I am building a Facebook app that has the ability for others to submit stories, and if they publish this story to "Everyone", then anyone, even people who aren't their friends, can see the story. I want to add the user's profile pic to the story. I know that you can access this via:
https://graph.facebook.com/<userId>/picture
However, I do not want to expose the user's userId this way. Someone could just view the source, see their userId in the src URL and then the person's privacy has just been compromised.
I want to hide the userId so that this type of privacy leakage is NOT possible.
Is there a way to do this, or is my only option to save a non-profile image for the user?
They will always be a way to identify a user from their profile pic, assuming they have one set and aren't just using the standard silhouette. The UID is part of the string that makes up our CDN urls for profile pics, so there's nothing that's 100% foolproof.
Your best course of action would likely be query the Facebook API and store the CDN URL directly from there before rendering - eg for me, querying
https://graph.facebook.com/260300016?fields=picture will return the URL for my current profile picture - https://fbcdn-profile-a.akamaihd.net/hprofile-ak-snc4/203337_260300016_1473273891_q.jpg
Related
In my app, I let users register/login with their social media accounts i.e. LinkedIn, Google and Facebook.
My question is once I get the profile picture URL for the user, should I save the image in my system OR am I allowed to simply save the URL and let the image be served from the user's social media account? I'm not even sure if I'd be allowed to save the image as technically it could be the property of LinkedIn, Google or Facebook.
The general recommendation is to use the profile picture URLs the networks provide. Those usually redirect to a CDN URL. It has the advantage that changes to profile pictures are “live” immediately, and you don’t have to worry about re-checking periodically.
Only if you are in a situation where you have to show a massive amount of profile pics at once and the redirects are slowing stuff down, storing them on your system is an option to think about. But without any actual need, I would not go that route.
(And don’t store the actual CDN URLs; at least for Facebook, because they explicitly say those are to be considered “transient”, and will change over time.)
Did I miss sth or it is impossible to get link to user's timeline from Facebook Messenger API?
According to: https://developers.facebook.com/docs/messenger-platform/user-profile User Profile API doesn't return link in fields.
Is there any other option?
You would have to use the User Profile endpoint and use all the information for determining which Facebook user it matches to. If you image match the profile picture and match all the other information, and compare timezone to their location, it is probably possible, but it's probably not easy.
Making a workaround like this might not be a bad idea because Facebook seems to want to keep all the stuff seperate right now, as their user ID's are different for seemingly everything. The User Profile endpoint exists for personalization purposes, but it doesn't identify a user.
The user matching through login might also be useful as a outside of messenger solution, but I'm not sure exactly how that would be done.
I have a facebook token which is getting the graph.facebook.com/me/home url just fine. On posts with pictures, I would like to pull out the picture ID from the post so I can get detailed information about the sizes and urls to different images.
The problem is that on this feed, I don't see any "privacy" fields for most users. But the way these URLs work vary widely. For example, a photo can be viewed while logged out of facebook. A photo can be viewed as long as you are logged in as anyone. A photo is private. When I query graph.facebook.com/(photoID) most of the time I get false. Is there some permission that I should be getting from users that I don't have here? Is this restricted not by the user perhaps but by the permission of the friend's photo? I noticed that in at least one case, I cold only get "false" on a photoID, but logged in to my personal account (not knowing this person at all) I could see their photo fine. These inconsistent levels of security are confusing to me.
I would like a way to tell what kind of link this is going to be before I bother querying the photoID or sending the URL on for further processing. Is there a way to force an extra field on the feed or is there some field that contains the data that I'm just not seeing?
Its not exactly made clear by facebook.
Unfortunately, just because you don't have permission to look at a pictures details via the API doesn't mean you can't view the image. As far as I know, or the documentation explains, there is no way to know without attempting to display the picture to the user.
Either way, the API wouldn't return pictures the requesting user can't see, and I'm pretty sure caching the image's url for other users would be a violation of the ToS.
Does anyone know if Facebook Permissions will allow an app to display a photo of one app user to another, regardless of privacy settings?
I want to save photo id's to a database and then display many different users photos at once, to the user, within the app.
I could use fbml but am hoping to use xfbml.
Any suggestions would be much appreciated!
Facebook API restrictions are going to be exactly the same as the authenticated user ( assuming they grant you sufficient access). So if a user has access to photo's in another users gallery, you can display them. If they don't, you cannot.
However, if you save the Photo ID of a users picture, then want to display it to a different user later on, who does not have implicit rights to view that photo, they will not be able to see it.
Your app would be best served by taking a copy of the shared photo, which would take Facebook permissions completely out of the equation.
I'm building a site that allows users to sign in using their facebook account.
I want to cache nice big versions of the users profile pictures. I know that i'm not allowed to cache images for more than 24 hours so i'm going to re-fetch the images once every 24h.
I thought i could get the url of the image original like this:
$fb=new Facebook($key,$secret);
$query = "SELECT src_big FROM photo WHERE pid IN (SELECT cover_pid FROM album WHERE owner = ".$id." AND name = 'Profile Pictures')";
$imgurl = $fb->api_client->fql_query($query);
http://wiki.developers.facebook.com/index.php/Photo_(FQL)
But i get an exception saying "Requires user session". Why do i need a user session? Is there a workaround for this? How does other sites solve this?
If i have a user session it works for some users but not all. Why not?
Rules on photo accessibility are detailed with the Photos.get API method.
Privacy Note: Photos are visible on
the Facebook Platform only if the
photo owner has authorized the calling
application, or the photo owner has
not turned off access to the Platform.
The Photos.get method is essentialy a wrapper for querying the Photo FQL table so it follows the same rules.
Consider asking users for the offline_access extended permission so you can query their own photos even when they're not online. You'll need to store their session key in your database and make queries with that, but it will mean you can pull down the photos of users who have authorised your application whenever you want.
For when it sporadically works: Some users may have set privacy settings to disallow applications access to their profile pics.
Possibly some users might not have uploaded a profile pic.
Edit: From the (new)fb menus go to: Account > Privacy Settings > Applications and Websites > What you Share
(This page explains about how the user's privacy setting choices affect fb-enhanced websites)
In short the external website can only access what fb users have made available to 'Everyone'.