Let's assume the following situation for a canvas app:
i) day 1:
- Facebook app is created which needs read_stream,publish_stream,offline_access permissions. When a user comes to the app for the first time, the authorize call redirects the user to a permission ALLOW / DENY screen, and when the user allows it redirects the user back to the canvas url.
The canvas url has access_token in a signed request in its request parameters, which can then be used to run the app.
No permission dialog is needed for the same user coming to the app next time, as signed_request contains access_token if the user had authorized the app in the past.
The code looks like:
    if (access_token received from signed request) {
        // do something with user information
    } else {
        // redirect user for authorization flow
    }
ii) day 2:
- Now, let's say I want to add one more permission to my list, user_birthday:
read_stream,publish_stream,offline_access,user_birthday
Now the following logic will have problems:
    if (access_token received from signed request) {
        // do something with user information <-- the access_token does not have the new permission
    } else {
        // redirect user for authorization flow
    }
How can this additional permission be tackled efficiently, as API calls affect the performance of the app? I would not want to use something like:
https://graph.facebook.com/me/permissions?access_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
every time the application loads to check the permissions related to the token.
UPDATE:
Sharing a good method: Store the permission set along with the access_token with which it was received. E.g. if current permissions are "basic_details-birthday-publish" (let's call it 1), store the access_token and permission set as
    user   | access_token | perm_set
    Dhruv  | sdfsdfsdf    | 1
Now, in your settings, whenever you need to ask for a new permission, create a new permission set "basic_details-birthday-publish-checkins" (let's call it 2),
then you need to show the permissions dialog only for users who have an access token with perm_set = 1 and not for users who already have perm_set = 2. This will get rid of the need to check the access_token of each user with the "/me/permissions" api.
An implementation suggestion.
Store the permission set along with the access_token with which it was received. E.g. if current permissions are "basic_details-birthday-publish" (let's call it 1), store the access_token and permission set as
Now, in your settings, whenever you need to ask for a new permission, create a new permission set "basic_details-birthday-publish-checkins" (let's call it 2),
then you need to show the permissions dialog only for users who have an access token with perm_set = 1 and not for users who already have perm_set = 2. This will get rid of the need to check the access_token of each user with the "/me/permissions" api.
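The following is an added example (not code from the question or the answer) that puts the two pieces together: the question's "token present in signed_request?" branch and the answer's versioned perm_set lookup. It verifies the signed_request signature before trusting the token it carries, since an unverified token would let anyone claim any user_id, and then decides whether to show the permission dialog by comparing the stored perm_set id with the current one instead of calling /me/permissions on every load. The app secret, the user store, the perm_set ids and the sample payloads are all constructed for the example; the payload field names (algorithm, user_id, oauth_token) and the HMAC-SHA256-over-base64url format follow the platform's documented signed_request layout but are treated here as assumptions.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical app secret; a real app loads its own from configuration.
APP_SECRET = b"example-app-secret-not-real"

# Versioned permission sets (constructed; ids mirror the "1" and "2" of the answer).
# A higher id must be a superset of every lower one, so "does this user need the
# dialog?" reduces to an integer comparison instead of a /me/permissions call.
PERM_SETS = {
    1: "read_stream,publish_stream,offline_access",
    2: "read_stream,publish_stream,offline_access,user_birthday",
}
CURRENT_PERM_SET = 2

# Constructed per-user store: user_id -> (access_token, perm_set id it was issued for)
TOKEN_STORE = {
    "1001": ("token-issued-on-day-1", 1),  # authorized before user_birthday was added
    "1002": ("token-issued-on-day-2", 2),  # already accepted the current set
}


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def parse_signed_request(signed_request, app_secret=APP_SECRET):
    """Return the payload dict if the HMAC-SHA256 signature verifies, else None.
    Layout assumed: base64url(signature) + "." + base64url(json payload),
    with the signature computed over the base64url payload string."""
    if "." not in signed_request:
        return None
    sig_b64, payload_b64 = signed_request.split(".", 1)
    try:
        provided = _b64url_decode(sig_b64)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    expected = hmac.new(app_secret, payload_b64.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(provided, expected):
        return None
    payload = json.loads(_b64url_decode(payload_b64))
    if str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None
    return payload


def make_signed_request(payload, app_secret=APP_SECRET):
    """Build a signed_request the way the platform would; used only to construct samples."""
    payload_b64 = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(app_secret, payload_b64.encode(), hashlib.sha256).digest()
    return _b64url_encode(sig) + "." + payload_b64


def decide(signed_request, store=TOKEN_STORE, current=CURRENT_PERM_SET):
    """Map an incoming canvas request to one of three actions:
    'authorize'   - no verified token: run the first-time authorization flow
    'reauthorize' - token known, but issued for an older perm_set: show the dialog once
    'run'         - token issued for the current perm_set: serve the app directly"""
    payload = parse_signed_request(signed_request)
    if not payload or "oauth_token" not in payload or "user_id" not in payload:
        return "authorize"
    entry = store.get(str(payload["user_id"]))
    if entry is None:
        # Token present, but we never recorded which set it was granted for:
        # one dialog now is cheaper than trusting an unknown scope.
        return "reauthorize"
    _token, perm_set = entry
    return "run" if perm_set >= current else "reauthorize"


def scope_for(perm_set=CURRENT_PERM_SET):
    """Scope string to request in the dialog for a given perm_set id."""
    return PERM_SETS[perm_set]


def record_authorization(user_id, access_token, perm_set=CURRENT_PERM_SET, store=TOKEN_STORE):
    """Called after the user accepts the dialog: the token is stored with the set it was granted for."""
    store[str(user_id)] = (access_token, perm_set)
    return store[str(user_id)]


if __name__ == "__main__":
    # Constructed sample requests for a day-1 user and a day-2 user.
    day1 = make_signed_request({"algorithm": "HMAC-SHA256", "user_id": "1001", "oauth_token": "t1"})
    day2 = make_signed_request({"algorithm": "HMAC-SHA256", "user_id": "1002", "oauth_token": "t2"})
    print("1001 ->", decide(day1), "(request scope:", scope_for() + ")")
    print("1002 ->", decide(day2))
```

When a user comes back from the dialog with the new scope, record_authorization stores the fresh token under the current perm_set id, so the next request takes the "run" path without any Graph API round trip. Adding a third permission later means adding perm_set 3 and bumping CURRENT_PERM_SET; every user at 1 or 2 is routed to the dialog exactly once.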