Visibility of files and folders using the Google Drive API

I have a simple Web Application (built using Django) and I am trying to use the Python Google Drive API to access a personal Google Drive (not a Workspace).

My Web application is using credentials created under OAuth2, which is authorized by our charity's Gmail account - an account managed by me on behalf of the charity.

My Web application is able to create folders and upload files to this Google Drive, and they show up on the Browser interface (and can be seen by others who have access to this drive).

My application is able to use the drive.files().list() and drive.files().get() interfaces to see files and folders that have been created by this code.

However my application cannot see folders created by the same user through the Browser interface - despite the Browser showing that the owner is exactly the same as the owner of those folders created by the Application code. Any attempt to find those folders or get their data using the id results in a 404 error.

I can’t even get metadata on those Browser created folders using their file IDs - it is as if those files don’t exist within the Drive.

My first assumption was that the issue was to do with scopes, so my application currently initializes the drive service using the “…/auth/drive.file”, “…/auth/drive”, “…/auth/drive.install”, “…/auth/drive.metadata.readonly” scopes.

I am now at a complete loss as to why my App can only see the files and folders it creates, but can’t see files and folders created by the same user via the Browser.

It must be something fundamental - I can’t imagine that the API is designed this way.

The Root Cause: Stale Tokens

The most likely reason your app can’t see browser-created files is that your application is still operating under the …/auth/drive.file scope, even though you added the full …/auth/drive scope to your code.

• …/auth/drive.file: This is “permissive restricted” access. It only allows the app to see files it created itself or files the user explicitly opens with the app.

• …/auth/drive: This provides full access to all files.

The catch: When you change scopes in your Django code, Google does not automatically update the existing token.json (or database-stored credential) on your server. Your app is likely still sending an old Access Token that was minted when only the .file scope was present.

The Solution: The “Nuclear” Refresh

To fix this, you need to force a re-authorization flow to ensure the new, broader scopes are actually granted by the user.

1. Delete your local token storage: Find the file (usually token.json or pickle) or the database entry where your Django app stores the user’s credentials. Delete it.

2. Restart the OAuth Flow: Run your application again. It should redirect you to the Google “Sign In” screen.

3. Verify the Consent Screen: You should see a more “scary” warning or a checkbox asking for permission to “See, edit, create, and delete all of your Google Drive files.”

4. Test: Once the new token is saved, your list() and get() calls should now return the folders created via the browser.

Important Technical Considerations

1. The q Parameter in list()

If you are using drive.files().list(), ensure you aren’t accidentally filtering your results. By default, list() should see everything with the full scope, but check that you aren’t filtering by appProperties or other metadata that only exists on app-created files.

2. Trash Status

Files created in the browser that are in the Trash will often return a 404 via the API unless you specifically query for trashed items. Ensure the folders you are testing are in the root or a visible directory.

3. Service Accounts vs. OAuth2

You mentioned using OAuth2 with the charity’s Gmail. If you ever switch to a Service Account, remember that a Service Account has its own Drive. It cannot see your charity account’s files unless you explicitly Share those folders with the Service Account’s email address. However, since you are using OAuth2, the “Stale Token” theory is the 99% probable culprit.

Reference

"The https://www.googleapis.com/auth/drive.file scope only grants access to files created or opened by the app. For broad access, https://www.googleapis.com/auth/drive is required."

Source: Google Drive API v3 - Choose Scopes
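
A way to confirm the stale-token diagnosis before deleting anything, added here as an example and not code from either poster: compare the scopes the code requests with the scopes recorded in the saved credential. It assumes the saved credential is JSON with a "scopes" list (the layout of a typical token.json) or a tokeninfo-style space-separated "scope" string; `audit_token`, `granted_scopes` and the sample tokens are hypothetical names and constructed data.

```python
import json

BASE = "https://www.googleapis.com/auth/"
# Scopes under which the API returns files the app did not create.
# The thread names drive and drive.file; the read-only entries are added here.
SEES_ALL_FILES = {BASE + s for s in
                  ("drive", "drive.readonly", "drive.metadata", "drive.metadata.readonly")}


def granted_scopes(record):
    """Scopes carried by a stored credential or a tokeninfo-style response."""
    if "scopes" in record:                 # list form (assumed token.json layout)
        value = record["scopes"] or []
    else:                                  # space-separated "scope" string form
        value = record.get("scope", "")
    if isinstance(value, str):
        value = value.split()
    return set(value)


def audit_token(stored_json, requested):
    """Compare what the code requests with what the saved token was granted."""
    granted = granted_scopes(json.loads(stored_json))
    missing = sorted(set(requested) - granted)
    return {
        "missing": missing,                               # requested, never granted
        "sees_all_files": bool(granted & SEES_ALL_FILES),  # False => app-created only
        "reauthorize": bool(missing),                     # True => rerun consent flow
    }


# The four scopes listed in the question, written out in full.
REQUESTED = [BASE + s for s in
             ("drive.file", "drive", "drive.install", "drive.metadata.readonly")]

# Constructed sample: token saved before the broader scopes were added to the code.
STALE = json.dumps({"token": "ya29.EXAMPLE", "refresh_token": "1//EXAMPLE",
                    "scopes": [BASE + "drive.file"]})
# Constructed sample: token saved after the user re-consented to every scope.
FRESH = json.dumps({"token": "ya29.EXAMPLE", "refresh_token": "1//EXAMPLE",
                    "scopes": REQUESTED})

if __name__ == "__main__":
    for name, blob in (("stale", STALE), ("fresh", FRESH)):
        print(name, audit_token(blob, REQUESTED))
```

Running the same check at application start-up also catches the case where the user unticks a permission on the consent screen, since the granted set is then smaller than the requested one.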


Thank you.
Bizarrely I was starting to wonder if I need to throw my credentials away on my app and re-authorize as you suggested.

Your message not only confirmed my guess but also gave an explanation - so thank you.
