In the Graph API Reference it is stated that one can list members of group and permissions required for this action are
Any valid access token if the group's privacy setting is either OPEN or CLOSED.
Any valid access token implies that I could use App token. But using the Graph API Explorer and App Token, when the group is Closed, data returned is empty. This works only when the group is Public. If I try to use User Access Token, everything is fine.
Am I missing something here?
As it seems, it is a bug and facebook has confirmed it. Waiting for fix or at least documentation change.
Related
When making requests to the reachestimate endpoint in the Facebook Ads API (v2.4), we are receiving an "Unsupported get request" error (code 100) for some users, whereas it works for the majority. Here's what I know:
The requests are well-formed. We are providing the access token, ad account ID, currency, targeting spec, and API version. Except for ad account ID and access token, the parameters are identical between working and non-working requests.
According to the access token debugger, the access tokens are valid, never expire, and contain the ads_management scope.
I am able to use the same access token to successfully retrieve the Facebook page being promoted.
One theory was that perhaps the users did not have permission to view the pages that were being promoted. To test this, I added an alcohol restriction to one of the pages for which the reachestimate call did work, and changed the user's age to 20. I also blocked the country in which that user was located. The reachestimate call continued to work for that user, so thus that did not reproduce the issue.
Facebook seems to be providing a generic error that does not help determine the problem. I'm looking for any other ideas as to what it could be or how to identify it.
I recommend you to file a bug at https://developers.facebook.com/bugs/
And you should attach the full response including a field called fbtraceid in the bug. In this way we are able to looking to what happened to you.
I have written a Python script that makes some statistics for me and a couple of friends based on our posts and comments in them. I've been using it by getting a temporary token in Graph Explorer and copying it to the script before running it. So far I've been able to access friends' posts with API 1.0 (and for some time with 2.0, I assume that was a bug) but now the 1.0 API is getting closed and I'm running into an issue - while some of the /post requests are still accessible to me, many return an "Unsupported get request" error. I can only assume that I can't access these anymore unless I'm using their User Access Token.
I'm not sure what I can do now:
ask them to use Graph Explorer to provide me a temporary token. It works, is pretty secure with default permissions but I would have to do it every time I wanted to update the data.
make some sort of dummy app that they will log into once. I don't know if that violates any rules and if it will be removed immidetaly, I hope not. But I have no idea how to extract the user access token out of the app so I can use it in the script.
What's the "correct" way of doing this?
If the App is only for a specific group of people, it should be no problem. Just add your friends as Tester in the App so they can authorize it with the read_stream permission. Else you would need to go through a review process, and Facebook usually does not approve read_stream.
You don´t really need to handle the Access Token, just use the JavaScript SDK and read the stream of your friends whenever they visit your App.
Btw, you can get the Access Token in the callback response of FB.login. But it will only be valid for 2 hours, you can extend it to 60 days though. More information about extending Access Tokens: https://developers.facebook.com/docs/facebook-login/access-tokens
Easy solution: Create an entry page where your friends (who are Testers in the App) can authorize with read_stream. Right after authorization or refreshing the Token with FB.getLoginStatus, read their posts and store them.
Here´s some code to get you started on that entry page: http://www.devils-heaven.com/facebook-javascript-sdk-login/
...of course you can also just let your friends generated the Access Token manually. Information about that can be found in the Facebook docs (see Link above) or (for example) here: http://www.devils-heaven.com/facebook-access-tokens/ - they can then give you the Token, it will be valid for 60 days if it´s an extended one, or only 2 hours if it´s a default User Token.
I have created an application on developers.facebook.com from my profile. Get APP ID, APP SECRET and generate TOKEN. Now, when I send the request like
https://graph.facebook.com/search?q=media&type=page&access_token=MY_TOKEN
is ok, but when I try to send the request for GROUP, like
https://graph.facebook.com/search?q=media&type=group&access_token=MY_TOKEN
I get the error
The remote server returned an error: (403) Forbidden.
Seems I have permissions problem. I set the permissions friends_groups, user_friends, user_groups to the account, but.. still the same error...
