

Finally found: best way to discover granted Facebook app permissions - kineticac
http://artchang.com/best-way-to-discover-granted-facebook-app-per

======
Cherian_Abraham
Great job guys. As we are building our core app, this is something that we
have been committed to do, from day one. I am real glad that we have some
precedent now to follow. We believe that an app should ask for the least
amount of profile data as possible to do what it needs to do. And if that
changes as the app grows, then it should request additional permission as
it's defined in a granular manner. Offline Access is a bad idea especially when
99% of apps are those you play with for two days and never ever use again.

Once again, thank you. We look forward to doing the same and giving our users
control of their privacy and their data.

------
ashot
Why not just store the permissions granted on your end as you get them? Why do
you need to ask Facebook?

~~~
kineticac
Good question. There's a few things going on here. If a brand new user comes
and you store his initial permissions and also set up the web hook to get
updates on user permission changes (such as if she removes offline_access from
facebook.com/settings/?tab=applications) then you can just query your backend
(which would store this somewhere). Then you won't ever have to do this.

What if, for example, this is a pure client-side application that doesn't
store anything in a backend database? Every time a user comes to your site, you
can check to see if local storage has anything, sure, but if they're on a new
computer or have cleared their storage, you're in the dark.

~~~
kineticac
Oh, an edge case: If Facebook doesn't call your web hook to update your db on
the newest permissions before a user revisits your site, you may have some bad
consequences.

Another edge case: say you have millions of users, only 1000 regularly visit
the site. You would have webhooks for a million users updating your backend,
rather than just confirming permissions with Facebook whenever they arrive at
your site. The hop to Facebook is probably just as fast, if not faster, than
checking in with your own backend. Let Facebook take the brunt of the traffic
;)

------
kineticac
Feedback appreciated from Facebook API hackers!

~~~
bkaid
As a Facebook hacker, I'd be interested in seeing what the instructional
popups you made look like.

I think asking for the bare minimum as you need it is absolutely the way to go
as tons of people bounce out of apps that need all kinds of permissions before
they get to even see the app. I get sick of seeing apps that want offline
publish access before I even know what the app is because the developers are
lazy and just request all permissions available.

~~~
kineticac
I'll definitely be able to show you soon. We're finishing up a few final
touches on our beta, but sign up now and we'll send you a beta invite asap! We
should be ready on Monday. <http://feedtopic.com> has a signup on the beta
roadblock.

In the meantime, I can give you a quick description of what we have going on:
each link that requires an extra permission not asked up front has a listener
that will check what permissions are available. If it's missing a permission,
we actually trigger a Facebox (from @defunkt's facebook lib). The Facebox
defaults are really clean. Light overlay, slight shadow, nothing fancy. We put
in different messages for different actions, one for example: "Yes you can
like someone's post from FeedTopic! We need a new permission from Facebook to
do this for you. Click the 'Add Permission' button to bring up Facebook's
Permissions page". We have a button that looks SUPER clickable, like if you
didn't click it you'd feel horrible because it has nice CSS gradients and
looks like it's 3D. Underneath we have a message that says: "We won't publish
anything without your direct permission to any part of Facebook, promise".
Once you click the button, it will show you the FB permission prompt. Yes,
it's multiple steps, but it's clean and makes people feel really confident.
BTW, liking something on FeedTopic is probably the last thing people are going
to the site for ;) It's just a small piece of info I can give away for now
before the launch.
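
Added example, not part of the thread and not FeedTopic's code: a sketch of the per-action permission gate described above, which confirms grants with the provider on each call instead of trusting a stored copy and prompts only for what the action lacks. `ACTION_SCOPES`, `missingFor`, `createGate`, `fakeProvider`, the callbacks `fetchGranted` and `promptFor`, and the permission name `publish_example` are all hypothetical; only `offline_access` comes from the thread.

```javascript
// Constructed map of actions to the permissions each one needs.
const ACTION_SCOPES = {
  read_feed: [],
  like_post: ['publish_example'],       // constructed permission name
  background_sync: ['offline_access'],
};

// Pure check: which required permissions are absent from `granted`?
function missingFor(actionName, granted) {
  const required = ACTION_SCOPES[actionName];
  if (!required) throw new Error(`unknown action: ${actionName}`);
  const have = new Set(granted);
  return required.filter((p) => !have.has(p));
}

// fetchGranted() and promptFor(perms) are hypothetical async callbacks that
// the caller wires to the provider's SDK.
function createGate({ fetchGranted, promptFor }) {
  return async function guard(actionName, action) {
    // Ask the provider every time: a stored grant may have been revoked
    // from the provider's settings page since the last visit.
    let missing = missingFor(actionName, await fetchGranted());
    if (missing.length > 0) {
      await promptFor(missing);         // request only what this action lacks
      // Re-read rather than trust the prompt: the user may have declined.
      missing = missingFor(actionName, await fetchGranted());
      if (missing.length > 0) return { ok: false, missing };
    }
    return { ok: true, result: await action() };
  };
}

// Constructed in-memory stand-in for the provider, for running offline.
function fakeProvider(initial, { declines = [] } = {}) {
  const grants = new Set(initial);
  const prompts = [];
  return {
    grants,
    prompts,
    fetchGranted: async () => [...grants],
    promptFor: async (perms) => {
      prompts.push(perms);
      perms.filter((p) => !declines.includes(p)).forEach((p) => grants.add(p));
    },
  };
}
```
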

