XF 1.1 How is Facebook publish_stream permission "Post to Facebook as me" used?

[Thelo]

I've noticed that when using the Facebook integration login, Xenforo requests the publish_stream Facebook permission (Facebook.php, function getFacebookRequestUrl), which is shown to the user as a request to "Post to Facebook as me: ForumName may post status messages, notes, photos, and videos on my behalf" when they first log in.

Since requesting this permission looks scary to many spam-wary users, I'd like to know why Xenforo requests this permission, what exactly it does with it, and if there is a safe way to avoid requesting it. According to Facebook (and common sense), there is a strong inverse correlation between the number of permissions requested and the number of people willing to accept them, so if it's not actually useful, I'd like to avoid it.

The current Xenforo Facebook permission requests are: "email,publish_stream,user_birthday,user_status,user_website,user_location"

Facebook has this to say on publish_stream:

publish_stream:

Enables your app to post content, comments, and likes to a user's stream and to the streams of the user's friends. With this permission, you can publish content to a user's feed at any time, without requiring offline_access. However, please note that Facebook recommends a user-initiated sharing model.

Edit: In particular, it doesn't look like publish_stream is necessary for either the Like feature or for logging in through Facebook, so I'm pretty puzzled as to what exactly it does for Xenforo...

 

[Mike]

It is not used currently, but there would be plans to allow users to push threads they create back to FB, etc.

 

[Thelo]

Alright, in that case I'll edit it out for my own copy of Xenforo, to simplify the FB login flow and make it look less scary for newcomers.

Thanks for the fast answer!

 

[digitalpoint]

If you edit it out for now, you might run into issues down the road when those features are used in XenForo and you now have users that have linked their Facebook account without the necessary permissions (of course wouldn't matter if you didn't use those functions in the future)... just something to think about.

 

[Thelo]

If I understand correctly how Facebook permissions work, if you end up needing some permission later, you can just request it at the time where you actually use it - and Facebook will popup a permission request to those users who haven't granted it yet. So I'm willing to ask for that additional permission later when / if it turns out we need it.

 

[digitalpoint]

If I understand correctly how Facebook permissions work, if you end up needing some permission later, you can just request it at the time where you actually use it - and Facebook will popup a permission request to those users who haven't granted it yet. So I'm willing to ask for that additional permission later when / if it turns out we need it.

Yep... but the mechanism to request additional permissions is probably going to be something you are going to have to code yourself... since XenForo by default already asked for the necessary permissions, I suspect there's not going to be a mechanism to request additional permissions. Of course I could be wrong... but that's how *I* would build it as a developer. Adding additional code/extra step to take into account installations that went in and changed how things work... probably wouldn't be something I would bother with.

Plus the fact that XenForo is already proactively requesting permissions for something they already know they are going to use in the future is an additional hint that there isn't going to be a built-in "request more permissions" mechanism.

 

[Thelo]

Just as a followup, I ended up having to add a new Facebook permission (friends_online_presence) to the list, and the process was very smooth: I simply added it to the permissions string in Facebook.php, and now the next time a Facebook-enabled user logs to the forum, Facebook automatically detects the new permission request and prompts for it once. Once the permission is granted, it stays granted.

So in the end, I didn't really have to code anything to add a new permission, and our users were minimally impacted. This means that it's pretty safe to remove the publish_stream permission request, even if it's actually used later on.

 

[tmac]

Thelo - could you share how you removed the publish_stream permission request? I'd like to do the same. Thanks!

 

[Thelo]

Thelo - could you share how you removed the publish_stream permission request? I'd like to do the same. Thanks!

The file /library/XenForo/Helper/Facebook.php has this line in it:

$perms = 'email,publish_stream,user_birthday,user_status,user_website,user_location';

Just remove ",publish_stream" from that string and you're good to go.

 

[tmac]

Thanks!

 

[digitalpoint]

Total side note, but I built something to give users the ability (only if they want) to publish certain things to their Facebook wall/stream, so it came in quite handy having the publish_stream permission already enabled.

 

[DRE]

Total side note, but I built something to give users the ability (only if they want) to publish certain things to their Facebook wall/stream, so it came in quite handy having the publish_stream permission already enabled.

Yeah I saw that when I was on your site last week. I'm getting the same thing (status wise) for my own site as well. http://xenforo.com/community/thread...-to-facebook-status-and-twitter-status.35907/

 

[fattony69]

Total side note, but I built something to give users the ability (only if they want) to publish certain things to their Facebook wall/stream, so it came in quite handy having the publish_stream permission already enabled.

I know you don't share many of your addons (and for good reason like you've stated in past posts), but this would be a good one to release.

 

[Chris D]

I know you don't share many of your addons (and for good reason like you've stated in past posts), but this would be a good one to release.

I've already released the Social Status Updater which does the post to Facebook (and Tweets to Twitter) when you change your Status.

Obviously digitalpoint's one has some extra features

 

[digitalpoint]

I know you don't share many of your addons (and for good reason like you've stated in past posts), but this would be a good one to release.

There is an addon that already does it somewhere (oops, looks like Chris Deeming already posted it).

The problem with my setup with the ability to post stuff to Facebook, is the Facebook stuff is just 1 of 6 third party accounts you can link, and the 5 other account types each do something specific to Digital Point for the user. For example people can link their Google Analytics account for various things as shown here: http://adminextra.com/threads/lack-of-development.5780/page-30#post-51534

So making the Facebook thing I did as an addon just doesn't make much sense because it's a *tiny* part of a much bigger addon that does all sorts of crazy things that are specific to Digital Point.