqXsQI8IQi1493mw%3D