I created a messenger application for my clients. I need to get the scope "pages_manage_metadata" to be able to set webhook for their pages.
But test user can only get these scopes
https://i.stack.imgur.com/UG6r1.png
I cannot test my application on a test user and his page because the incoming messages are not working. I can not send an approval request and write how to use my application
Please tell me how to implement this function
Test users don’t work well for stuff that is related to pages. They can not interact with any “real” pages, only pages created by the test user account itself.
Use a real user account, that you add to a role in your app (admin/developer/tester; note that “tester” and “test user” are two different things), and use that account for your testing during development. If you don’t want to interfere with any live pages that user might be an admin of, then create a new page for your testing purposes first.
Related
I have a workspace in which I have many applications based on the same schema.
Every applications has his own login page at the moment.
I want to build another application responsible for the login of all the other applications.
The login will redirect the user to a main page that will show the links to the different modules (applications) based on the user type.
Note that only the ADMIN user can see the links to all the applications.
Different types of user will see only the links to the apps that they are authorized to access.
I read other related posts, I know I have to change the cookie name for all the app I want to share the authentication.
But my question is:
If I login successfully with a user different from the ADMIN, I am still able to access all the applications via URL, even if their link is not visible in my main page.
How can I prevent this?
Check out the use of authorisation schemes (see under Shared Components).
If you had an authorisation scheme per application you check on each page so that if the current user was authorised that application. Don't forget that each authorisation scheme would also allow users who have ADMIN access.
Hope this helps.
Just had another thought. Check out this post http://www.explorer-development.uk.com/securing-vulnerability-exploits-apex-part-2/ by Craig Sykes.
Activating Session State Protection and using Checksums would prevent a number of issues for you.
I have an application allowing users to sign in using their Facebook and Twitter accounts. I only need a very basic information like their email address and full name. Everything works fine and as planned.
Accounts.ui.config({
requestPermissions: {
facebook: ['email'],
github: ['user:email']
}
});
But, now I need to implement a feature posting to a Facebook page and Twitter on behalf of the admin users only. So, I need to get additional permissions from specific users only.
Admin users are eligible to manage our page at Facebook. The app needs to request additional permissions to be able to post to the page. I wan't to keep those basic permissions for regular users.
How can I accomplish that?
One way you can do is,
If you know that logged in user is Admin, put the re-authenticate button in user-dashboard (or somewhere which makes sense) that will do authentication user of user for whatever permissions as required by application.
This will basically do, oauth with social service like usual and upon completion you will get aceess code and against this code get the re-newed access token from social service. (This is normal , how you basically do the oauth manually) Now, use this access token to post to social services.
For this, you will need to use node modules such as for facebook -fb_graph , for twitter- twiiter
Hope this helps
I'm currently toying with the Facebook Graph Api and have been able to get some interesting results, I would like to be able to post to one of my Facebook App users pages. They have authenticated the app and confirmed the ability for my app to be able to post on there wall. I know there is the can_post check using FQL, but I haven't seen any information on this using the Graph API. Is there a possible check to make so I can see if I have the ability to post on there wall?
can_post
https://developers.facebook.com/docs/reference/fql/user/
This settings is actually a setting of the timeline:
This setting only affects the viewers of the specific timeline and does not apply to the owner of the timeline.
can_post - bool - Whether or not the viewer can post to the user's Wall
Beyond this settings, by authenticating an application and giving it certain publishing permissions, the application, using it's per-user per-app access token will be able to perform actions on behalf the actual user. Actions will be attributed to the user even though it is the application that initiated and published these stories.
To answer what I assume is your underlying question - your application, given the appropriate permissions, will always be able able to publish a story to the users timeline. The act of giving an application any permissions is the same as allowing the application to act as you and access everything you would be able to access. This includes posting a story to your own timeline (even if no other user would be able to).
Is it possible to ban users from using a Facebook application?
I'm not talking about the canvas or the discussions board (which is what I've found by looking around), but the application itself, that is, causing errors or preventing actions whenever the user tries to use the Graph API (in my specific case, an Android app that uses the Graph API to provide some features).
The scenario I'm envisaging is something like this:
user authenticates app to use its features and gets the access_token;
user uses the Graph API according to the app permissions;
user someday does something he shouldn't;
user is banned and, even if the access_token is still valid, Graph API requests fail, and will always fail even when deauthorizing and authorizing the app again.
Is this possible using the Graph API or the developers app console on Facebook, right now, or is there really no way to prevent users from misusing your application? I guess I may do something "out of band" to enforce this somehow, but being able to do it at the Facebook level as well would be much more effective and harder to circumvent.
See https://developers.facebook.com/docs/reference/api/application/
Use the 'banned' connection of the Application object to ban specific users from your App - you'll need the App access token to do this
Just create a blacklist of specific Facebook User IDs, and check the user's ID against the blacklist when they log into your app.
If the blacklist matches, show a message telling them that they are banned and don't allow access to any functionality.
I am creating a Facebook App. I would like to test this as real - or real-looking - test users.
How do I do this?
I know that it is possible to create test users via the code, but I have not seen examples of this using Python/Django. I'm also not really sure how to use these test users: can I log in with them for real via Facebook or what?
I would also like for me and a few friends to be able to add the App and test it, but without it being listed in the App Directory (I don't want anyone to stumble across it before it is ready). Is this possible?
Facebook provides an Open Graph API to create test users.
You can view the documentation here:
https://developers.facebook.com/docs/test_users/
How to create a test user (Your first question):
Get an app access token
https://graph.facebook.com/oauth/access_token?
client_id=YOUR_APP_ID&client_secret=YOUR_APP_SECRET&
grant_type=client_credentials
Or use the graph explorer https://developers.facebook.com/tools/explorer/
Or the access token tool: https://developers.facebook.com/tools/access_token/
Create the test user
https://graph.facebook.com/YOUR_APP_ID/accounts/test-users?installed=true&name=YOUR_DESIRED_TEST_USERNAME&permissions=DESIRED_PERMISSIONS_LIST&method=post&access_token=YOUR_APP_ACCESS_TOKEN
Or use the GUI manager for test users on the Open Graph section of your App management dashboard
https://developers.facebook.com/apps/YOUR_APP_ID/permissions
Choose "Add" under Test Users
1) Once you create the test users FB gives you a link you can use to log in, customize profiles and add photos, etc.
2) You can take a look at this CLI written in Python:
https://github.com/kcbanner/facebook-test-users
3) I am not sure, but I think you have a choice of whether to list or not list the facebook app in the directory. You can also limit access to certain users within your code by only allowing certain facebook ids access.