I've created a 6.x patch based on jamix's 5.x patch

As per Facebook's guidelines, "any Facebook Connect site that stores data about the user must register a Post-Remove URL." This patch provides a new page, fbconnect/unlink, that processes Facebook's POST notification after a user has unauthorized the app by unlinking their Facebook account from the website's one.

Make sure to set "Post-Remove Callback URL" in your app's settings to "http://www.yourwebsite.com/fbconnect/unlink" for this to work.

CommentFileSizeAuthor
fbconnect-unlink-6.x.patch1.15 KBsmooshy

Comments

shroge’s picture

shroge commented

I was looking at implementing this patch on my site so I was taking a look at the patch and noticed that the deletion of the user was taking place with a direct db call:

db_query('DELETE FROM {fbconnect_users} WHERE uid = %d', $uid['uid']);

I was thinking that it might be better if that was done with the user_delete call and check that you do not delete the 0 or 1 user:

if ( !empty($uid['uid']) && $uid['uid'] > 1 ) { // do not want to remove 0 or 1 no matter what
user_delete(null,$uid['uid']);
}

That way, any place that the user info has gotten into (users_roles, authmap) will be removed and so that module_invoke_all is called. I know that my module will need to do a bit of cleanup if a user is deleted.

smooshy’s picture

smooshy commented

Correct me if I'm wrong, but I don't think you want to delete the user. The purpose was to just unlink the facebook user profile from the user in the drupal db. Is my thinking wrong on this?

shroge’s picture

shroge commented

Looking at it again, I can see that a better option might be to have a variable for either just deleting the facebook connection info (thus leaving the user data in tact) or for deleting both the facebook connection info and the user entirely. I'm trying to make my site have the functionality where if a user on facebook removes the application, then their account on the site would also be deleted. That way I can keep the site a lot cleaner so that defunct account information and abandoned module nodes aren't hanging around out there. So with the variable option there would be a quick check to see if only the facebook connection info would be deleted or the entire user account deleted.

smooshy’s picture

smooshy commented

I see where you're going with that. If fbconnect is the ONLY way they were allowed to log into the site this make sense.

And yes, I agree that a variable might be best and it's probably good to make it clear to the user that that's what they would be doing if they remove the application from facebook. That all of their profile data on the drupal site and all of their history, comments, posts would no longer be associated with them.

It has the potential to be a dangerous operation. How often have you gone into facebook to remove applications just to clean things up a bit. Since they're no way in the facebook side of things to tell them that they would be deleting their profile on your site, this could potentially create data loss.

tsi’s picture

tsi commented

Should we expect this in a new release anytime soon ?

jamix’s picture

jamix commented

Thanks everyone for the feedback. The idea behind the patch's logic is exactly what smooshy described in #2. Facebook Connect allows existing website users to link their Facebook accounts, so we cannot blindly remove all Facebook-connected Drupal users who unauthorize the app in Facebook.

What we could do, though, is check whether the user actually created their website's account with Facebook Connect. If that is the case, we can remove Drupal's user record as well.

smooshy’s picture

smooshy commented
Status: Needs review » Needs work

I noticed a strange behavior in my testing that most of the time the db record in fbconnect_users is removed correctly but sometimes not. I don't know what is causing the discrepancy. It seems to be pretty random. How reliable is facebook's callback to the site? Is it guaranteed that it will make the callback? I haven't studied the api docs enough yet to know the answer.

jamix’s picture

jamix commented

It is strange. I tested it quite a few times, Facebook was calling the callback every time the app was unauthorized.

phpepe’s picture

phpepe commented

for version 6.x-1.8 you need to change one line to the patch:
db_query('DELETE FROM {fbconnect_users} WHERE uid = %d', $uid);
instead of
db_query('DELETE FROM {fbconnect_users} WHERE uid = %d', $uid['uid']);

smooshy: If you could solve the problem yet, could be due to this issue:
http://drupal.org/node/483282#comment-2118418

pribeh’s picture

pribeh commented

Hi I've noticed that this is now possible in fbconnect version 1.9 - hence should this issue not be closed?

I'm not sure I want to make a second request so I'm asking this here: when you uninstall fbconnect does this unlink all profiles from their facebook counterparts as far as FB is concerned? Or is there a way to mass disconnect (unlink) accounts?

vectoroc’s picture

vectoroc commented
Status: Needs work » Closed (fixed)

It does not. (If I understood you)
As I see simple way is recreate fb app and reinstall fbconnect module.