I'm trying to access basic information from a FRIEND page via FQL:
SELECT name, status, locale FROM user WHERE uid = 11111111
I can get the name and locale, but I can't see their status. If I go to their page, I can see their status, so I should have access to it via the FQL api too, shouldn't I?
Or, do I have to request every user for user_status (or friends_status?) when next they visit the page? This is definitely my stumbling block.
thanks.
To see what permissions you have for your access token, lint it at https://developers.facebook.com/tools/lint.
To see a friend's status, the user will need to grant friends_status per https://developers.facebook.com/docs/reference/api/permissions.
If you find that you don't have those permissions for that user, send them to FB.login() with the scope parameter set to the permissions you require.
Related
I am trying to create web-forum with user authentication, using Github and Google. I've already managed to get user information with access token, like login, email and etc. But I don't get the workflow for authenticating this user in my database.
In order for user to register, he need to provide email, login and password. All the examples and tutorials I saw, was stopping at the sessions and that's it.
My website has database with posts and comments, and to fetch, for example, user's created posts, I need to get the user id, then I will lookup in the database. I thought, maybe, I can use access token as a password, since it's unique, but it always changes and has an expiration date. Then I thought, to left the password input empty and register user without it, but I think, that's not very secure. How should I do it?
Is it possible to add additional info to a Google user, during creation, on a Google Domain?
We have a range of users, that we identify by their email ("username#domain.com"). Some of the users gets to pick a new email, like with their initials, instead of the autogenerated username.
This causes a issue, since we are using a webservice (that we have no controll over), this webservice provides only the users real name, and then their autogenerated username, but not "custom" email with for example the users initials.
So when the user from google comes with his login info, I cant match that user with the userdata from the webservice.
If it was possible to attach the autogenerated username to the google user, it could be matched that way. But i havent been able to find anything about adding custom info like this, to a Google Domain user.
We solved this issue, by adding an alternative email with the autogenerated username + google domain on creation of the Google user.
We then checked the email of the user trying to log in, and if it didnt match, we then checked his alternative email for matches.
Hi I am working on a web2py project.
I use auth object to create login feature
And using the following code
auth.settings.extra_fields['auth_user']= [Field('address')]
So whenever, an user sign up for an account, the person need to put address.
What I would like to do is display the address in default/index.html when the user login to my application.(the user can view his own address only, not the others)
Do I need to deal with db.auth_user??
I have no clue...
Can you help me?
Thank you.
If the user is logged in, the entire user record is available in auth.user (which will have a value of None if the user is not logged in). So, to display the address in a view:
{{=auth.user.address}}
You could also retrieve the user record from the database via db.auth_user(id) or db(db.auth_user.id == id).select().first(), but using auth.user is more efficient, as it is stored in the session and therefore does not require a database query.
I have been doing some research about authentication and authorization on web api. I understand authentication (username/password) and ROLE based authorization, but what I'm confused about is authorization on data.
Say you have a user (user id 1) who is authenticated, an admin, and is associated to company ABC. I have other users associated to ABC which user id 1 can update. Now I want to update user id 2's name who is associated to ABC (which I should have access too). I need to pass in something to identify user 2, ie put /user/2 plus post data. I know on the server side that user 1 is allowed to update user 2 because he is authenticated and an admin.
Now I have user 100 who is associated to company XYZ. User 100 should not be able to update user 2. This is what I'm having a hard time finding information on.
What are some approaches/blogs/anything that can give some helpful ideas on how to prevent user 100 from accessing data outside it's company.
My thoughts are I could pass in the logged in users id (which I grab server side based on authentication) into the update stored procedure and do a check to make sure that user id is associated to the user being updated. To me this seems tedious and ugly in that every stored procedure needs a user id parameter and a check to make sure they can access the data they are accessing (maybe this is correct).
I know how to authenticate and how to check role based authorization, the missing part is resource based authorization.
Thanks for the help.
Does anyone have any insight. Its hard to believe that Role based Authorization is sufficient.
use the concept of authz where a user is prevented to see the details of other users
In Facebook API:
"When a user allows you to access their basic information in an auth dialog, you have access to their user id, name, ...
To get access to any additional information about the user or their friends you need to ask for specific permissions from the user."
So basically Facebook allows for use of the API with restricted permissions by default, and then it specifically asks for all sorts of permissions you might use.
In Twitter when the user is redirected to the twitter popup on "account/verify_credentials" the popup shows:
"This application will be able to:
Read Tweets from your timeline.
See who you follow, and follow new people.
Update your profile.
Post Tweets for you."
It is basically giving me permissions that I don't need right off the bat and it might drive the user away from giving me such permissions (I wouldn't blame them)
Is there a way to get restricted permission (such as user info, and that's about it) thus show less items the user is allowing me to do in the popup ?
Sign into https://dev.twitter.com/apps, select the application, and switch access to read only on the settings tab. This will remove the Update your profile and Post Tweets for you permissions. The first two permissions are always present with Twitter OAuth.