Recent Facebook Security Changes

Aug 10, 2010 at 11:46 AM

Hi,

I have had a Canvas app running on 3.1 (Facebook Developer ToolKit) for a while now. I have not looked at the app online for about 3 weeks and now find that new users are not getting all their permissions when registering with the app. So I removed the app from my account and added it again, only to find I now get this message after accepting the app's permission settings, which only seem to cover basic information:

"API Error Code: 100
API Error Description: Invalid parameter
Error Message: When enabling the profile selector, an app may not request permissions that do not apply to all profiles in the selector. Note: You are seeing this message because you are a developer of this application. For regular users, inapplicable permissions are silently ignored."

In my site master page constructor I set the following required permissions:

this.RequiredPermissions = new List<Enums.ExtendedPermissions>() { Enums.ExtendedPermissions.email, Enums.ExtendedPermissions.create_note, Enums.ExtendedPermissions.offline_access};

When I go to the application settings in my account, the only one present is "Publish content to my Wall"; neither the offline access nor email options are there...

Is this due to the new security stuff FB have implemented, and if so, is there a fix on the way?

Thanks,

Charles.

Aug 10, 2010 at 12:12 PM

I have altered my Migration settings and now no longer get the error message, but my canvas does not display. I am guessing it is giving a silent error now with the different Migration settings....

Any help with this would be greatly appreciated. The problem has only shown up as we have a round of testers trying the app out and I am finding they can't access the app or its functionality, but older users still can. As I have described above, having removed the app and reapplied it, I now can't get access to the app or its functionality.

Aug 10, 2010 at 3:49 PM

Hi,

I can confirm this issue with another pretty similar case. My application was also working for quite some time both on 3.0.1 and 3.1, but now got the same error (pretty much exactly in the same way). More specifically the problem is in the requiring of extended permissions. You can install/authorize the app itself and use pages with "RequiredPermissions = null". But once you try to load pages with RequiredPermissions set, you get the error.

Matta

Aug 10, 2010 at 5:38 PM

I'm also using 3.0 and haven't checked it in about a week, but if I'm having problems with mine, I'll make sure I come back to this post...

Aug 10, 2010 at 8:18 PM

Well, relieved it's not just me then, hope we get a response from the busy devs on this soon, and possibly a resolution, or maybe some guidance on what we are doing wrong :D

Great API by the way, just a shame FB breaks interfaces...

Aug 18, 2010 at 10:21 AM

Sorry to bump this, but is there any help/advice that can be offered?

Aug 22, 2010 at 3:49 PM

Hi,

I ended up doing a workaround using the OAuth/Graph API (essentially not using the RequiredPermissions). I added the following piece of code to the beginning of my master page:

<fb:if-is-app-user>
    <% 
        if (!CheckExtendedPermissions(Request))
            Response.Write("<fb:redirect url=https://graph.facebook.com/oauth/authorize?client_id=" + [YOUR_APP_ID] +
                              "&redirect_uri=" + System.Web.HttpUtility.UrlEncode("http://apps.facebook.com" + Request.Path )+
                              "&scope=[YOUR_EXTENDED_PERMISSIONS] />");
    %>
</fb:if-is-app-user>

The CheckExtendedPermissions is just a utility function that checks the "fb_sig_ext_perms" request parameter for all the necessary permissions. I.e. that will forward the user to the extended permissions prompt (which now has all of them in one page, yey), and then back to the original page.
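Added example (not part of the original post and not Toolkit code): one way such a CheckExtendedPermissions helper could be written so that "fb_sig_ext_perms" is only trusted after the canvas signature has been verified. The class name, the extra parameters, the comma-separated format of "fb_sig_ext_perms" and the legacy MD5 signing scheme used here are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class CanvasPermissions   // hypothetical name
{
    // Assumption: fb_sig is the lowercase hex MD5 of the sorted "name=value"
    // pairs of every fb_sig_* parameter (prefix removed) plus the app secret.
    public static bool HasValidSignature(NameValueCollection p, string appSecret)
    {
        const string prefix = "fb_sig_";
        var payload = new StringBuilder();
        var keys = p.AllKeys
            .Where(k => k != null && k.StartsWith(prefix, StringComparison.Ordinal))
            .OrderBy(k => k, StringComparer.Ordinal);
        foreach (var key in keys)
            payload.Append(key.Substring(prefix.Length)).Append('=').Append(p[key]);
        payload.Append(appSecret);

        string expected;
        using (var md5 = MD5.Create())
        {
            var hash = md5.ComputeHash(Encoding.UTF8.GetBytes(payload.ToString()));
            expected = BitConverter.ToString(hash).Replace("-", "").ToLowerInvariant();
        }
        // Compare without returning early on the first differing character.
        var given = p["fb_sig"] ?? "";
        int diff = expected.Length ^ given.Length;
        for (int i = 0; i < expected.Length && i < given.Length; i++)
            diff |= expected[i] ^ given[i];
        return diff == 0;
    }

    // True only when the request is signed and every required permission is
    // listed in fb_sig_ext_perms; an unsigned or tampered request counts as
    // "not granted", which sends the user back through the permission prompt.
    public static bool CheckExtendedPermissions(NameValueCollection p, string appSecret,
                                                IEnumerable<string> required)
    {
        if (!HasValidSignature(p, appSecret)) return false;
        var granted = new HashSet<string>(
            (p["fb_sig_ext_perms"] ?? "")
                .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
                .Select(s => s.Trim()),
            StringComparer.Ordinal);
        return required.All(r => granted.Contains(r));
    }
}
```

From a master page this would be called with Request.Params, the application secret from server-side configuration, and the same permission names that are passed in the scope parameter of the redirect.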

 

Aug 22, 2010 at 4:12 PM

Yes, I have removed this and written my own GET/POST API to the Facebook Graph API.

Shame this lib made it a bit easier...

Aug 22, 2010 at 4:29 PM

It does look a bit dubious for the Toolkit at the moment. Obviously the whole thing was written with the REST api in mind, and this new api is a major change. But the lack of developer updates seems to imply that Microsoft might not be "ponying up" for v4.0... Of course, it's open source...

Aug 25, 2010 at 1:35 PM

Not sure it's MS's fault, just the way these projects go sometimes. I would imagine the devs are just dead busy earning a living rather than patching this open source Toolkit.

Aug 26, 2010 at 12:37 PM
FrostyMatta wrote:

Hi,

I ended up doing a workaround using the OAuth/Graph API (essentially not using the RequiredPermissions). I added the following piece of code to the beginning of my master page:

<fb:if-is-app-user>
    <% 
        if (!CheckExtendedPermissions(Request))
            Response.Write("<fb:redirect url=https://graph.facebook.com/oauth/authorize?client_id=" + [YOUR_APP_ID] +
                              "&redirect_uri=" + System.Web.HttpUtility.UrlEncode("http://apps.facebook.com" + Request.Path )+
                              "&scope=[YOUR_EXTENDED_PERMISSIONS] />");
    %>
</fb:if-is-app-user>

The CheckExtendedPermissions is just a utility function that checks the "fb_sig_ext_perms" request parameter for all the necessary permissions. I.e. that will forward the user to the extended permissions prompt (which now has all of them in one page, yey), and then back to the original page.

 

Funny, I stumbled on the same solution. Wish I had found this post earlier, but I can confirm this works for us.