In my facebook developer app's upgrade tool, I'm told to do these
In my code however, I'm only using these after the user allow access in facebook :
https://graph.facebook.com/oauth/access_token
and
https://graph.facebook.com/me?fields=id,email,name&access_token=strToken
The setting for "Enforce app restrictions on API calls" is set to "No"
so my question is, is the alert safe to ignore ? I'm utterly confused
The alert is saying 'if your app has geographic restrictions, these changes in v2.10 will affect you' - it's based on a sample of your app's API calls, and comparing those calls to which calls have upcoming changes
If you don't actually have restrictions in place, you can ignore this alert.
Note that the second screenshot you added isn't showing if you have geographic restrictions enabled, it's showing if you're already enabled the behaviour that the first alert is warning you about.
You can see if you have geographic restrictions enabled in the app settings, Advanced tab, screenshot:
If you do have restrictions configured, you'll need to either start making your API calls with an appsecret_proof parameter, or accept that for some users, your calls will stop working if the user doesn't meet the configured restrictions
Related
I've built a CRM webapp with Django for a specific lead heavy industry. It's working for both gmail and outlook users. Through MsGraph and Google API, the user is able to give authorization via Oath2 to the app to access their inboxes. The app then grabs and parses emails from various sources.
Each lead source always sends the lead emails with same subject. This makes the lead emails easy to identify from the users inbox. Unfortunately, the subject of EVERY email that comes in has to be searched to find the desired lead emails. Unfortunately, Identifying by sender isn't an option, and wouldn't change the issue. Each email would still have to be searched.
I have a couple of colleagues beta testing right now.
As I think about taking on new users that may be outside of my colleagues, I am starting to think the webapps unrestricted access to a user's inbox via the available scopes isn't the best approach for trying to attract new users. I would be suspicious of any 3rd party program wanting to access all of my emails, even if just searching for specific emails.
I use Google's watch() and MsGraphs subscriptions to do this while the user is offline. It doesn't appear that Google or Microsoft allow for any kind of message change filter based on what's in the subject line.
Are there any methods that I have not been able to find in either Google API or MsGraph documentation that would limit access to only the emails that meet the subject search criteria?
Would this even pass either of their security checks to get 'Published Status.'
Reading through the Google docs, it looks like you can set authorization scopes that limit access to just labels and basic settings. This should allow you to filter messages by subject and apply labels to those filters.
Of course, the subject filtering doesn't have anything to do with authorization. But fine tuning the authorization is better than allowing write access to an entire mailbox.
I would say in general, the more open the permissions are, the less likely you are to get approved. Google wants you to only have access to what you need to achieve the product's purpose, nothing more.
https://developers.google.com/gmail/api/auth/scopes
There definitely isn't a way to set custom permissions based on subject. In fact, I don't know many APIs in general that allow you to define custom permissions that granularly.
That said, it doesn't seem like you even need read access to message headers, let alone message body content, to achieve what you want to do in Gmail.
I assume Microsoft has similar scoping, but I'm not sure.
I would like to know how to proceed with the review process when I already have a scope that has been approved but would like to add another scope that requires approval.
My application offers the ability to send Gmail, and I have decided to offer the ability to add additional drafts.
Therefore, gmail.compose needs to be added to the scope in addition to gmail.send, which has already been added and approved.
In this case, I assume we will need to review the scope of gmail.compose, but will the consent screen be restricted during the review process?
We fear that if restrictions are imposed, customers who already use the Gmail sending feature will be affected.
Please let me know if you know how to complete the screening response without impacting the project.
I have a very specific question about G. Analytics and the GDPR law.
I've read many topics about this, but answers are sometimes contradictory. I would love to have an answer from a G.A. expert or a lawyer.
The GDPR law indicates that we must obtain the user consent before data treatment ; so for me, it would suggest that we must deactivate G.A. tracking as long as user doesn't optin to that treatment.
If I do so : I refresh the page when user has optin, so the data collection can begin ; Problem doing that : we loose the referrer param (since we do a JS refresh, this param is lost : referrer will be the current page)
Others questions :
If I activated IP anonymisation on G.A. : Must I obtain the user consent or can I send the datas by default (and offer the possibility to user for opt-out) ? (many websites seems to have this process, but it seems contradictory with the user-consent obligation...) but this topic suggest to proceed like this.
Regarding cookie law : Is it allowed to store in cookies the user client-id (that G.A. uses) without the user consent ? If not, how to workaround this limitation, and use G.A. without allowing it to set cookies ?
Is there a way to store user activity without sending it to G.A, and when user opt-in -> send all that datas ?
Many thanks in advance !
Disclaimer: Not a lawyer
There are some cookies that can be set without consent (e.g. for security purposes, or perhaps even a preference for cookies). These are generally meant for essential purposes only and not for analytics, functional, or performance purposes.
However, if referrals are a critical part of how your website functions (say for example process discounts if it came from a certain link), it might be considered essential. The lines are bit blurry on what can be considered 'essential', and indeed 'legitimate interest' for non-essential functions.
If you visit websites and look in dev tools, cookies are there immediately even for websites that are showing a cookie consent banner.
-- As for non-cookie technical ways --
I do have a related question that is open to answers on whether non-cookie based tracking technologies fall into the scope of consent - you could potentially send information to the server-side.
You might also use a front-end framework to construct a Single Page Application (although you might not have the option in a company), so that the page is not actually reloaded on a consent click. The consent form can simply trigger a script to run / change a state variable so that information that were stored in JS as variables can now be written into cookies.
first time on stackoverflow. Was wondering about this problem I am having as mentioned in the title, my application cannot retrieve any data via the API for any profiles that are non-related in anyway (no mutual friends either). Is this a known thing due to privacy settings or permissions?
Thanks!
This is the rules you have to know, for example 100007110730790 is a non-friend id:
Rule 1. If the user turn platform Off:
Facebook API wouldn't work at all:
Rule 2. If the platform is ON and user 100007110730790 does not provide user_status permission for your app, you can get the feed with have tagged with you:
Updates:
if you are using your apps(not graph API explorer default app, this app wouldn't include activity feed!), you can also get public activity feed(add life event, change language, so on, even though he/she doesn't use the app at all!):
Update 10 jan 2014:
shared_story is included on this rule.
Rule 3. If the platform is ON and user 100007110730790 does provide user_status permission for your app, you can get the status feed even though non-friend!:
And using FQL:
So, for albums/photos is the same, the non friend need to grant user_photos permission to the same APP.
Yes, I guess. In any ways you shouldn't be able to retrieve something that is not normally visible to you. Looking aroudn Stackoverflow there are multiple threads with similar queries, so it seems like a known limitation.
Whenever I go to create the code for the like box/button to place on our website/advertisements I get an error message. Is this a fb issue or operator error issue?
I was able to generate a like button just fine and it functioned perfectly. Make sure you're using their social plugin service at: http://developers.facebook.com/docs/reference/plugins/like/
Also if your website doesn't have XFBML enabled make sure you un-check the Send Button option.
A Like plugin should be able to be used with any valid URL.
It may be misconfigured if it's not working for you.
However, regardless of any technical issues you're having, this is expressly against Facebook policy (see https://developers.facebook.com/policy/ )
IV.4.a Your advertisements must not include or be paired with any Platform
integrations, including social plugins such as the Like button,
without our written permission.
and
IV.4.e Ad networks, ad exchanges, and data brokers must not use Facebook’s Platform,
logos, and trademarks (including, but not limited to, Platform APIs, social
plugins, the Share button, and the F logo).