I developed a simple application on Facebook using PHP and I want to know how the people can add this application, and after adding the application a update is generated (e.g vipin join this application).
Thanks
Users don't add applications anymore. The closest they can get is bookmarking, which your application receives no notice of. The closest thing you can get to checking as a developer is checking is Users.isAppUser.
You also don't receive notice when a user grants/rejects permissions (which is generally a prerequisite to viewing your application).
Basically, you have to post notices and create feed entires in direct response to user action (unless they've granted you a perpetual session).
The old model of actually adding applications was all kinds of broken from a user experience point-of-view, so Facebook basically pulled the plug on it.
Yup, no more "Dude just added this app" messages in the newsfeed. However, Facebook will occasionally show "Dude uses the 'Thing' application" messages under the "highlights" section of a user's homepage. There's nothing you can do to encourage or discourage it -- it just happens.
Related
I'm trying to learn the development of Web Applications in JavaScript, and for this I am developing a simple Time Tracking application. I am developing this with ExtJS for dynamically creating the UI.
This would allow Employees to submit the time they have spent working on different projects, and allow the Managers, to add Projects to Users and so on.
Once the user signs in, I determine their role, and provide the appropriate UI (through JavaScript).
I was wondering what is the best and most secure way of doing this? (I am of course checking the authorization on the server side, so that no one can make changes by just calling my PHP Services via http get/post)
I asking from a perspective of disallowing a non authorized person, to even see the non-authorized UI, by fiddling with the JavaScript (from the FireBug console for example).
I was thinking of creating a Service which returns the appropriate script for creating the appropriate UI, through JSONP. It feels quite WTF-ey to me, so I was wondering if there was better way.
To build on naugtur's comment. You must always assume that there will be a very smart person that can build the UI for himself/herself, or fake any of the calls to the server that any part of the UI could do.
Based on that, the premise of the way you suggested towards the end of your question seems debunk to begin with. The easiest route once we settle that (I'm assuming your making a single-page application) would be to always dump all the javascript code right up front at the login screen and only allow the user to see what they need to based on their role (i.e. a card panel that has different cards for each role would be an example).
I would also like to add that on the backend of the application, you should always have security checks in place to make sure the user has the correct role for whatever action he is doing. If your application is internet facing, this is a necessity, there will always be that user who will look through your code and see what he can do maliciously or just for fun... or that guy on who wants to see what happens when he uses the debugger to create his own fake ajax calls with varying parameters.
I'm building a product that involves clients adding their FB app data into my product's dashboard.
In this case each client would have to go to developers.facebook.com/apps and create an app first.
I would want to have a button which says "Create App" in my website that when clicked, would create the app instantly for the client.
So is it possible to create a FB App from my website (with script, not manually) ??
Thanks in advance,
Altin.
It was possible couple of years ago, and now it's been removed.
First of all, I’d think about the question, “does every client really need their own app?”
Maybe it’d also be possible to have all of the stuff you’re planning to do (no details on that) under one app, and have it decide on what data to show based on the fact which client’s Facebook page it gets added to (if it’ll run as page tab app), or by some additional parameter passed to it when calling it. You could f.e. example automatically redirect to a sub-folder on your webspace based on this criteria, that displays individual pages for that client.
If that’s not an option, then yes, your clients will have to set up the basic app themselves (and therefor they’ll need a verified account) – and afterwards tell app id and secret to you. Many of the “advanced” app settings can then be set by you via script – look at what properties are marked as “(Editable via API)” here: https://developers.facebook.com/docs/reference/api/application/
(Although some of the basic settings, like category, description, logo etc. will still have to be set by your client themselves. But other, more “technical” stuff, that the client maybe doesn’t know about and doesn’t even want to be bothered with, like canvas/page tab URLs etc. can be set by you. I’d say that’s as good a compromise as you can get for such a scenario.)
There's one news-portal and its huge (site A). During production backwards, it has been even powered with some sort of a social networking stuff - not yet started, but about to start (soon site B).
Packed together looks great, but in some future there might be a lot of problems with maintaining the database, servers and stuff so I've been asked to separate it as I did. Site A goes on its own domain, site B also - databases are separated.
Now, I need to do the following: when user logs into site B (social site) and arrives to site A (portal) they should be instantly logged in there too (on a site A).
Any ideas how to do this - without duplicating entries to user tables?
