Now that we know there may be slight differences between developing apps on Facebook and integrating a website with Facebook via the PHP SDK, let's discuss how to request extended permissions from our apps.

 

Background Information

It is very likely that a Facebook app will access information related to the user's Facebook account (e.g. friends list, personal information, photo albums). In Facebook, our app can do this only if the necessary permission has been granted beforehand (i.e. the user has allowed us to do so).

With the old PHP client library, the authentication and authorization check can be done simply by calling require_login(), with the required permission as an optional parameter.

Please refer to the article "Walkthrough on our 1st FB App Part 3 - Code Walkthrough" to get a basic understanding of this.


How to Request Permission for App using PHP SDK?

When using the PHP SDK to develop an app on Facebook (let's call it a "PHP SDK app"), the situation is a little more complex but still easy to understand.

Cheers!!

As an exercise, you can try to further migrate "Our 1st FB App (PHP SDK)" by including this authentication and authorization checking.

 

Potential Issue

Frankly speaking, there is a potential problem in the above code!! (I just want to make sure you understand the whole picture.)

For "Our 1st FB App (PHP SDK)", we are requesting the "publish_stream" permission. However, this is only required for the "Publish Post onto my Wall" tab. I think it is reasonable for an application to request a permission only when it is actually required. For example, 99% of users will only access the basic features of an application, which require only the basic permission. The remaining 1% will access the advanced features, which require the extended permission.

So theoretically, we can request the "publish_stream" permission only on the "Publish Post onto my Wall" page and request the basic permission for the other pages. However, the above code will not work. This is because, with only the basic permission granted, our application can already access the "me" object via the Graph API when the user opens the "Publish Post onto my Wall" page. As a result, $fbme will not be null, and the application logic of the "Publish Post onto my Wall" page will be executed (and fail)!

To implement this, we can compare the permissions we already have against the permissions a page requires (instead of relying on the value of $fbme). However, this is more advanced and I won't discuss it here.
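One way to do that comparison, as an added example that is not code from the original article: each page declares the permissions it needs, and the check fails closed, treating any permission not explicitly granted as missing. The function names, the page keys and the sample data are hypothetical; the input is assumed to be the decoded result of a Graph API "/me/permissions" query, in either its older or its newer layout.

```php
<?php
// Added example, not from the original article.
// Assumption: $response is the decoded result of a Graph API "/me/permissions"
// query. Two layouts are handled:
//   older: data[0] maps permission name => 1
//   newer: data[] is a list of entries with "permission" and "status" keys

/** Return the names of the permissions the user has actually granted. */
function grantedPermissions(array $response): array
{
    $granted = array();
    $data = (isset($response['data']) && is_array($response['data'])) ? $response['data'] : array();
    foreach ($data as $entry) {
        if (!is_array($entry)) {
            continue; // malformed entry: grant nothing (fail closed)
        }
        if (isset($entry['permission'])) {
            // Newer layout: only count entries whose status is "granted".
            if (isset($entry['status']) && $entry['status'] === 'granted') {
                $granted[$entry['permission']] = true;
            }
        } else {
            // Older layout: permission name => 1
            foreach ($entry as $name => $flag) {
                if (is_scalar($flag) && $flag == 1) {
                    $granted[$name] = true;
                }
            }
        }
    }
    return array_keys($granted);
}

/** Return the required permissions that are NOT granted (empty array = OK). */
function missingPermissions(array $response, array $required): array
{
    return array_values(array_diff($required, grantedPermissions($response)));
}

// Hypothetical per-page requirements: only the wall-post page needs publish_stream.
$requiredByPage = array('home' => array(), 'publish_post' => array('publish_stream'));

// Constructed sample: a user who granted only the basic permission.
$sample = array('data' => array(array('installed' => 1)));

foreach ($requiredByPage as $page => $required) {
    $missing = missingPermissions($sample, $required);
    echo $page, ': ', $missing ? 'request ' . implode(',', $missing) : 'ok', PHP_EOL;
}
```

A page runs its logic only when missingPermissions() returns an empty array; otherwise it sends the user to the authorization dialog for just the missing permissions, so the extended permission is requested only from users who open that page.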