Can you please tall me what am I doing wrong? Maybe I need a different token?
As I understand you're using an App AccessToken for an endpoint (object type) which needs a user AccessToken. See the docs at https://developers.facebook.com/docs/graph-api/using-graph-api/#search
It's stating
"All Graph API search queries require an access token included in the request. The type of access token you need depends on the type of search you're executing.
Searches across Page and Place objects requires an app access token.
All other endpoints require a user access token."
Several people have asked how to post photos using an app token and the general response seems to be that they should use a user token instead.
However, according to https://developers.facebook.com/docs/concepts/login/access-tokens-and-types/ :
"[y]ou can use app tokens to publish or delete content on behalf of a user who gave your app permissions".
and according to https://developers.facebook.com/docs/reference/api/photo/ :
"To publish a 'photo' object you need
-a valid access token
-publish_stream permission
"
The way I interpret those two statements is that I should be able to POST a photo to .../USER_ID/photos using a valid APP token.
However, when I try to do that I get the message "A user access token is required to request this resource". At the same time I can easily publish to .../USER_ID/feed using nothing but the APP token. It is also possible to submit stories containing "User Generated Photos" with only an APP token.
So an App can do those things with an APP token, but needs a USER-specific token for .../USER_ID/photos? I wonder if this behavior is by design? So far I have not found anything in the documentation to indicate that is the case.
I too was stuck at the same point as mentioned. And the documentation barely helped.
The workaround I used was to take the 'offline_access' permission while logging in and storing that temporary user access token given to the user.
While publishing the photo I used that offline user access token since the app access token didn't work. It worked like it should've although offline_access has been discouraged to be used...it seemed to be the only way for now.
When working with my app, or with the Graph API Explorer, I have learned that I can access some information about anybody. Take for example,
https://graph.facebook.com/btaylor.
This includes the topics 'feed' and 'posts', which need 'read_stream' permission. I can get the information, even though he has not extended such permission to my app that I know of. My question is, do 'read_stream' topics have an undocumented peculiar status that does not require permissions?
I'll answer your two questions separately.
First, read_stream permissions is not inconsistent. You will need an access token to read someone's stream, no exceptions. The inconsistency you're observing probably lies in the presence of the access token within the URL. For instance
https://graph.facebook.com/btaylor should not provide you with anything more than basic details because the URL does not contain an access token.
https://graph.facebook.com/btaylor?access_token=AAAAAAITEghMBAMFnukHXAQgLGCfnptZAkF41gIDFt7ycPYkRpGic5MoHkpB6CZCaT21PPyQDOjYo7Tn4mGFH7CyNW06kgrZAWbeTVt9YwZDZD will show you additional details because it does contain the access token. However, realize that the access token will expire at some point, so the above link might not work. This link with the proper access token can be found here: http://developers.facebook.com/docs/reference/api/#auth
When looking at btaylor's posts, https://graph.facebook.com/btaylor/posts will tell you you need an access token but https://graph.facebook.com/btaylor/posts?access_token=AAAAAAITEghMBAMFnukHXAQgLGCfnptZAkF41gIDFt7ycPYkRpGic5MoHkpB6CZCaT21PPyQDOjYo7Tn4mGFH7CyNW06kgrZAWbeTVt9YwZDZD will show you all the posts.
It's possible that the Graph API Explorer is caching the access token and sending it with your request without your knowledge, but this doesn't seem to be the case for me. Are you sure the access token is not present within the "Access Token" field?
Second, the reason that you can see data publicly on someone's Facebook profile is because of their Facebook privacy settings. Facebook privacy settings do not correlate at all to the permissions requested and given via the Graph API. You could have everything public on your Facebook profile but none of it (besides the basic information) will be available via the API. A user has to explicitly allow your application access to their information when using the API. As to "why" this is the case, it's probably due to privacy and spam. If everyone in the world had API access to all information a person provided publicly, there would probably be a whole lot more spam only allowing that information to be viewed on facebook.com.