EDIT:
Any other ideas instead of auth services? OpenId will just give us one user with 10 accounts, fakes and so on. How about cookie stuff or multi-database queries?
EDIT 2:
Well this is something hot.. unless its not April 1st joke and worth a try:
http://www.shawnhogan.com/2005/12/cross-database-join-with-mysql.html
You can use OpenID.
OpenID is an open standard that describes how users can be authenticated in a decentralized manner, eliminating the need for services to provide their own ad hoc systems and allowing users to consolidate their digital identities.
If you want to share some profile information (e.g. posts or photos) without giving access to your login and password you can use OAuth.
See if my answer here is of any use.
It's pretty simple, and only requires user information to be kept on one side. Where you need some information on the non-database side, you can just pass that information there using values in a query string, alongside the encrypted string.
Can you believe this?
$DB->query("SELECT * FROM table..."); // works of course...
$DB->query("SELECT * FROM another_database.table..."); // WORKS ALSO!
This guy is a miracle:
http://www.shawnhogan.com/2005/12/cross-database-join-with-mysql.html
I don't believe it, so simple at the end!
I'm using the server-side SDK to access Facebook Authentication.
After authorizing my app - even with the included example.php, I can go to App Privacy in settings then click on the app, then See Details in the Last data access section
And the dialog shows:
My App accessed the following information on your behalf:
Basic Information - Today
Likes, Music, TV, Movies, Books, Quotes, About Me, Hometown, Current City, Education History and Work History - Today
My Friends' Current Cities - Today
All I really need from the authentication is the userid and possibly name... I don't care about any other personal info. And yet even the example.php which is really basic seems to be requesting a lot.
Is there another way to authenticate without Facebook thinking I pulled all this data? I don't want users to be concerned about excessive data pulling when I'm not even pulling it.
The Stack Exchange authentication does not have this issue. It might be an issue in the PHP SDK?
The additional entries in the app access log are created for requests to the /me-object without a fields-parameter. So instead of accessing /me?access_token=xxx use /me?fields=id,name,...&access_token=...
Please note that the access log is not deleted when you remove an application. This may be quite confusing during testing because you will see old entries.
This could be me making extrapolations from the documentation (which given how it's organized, isn't too difficult to do) but did Facebook make some big changes to how application developers create and utilize test users?
To my recollection (and I last did this about a month ago), developers used to be able to go to a url from within a logged in account that would convert that user to a 'test user', who had no privileges in the public system but could serve as a test entity for publishing, getting permissions, etc. I had a test user setup via this method and had generated access tokens for him/her that were saved to the database.
Recently this all stopped working. My first instict was to print out the properties of the Facebook object I had created, and where once there had been the JSON decoded user data, there now was an exception from the CURL process that accessed the /me/ api endpoint.
Facebook GraphAPI – Uncaught EntCannotSeeExistenceException: The entity (class EntTestUser) backed by id 12345 cannot be seen by the current viewer 12345 (EntID: 12345)
Values obviously changed to protect the innocent. The userids were identical however, which made it strange that the user possessing ID 12345 for some reason had no rights to see 12345
I looked through the Facebook documentation and found their what seems to be their new logic for making the application itself create temporary test users and generate login URLs for them, something alot of people here are probably familiar with.
http://developers.facebook.com/blog/post/429
Has this system superceded the old one? It seems that acting on behalf of test user accounts generated via the old method is no longer permitted since they are not made "by" the application. I wrote some quick logic to test this new process with fixed access tokens and it worked - I should also mention that all the application logic functions as it originally did with no errors for real user accounts. Has anyone else experienced this with their Facebook api apps? Can we definitely say that these old access tokens/userids/accounts made via that old method are now effectively useless?
Thanks as ever.
http://developers.facebook.com/blog/post/475
I hate to break form and answer my own question, but from the comments enough people seem to be having this problem.
Digging through the developer updates today I finally found the above post (having already written workarounds, of course) Quoted:
We have removed the ability to turn
user accounts in test accounts as
mentioned here to prevent
unintentional conversions of real
accounts into test accounts. The
proper way to create test accounts is
by using the accounts connection of
App Graph Object.
This tiny notification was mixed in with the updates for March. Probably should RSS their developer blog so these things don't take me by suprise again! This particular update became effective March 4th. In any event, it's good to have a conclusive answer right from the source.