We have already launched an application, but we clearly see now, that we need publish to wall permission (our approach with not requiring this from user and basing on invites doesn't work well). Can we do it? How to make sure, that users will be instantly notified about the need of accepting new permissions, rather than having our application malfunction, if they don't have them yet?
Basically, it will allow current user to perform only the permission they granted. But there is a trick to solve the malfunctioning of app as permission is changed.
Always put the permission button as first step for the application. So that if user has already given all the permission to app, it will automatically redirected to next_step mentioned. If there is all/any permission added, it will ask only for updated permission to users.
It will make your app work with new as well as old users.
Related
I've got an existing app with a few thousand users. I'd like to add extra functionality which necessitates requesting new permissions.
Will requesting the new permissions (essentially making a new review request) move my app into unpublished status? Or will it continue to function with the existing granted permissions while login review takes place for the new?
Might be a stupid question - but didn't see any documentation on it and want to ensure I'm not cutting off service for the 4-5 days that it takes them to review/approve/possibly deny.
Will requesting the new permissions (essentially making a new review request) move my app into unpublished status?
No. Review has nothing to do with the app’s status of being in development or live.
Or will it continue to function with the existing granted permissions while login review takes place for the new?
Yes, all permissions your app had already been granted previously will continue to work. Even if your newly submitted permissions would not be approved for some reason, the already approved ones stay approved.
(That is, of course, unless they find out now, that you app uses them for something that is not compliant with Platform Policy.)
I need only the basic permissions "email", "public_profile","user_friends" and I need all of them for my app to work.
FB login takes the user to permissions page and he/she can just uncheck email and user_friends and I will have to handle it separately.
Yes, I do understand the trust equation here that has been discussed in a lot of questions on SO.But a lot of apps somehow circumvent this. e.g. Uber
Uber is probably using an old App created before end of April 2014. Those basic permissions where included back then. In newer Apps you can´t force a user to authorize all permissions, he will always be able to skip the extended ones.
One good way is to use the "return_scopes" flag of FB.login and check if the user accepted the neccessary permissions right after the authorized your App: https://developers.facebook.com/docs/reference/javascript/FB.login/v2.2
First let me introduce the problem. I have site where I want to allow users to login using their Facebook account. Also I want to have possibility to post on users wall and access his email. I created Facebook app and every time not logged user comes to login page he clicks on Facebook button and gets to auth dialog of application where he must allow getting his email and on next screen allow posting on wall. To this dialog user gets with link which contains scope=email, publish_stream.
First question: When user clicks do not allow to post on wall, next time he uses this link he must again do that. Shouldn't Facebook remember this? I thought that I should not give the scope in link and use application setting where on permissions page a choose extended permissions. But these permissions are never asked for. Even when I enable referrals.
Second question: Is using FB application for this right? Should I not use fblogin?
Thank you.
When user clicks do not allow to post on wall, next time he uses this link he must again do that. Shouldnt facebook remember this?
No – because then there would be no way to ask a user for an extended permission once they’ve declined it.
Of course it might be annoying to the user to see that dialog asking for posting permission every time again when he just wants to login to your page.
That’s why Facebook themselves advise you to only ask for permissions you actually need for the current task. To provide the ability to log in to your site, you only need basic data and maybe email – so only ask for that, when the user is just logging in.
And then, when you come to the point where the user actively wants to share content through your app – then check if you got the necessary permission already, and ask them for it if it’s not present (by calling the auth dialog again, this time with the extended permission set in the scope parameter).
That way, it’s clear to the user why he gets asked for that permission at this point, and he doesn’t get hassled about it time and time again if he just only tries to log in.
I thought that I should not give the scope in link and use application setting where on permissions page a choose extended permissions. But these permissions are never asked for. Even when I enable refferals.
For these settings to have any effect, the connect to your app must happen in a way that actually triggers Authenticated Referrals. Doing the login by yourself in your app logic does not trigger this way of authentication.
I have users who have authorised my app and are using it. I now need to request further permissions on top of this and I remember reading that the Javascript SDK has some inbuilt methods which allow you to just request the permissions which have not already been handed over. I've looked around a fair bit but I can't find any information on this anymore.
Can someone confirm that this exists, and if possible, how I can do this? I actually switched from using the PHP SDK for the login just because I read about this feature!
You can actually do this in the php-sdk as well. What you need to do is inspect the permissions connection and see if the user has granted the required permission to your app
https://developers.facebook.com/docs/authentication/permissions/
If not you can either redirect them to the auth dialog, or prompt them with a button and explain why you want them to authenticate again.
You can view a sample response at
https://developers.facebook.com/tools/explorer/?method=GET&path=me%2Fpermissions
Alternatively,using the Auth Dialog
https://developers.facebook.com/docs/opengraph/authentication/
might also achieve what you are after, though this only works on referrals from Facebook I believe
It's the same procedure as with users who have disconfirmed a permission. In that case the documentation for invalid access tokens applies: https://developers.facebook.com/docs/authentication/access-token-expiration/
So, you just need to reauthenticate the user including the additional permissions in the scope parameter.
You should be able to check for granted permissions, then if they are not the same as the ones you need then just redirect them to log in with he extended permissions you require and that's it.
http://developers.facebook.com/docs/reference/fql/permissions/
Using stream.publish, I've tried the above by passing the application's id as the uid parameter, but it always gives me a Permissions Error. I've ensured that the extended permissions for "publish_stream" are set to allow, but it still gives me this error.
Is it possible to make posts appear as if they came from the application?
I had a similar problem to this. The easiest way to get your app to publish something is to use something like:
Facebook.streamPublish("I used this app")
This will prompt the user to update their status with the message "I used this app". This does not require any additional permissions and the final message contains a box saying it came via your app.
This should work fine if the user has given you extended permissions for offline access (which you can ask for when you request stream publishing permissions as well). More about that here:
http://wiki.developers.facebook.com/index.php/Extended_permissions
Once the user has given you offline access, you'll get a session key that doesn't expire, and you can use that to make calls on their behalf.
UPDATE: This is no longer necessary, given the end of offline permissions, as #Marty McVry notes. Even easier!