Needs work
Project:
Drupal for Facebook
Version:
6.x-3.x-dev
Component:
Code
Priority:
Normal
Category:
Feature request
Assigned:
Unassigned
Issue tags:
Reporter:
Created:
21 Jun 2010 at 16:16 UTC
Updated:
25 Jun 2011 at 02:45 UTC
Jump to comment: Most recent file
Comments
Comment #1
jaypark commentedFound your comment in fb_canvas.module, // @TODO - new libs provide no require_login equivalent.
looks like FB has made the decision for us - that would seem to be the better business decision for facebook, although that option did something important for DFFB apps: it provided the automatic registration and login for every FB user who visited the app at the outset.
So, for example, when visiting http://apps.facebook.com/drupalforfacebook/ for the first time, and not knowing to go to user/login for the standard login/FB connect page, a user can't comment because they're not logged in. You could provide a login/FB connect box - but doesn't that seem redundant for a user who's already at facebook.com and logged in?
I'm wondering what the best way to provide the end user a seamless transition to the application would be, given there is no require_login equivalent.
Thanks Dave. BTW, the new fb php api seems to have resolved a lot of the redirect/rewrite issues I was having with 2.x; DFFB is maturing beautifully.
Comment #2
Dave Cohen commentedIt surprises me, but I've yet to find any equivalent of require_login() for the new libraries. Just an api that facebook dropped along the way.
On apps.facebook.com/drupalforfacebook, I present a facebook login button on pages where it might be needed, like http://apps.facebook.com/dave-dforfb/node/7/dff_tour/identity.
But maybe I haven't found all the right places.
Comment #3
jaypark commentedusually there are links to login or register, to post comments for example, but at a.f.c/drupalforfacebook those links aren't present for anonymous users and if you're logged into fb or not.
Comment #4
Dave Cohen commentedI removed the regular drupal registration, not because it couldn't be supported, but because spam became too much a problem even with mollom enabled. By allowing only facebook login, spam has been reduced.
Comment #5
dipen chaudhary commentedI am facing the similar issues with 6.3 and other issues for 6.2 (maybe in a separate issue), my iframe canvas app needs to know the currently fb logged in user for the following:
1> I need to personalize content that get displayed in the canvas on the basis of gender.
2> The good old functionality of creating a local account that currently works with 6.2 upon authorization.
Can you please confirm if my understanding is right abt 6.3:
1> In 6.3 branch of this module, the authorization of canvas app doesn't happen as intended and hence local account doesn't get created automatically (given specified in the app settings) as it happened in 6.2.
2> The Javascript SDK if used can fill in for above, which I think is the preferred way according to recent docs - http://developers.facebook.com/docs/authentication/ ?
3> 6.3 branch is based on graph api? Looks like after looking the sdk code.
Also I observed that drupalforfacebook doesn't automagically create local account when I first visit it from a fb user who has never seen it before, though I can go to /user/login to see fb connect.
All in all, would it be wise to develop fb application which requires local accounts creation based on fb data? I am willing to help on this as I will spend this week on couple of applications I need to expose via drupal. Let me know what are the good avenues for improvement in 6.3 branch which can use some help.
Comment #6
Dave Cohen commentedFacebook has eliminated require_login. They've added FB.login.
It might be possible to replicate the require_login feature, using FB.login. I plan to do something along these lines, but I'm not sure exactly how it will work. I want to give module developers an easy way to require login for some pages but not others. Perhaps integrating with the drupal menu system, or putting logic into a hook.
Facebook wants apps to stop requiring login on all pages, and only call FB.login in response to some event, like the user clicking a particular button.
Comment #7
Dan Silver commentedLooks like I'm a little late to the party. I read through this issue page and couldn't find the answer. So, is there a way to require authorization when the user goes to a canvas page?
Thanks!
Comment #8
Nabulaer commentedaccording to this : http://developers.facebook.com/docs/authentication/canvas If the signed_request does not contain the user_id parameter, you should prompt the user to authorize your app. You can use one of several different ways to handle authorization ranging from the Login Button to manually performing the OAuth2.0 flow your Web server.
can that be added to the module to enable canvas authorization ?
Comment #9
Nabulaer commentedfrom doing some more investigation with 6.x-3.x-dev I found a function in fb.module : function fb_require_authorization($fb = NULL, $destination = NULL) that should do the trick.
So I changed fb_canvas.admin.inc line 97 to true
and in fb_canvas.module line 222 :
and add on line 117 :
and it works. I get basic authorization. now just to add extended permission support from contrib module.
Comment #10
Dave Cohen commentedGlad you found fb_require_authorization(), I only just added it last week, and am still experimenting with it. The idea is you can call it from any pages that need authorization. But if it works, it works for this feature, too. I'll try to get this into 3.0 release.
