Facebook API tab settings security - facebook

I am working on a Facebook App that adds a tab to fan pages. Admins of those pages should be able to edit some settings for the tab.
So I created a settings script for that. If an admin wants to edit something, he or she is sent to http://mydomain/settings.php?fb_page_id=theirpageid
How can I verify that the person loading that page is actually authorized to change those settings? For example, if I knew the page ID for some other page that uses my tab (and the id of a page is right in the URL of the page) I could get into their settings.
The only thing in the request array is the page id.
Thanks in advance,
Tim
UPDATE:
The only solution I've come up with is asking the user to sign in with facebook and then checking the rights, but this is something I'd like to avoid, as it's another step for the user.

The best practice for this would be to authorise the user to your admin page with the manage_pages permission.
With this permission you can see which Apps / Fan Pages that particular user is an admin of by making a request to:
https://graph.facebook.com/me/accounts?access_token=VALID_ACCESS_TOKEN
So you can easily judge whether the user has valid admin access rights to a page with your application tab installed.

Updating access token for Facebook

My situation:
On my company's page, there is a sidebar which displays wall posts from the company's Facebook page. The previous admin of the page resigned and made another employee the admin. Now, instead of the wall feed, we are seeing "The user must be an administrator of the page in order to impersonate it." in the sidebar.
I have tried several suggestions from SO, but nothing has worked. This seems ridiculously complicated, but maybe it's just me. Any help would be appreciated.
EDIT
This is the URL I tried:
https://graph.facebook.com/oauth/authorize?client_id=MY_CLIENT_ID&redirect_uri=MY_REDIRECT_URL&scope=manage_pages,user_status,user_videos,read_stream,offline_access
Are you using HootSuite?
The reason is probably that you still use a User Access Token of the old Admin, who is not an Admin anymore.
It'd be better if you use a Page Access Token (if you can set this manually somewhere in your application). You can get a new Page Access Token for your new Admin via the
GET /me/accounts
endpoint if the new Admin is logged in: https://developers.facebook.com/tools/explorer?method=GET&path=me%2Faccounts

How to make a FB Page tab App visible to users who don't have FB account

I'm working on a Facebook App which is a page tab.
I'd like to make that app visible to everyone, including users who don't have an FB account.
I tried
FB.init({
  status: false // previously it was true
});
but it didn't work out.
I also changed, in this url https://www.facebook.com/settings?tab=applications,
App visibility to "public" and also changed Age restrictions and Country restrictions to "everyone", but it didn't work out.
The page is visible to everyone but on clicking the page tab, it redirects to the facebook login page.
Could someone tell me how to correct it?
For me it wasn't anything in #Igy's answer, all my restrictions were off. In the Developers page, select your app from the App dropdown, select Status & Review, then toggle the first thing (Do you want to make this app and all its live features available to the general public?) to Yes. That did it for me.
All Facebook page tab apps are available to users who don't have a Facebook account / are not logged in unless one of the following is true:
You've applied demographic restrictions to the page
You've applied demographic restrictions to the app
You've done something in your app's code which requires the user to be logged into Facebook, for example, if you auto-redirect people to the OAuth dialog
Here's an example: https://www.facebook.com/cocacola/app_1407266749487557
Screenshot when logged out:
Dani, if you're being redirected, it might mean that your page - not the tab but the page itself - is not public. You can go to the page settings and edit the Page Visibility option.

Facebook Permissions Dialog in Page

I've created an app that works fine, however if the user has not authorized my app yet, they have to do the following (assuming they are in facebook AND logged in) -
go to my app
click login/authorize
popup with facebook permissions opens
accept in the popup
However I noticed with Zynga games like Mafia Wars 1/2, Farmville etc, when you go to the app, if it hasn't been authorized, it takes you straight to the permissions which is in a PAGE and not a popup, thereby eliminating one step. Also, the permissions dialog is full width; there is no app sidebar.
Does anyone know how I can duplicate this flow? It would be much easier to have users authorize within a facebook page rather than through a popup. How can I get permissions inside the page?
thanks in advance
Once a user visits a Page tab with your application, you can check if he is connected with your application by comparing the Page ID with the User ID in the signed_request; for unauthorized users the IDs will be the same. In that case you can start the authentication flow by redirecting the user's browser to the "login url".
If you want it to be full page just do the redirect with JavaScript like this:
window.top.location = 'https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&scope=COMMA_SEPARATED_PERMISSIONS';
If you are using PHP you can construct the Login URL by calling the Facebook->getLoginUrl method.
Read the docs on Facebook authentication

can't find post-authorize URL on facebook APP page

I am making a Facebook App which will be only used for Facebook Pages.
I need to provide a post-authorize URL to make some action on Database when a user adds the app to their page.
But I cannot find any place to enter the URL.
Can someone help me?
EDIT: User will only Add App to their page from Application Profile Page on FB
There is no such thing as a "post-authorize URL" for applications working as a Page tab. You will never know the identity of the user who added your application to a page via the application profile page.
Adding an application to a page doesn't mean that the owner of the page authorized the app.
The signed request contains information about the page and the user interacting with the page tab application, so you may know if the user is an admin of the page, has liked the page, and some additional details; it will include personal details only if the user authorized the application, which should be done as a separate step.
The way I'd do it:
1. List all the PAGE IDs on which your user is admin:
FQL: select page_id from page_admin where uid=me()
2. When a page loads your application, using the data contained in the signed_request POST parameter, look if the current page is a new page (just assign a boolean in the database to know if the page is already using the application or is new), and if the page is in fact using the app for the first time, look if you have the admin in your database (remember? you have linked the PAGE ID and the ADMIN ID together in #1).
3. From there, you can do whatever you want: display an "application not yet authorized" message instead of the normal app in order to wait for the user to pay you, etc...

How to determine if an app is authorized to a fan page

Forgive me if this has been asked before, but I was unable to find an answer to what seems a simple question. I have an app that is authorized to a user & user's fan page via a process from a website I've constructed. The process is this:
Visit Website --> authorize website to view list of fan pages --> Select Fan Page to install app to --> Authorize app to user account --> Authorize app to Fan Page
I've got all that working (a process, let me tell you), and everything functions as intended. I'm working on an admin interface to manage the app which is not housed in the Canvas App location but on the website itself. I haven't found a way to figure out if the app is installed or not. It appears that the Graph API / FQL doesn't support this.
My two issues are:
I have the user id & the fan page id but I can't figure out whether said fan page has my app authorized or not. Depending on this answer will determine whether I show the "Install This App" panel or the Administration panel.
I've read that the best method is to store the userid when the app is initially authorized, but after the app is authorized, the user is sent to the Fan Page's Wall and I can't figure out how to notify my iframe app.
[edit] I misunderstood your question and thought you had less implemented than you seem to have: If you have manage_pages permission for a user, you can get the Page access token for each of their pages, and access a list of apps currently installed as tabs on that page - the instructions are at https://developers.facebook.com/docs/reference/api/page/#tabs
[/edit]
Each request made to your app's 'page tab url' will include a signed_request parameter.
The method to decode it is explained at https://developers.facebook.com/docs/authentication/signed_request/ - when your app is loaded on a page tab you'll get the 'page' parameter.
So:
The first time the tab provided by your app is loaded on a new page, you can detect the page ID from the signed request.
This callback will also tell you if the user currently looking at the page tab is an admin of that page (which can be useful for your own edit interface, if applicable)
If you haven't already got an interface where the app user tells you which pages they admin you can get a list of all the pages that user administers by accessing the 'accounts' property on their user object (/me/accounts in the Graph API) once you have the manage_pages permission
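The signed_request check described in this answer (and in the "The way I'd do it" answer above) is also the fix for the first question on this page: take the page id and the admin flag from the verified signed_request instead of trusting an fb_page_id query parameter. Added example, not code from any of the posts; the app secret and the sample payloads are constructed for the demonstration, and the signing helper mirrors the documented base64url(sig).base64url(json) format:

```python
import base64
import hashlib
import hmac
import json

APP_SECRET = "example-app-secret"  # constructed for this example, not a real secret


def b64url_decode(s: str) -> bytes:
    # Facebook strips base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def parse_signed_request(signed_request: str, app_secret: str) -> dict:
    """Verify the HMAC-SHA256 signature and return the decoded payload.
    Raises ValueError for a malformed or tampered request, so nothing in
    the payload is trusted until the signature has been checked."""
    if signed_request.count(".") != 1:
        raise ValueError("signed_request must look like '<sig>.<payload>'")
    encoded_sig, payload = signed_request.split(".")
    expected = hmac.new(app_secret.encode(), payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(encoded_sig), expected):
        raise ValueError("signature does not match app secret")
    data = json.loads(b64url_decode(payload))
    if str(data.get("algorithm", "")).upper() != "HMAC-SHA256":
        raise ValueError("unexpected signing algorithm")
    return data


def authorized_page_id(signed_request: str, app_secret: str):
    """Return the page id the viewer administers, or None.
    The id comes from the verified payload, never from a query string
    such as fb_page_id that any visitor can rewrite."""
    page = parse_signed_request(signed_request, app_secret).get("page") or {}
    return str(page["id"]) if page.get("admin") is True and "id" in page else None


def make_signed_request(payload: dict, app_secret: str) -> str:
    """Sign a payload the way Facebook does, to build sample requests offline."""
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b"=")
    sig = hmac.new(app_secret.encode(), body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(sig).rstrip(b"=").decode() + "." + body.decode()


# Constructed sample: an admin viewing the tab on page 123.
SAMPLE_ADMIN_REQUEST = make_signed_request(
    {"algorithm": "HMAC-SHA256", "page": {"id": "123", "liked": True, "admin": True}},
    APP_SECRET,
)
```

In settings.php terms, the handler would read the POSTed signed_request, call authorized_page_id, and refuse to show the settings form when it returns None.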
can you keep track of who has the app authorized in a database on your website?
i.e. call a script on your website server from your app that returns whether or not the user has authorized the app.