Comment #11
WildBill commentedIf I understand you guys correctly, Facebook is discouraging apps from requiring immediate authorization before they can be used.
In my case however, virtually every action in my app (mainly uploading and flagging pics) will require the user to have authorized it first. There's not really anything an "anonymous" user can do. To make the user click the "Connect" button after they've already navigated to the canvas page seems redundant and not really an ideal user experience. Is there any way to force the authorization at the beginning? I'm not sure I understand Nabulaer's instructions above, and I'm a bit wary of using the dev version, unless maybe I'm being overly cautious?
Any help is greatly appreciated for this excellent and crucial module.
Comment #12
WildBill commentedShould I use the 2.x branch instead? Some of the comments above would seem to indicate that... although it seems weird to downgrade...
Comment #13
WildBill commentedIt took a while for me to understand what to do, but I applied the changes in comment #9 to the 6.x-3.0-rc8 version and it worked — forced app authorization the very first time someone views the app.
However, I've noticed that the extended permissions I've selected in the app admin screen are not being requested in the popup dialog. They _are_ requested when I click the Facebook Connect button, so I'm assuming it's something in the way that the immediate authorization request is triggered. Where would I be able to enter these permissions values manually? I know hard-coding is not ideal, but in my case there's no other choice, right? There's also the distinct possibility that I'm being dense...
Comment #14
Dave Cohen commentedIf you take a close look at fb_require_authorization() you'll see a comment that the extended perms are still a TODO item. Likewise what to do if the user skips the authorization.
Yes, facebook no longer expects applications to require authorization on every page. Its just a good idea to have a page describing what your application is about, or some sort of access denied page. That's why fb_require_authorization is not fully implemented - it is not the best approach.
Still I'd welcome any patch that improves fb_require_authorization(). And a proper patch for the changes described in #9.
Comment #15
WildBill commentedHere are patches for fb_canvas.admin.inc and fb_canvas.module. These might just be the first patches I've ever submitted... someone should probably test them.
Yep, I missed the part about extended perms being a TODO item (not even sure where that function is found).
Is it possible to mimic a click on the Connect button, so that extended permissions are requested that way?
With regards to where to send the user if they skip the authorization, in my case just sending them to the anonymous user's page (as defined in the settings) is fine. Or I suppose a new field could be added to specify exactly what page to redirect to.
Comment #16
Dave Cohen commentedPatches are always appreciated, and more likely to push an issue forward than any amount of comments. You can make a single patch with changes to multiple files, so try to make just one patch file next time.
I like the idea that if they skip authorization they go to the page designated for anonymous users. But as the patch stands, even that page would prompt them to authorize the app. Some code needs to be in place to not require authorization on that page.
Finally for the patch to be perfect it would update comments (ie remove TODOs where applicable) and delete that
if (FALSE)check, rather than change it toif (TRUE)Comment #17
WildBill commentedNot being a serious programmer, my method of creating patches is kinda gimpy. I don't know how to patch two files in one patch. Can I just create two and then copy/paste them together into one?
I was thinking again about the logic of sending users who skip authorization to the anonymous page. If the creator of the app has determined that authorization is absolutely required to use the app at all, then it doesn't really seem to make sense to send them to a page suitable for anonymous users. In this case, there isn't likely any page that would be suitable for anonymous users. I suppose you could send them to a page saying "Sorry, this app requires that you authorize it before you use it." or something like that. What used to be the behavior on Facebook when you didn't authorize an app straightaway?
Comment #18
Dave Cohen commentedIf I recall correctly, there was no skip button. Maybe it showed a page provided by facebook, I can't remember for sure. Its a bad idea to have no page at all that an un-authorized user can visit. I can understand why facebook changed the feature.
Comment #19
vlad.k commentedsubscribing
Comment #20
webadpro commentedIs there a way to make the fb_require_authorization() as a popup dialog?
Comment #21
Dave Cohen commentedAFAIK, since canvas pages became iframe instead of FBML, there is no way to do that. I'd be happy to hear if I am wrong about that.
Comment #22
webadpro commentedAlright, but when trying to assign permissions, after a user clicks on Allow the page goes into infinite loop. Anyone knows why?
Comment #23
WildBill commentedWhat does your code look like?
Comment #24
notluap commentedI applied WildBill's patches to RC14 and it is working nicely (minus extended permissions).
Like WildBill, only authenticated users will be using my apps so having them have to go through the Connect pop-up window process was just another chance they would not install it.
If the user chooses to Leave App on the authorization page, it brings them back to their timeline.
Would love if this was committed to D4F!