Asking for facebook permissions only when required -

i have following script works, i.e. goes facebook login page if user not logged in, , asks them if ok app post messages on wall:

<?php     require 'facebook.php';      $facebook = new facebook(array(         'appid'  => 'removed security reasons',         'secret' => 'removed security reasons',         'cookie' => true,     ));      $session = $facebook->getsession();      if ($session) {          if (isset($_get[id])) {              $post = $facebook->api("/" . $_get['id'] . "/feed", "post",  array('message' => 'hello!'));             echo 'a message has been posted on friends wall';          } else {              $friends = $facebook->api('/me/friends');              foreach ($friends $key=>$value) {                 echo 'you have ' . count($value) . ' friends<br />';                  foreach ($value $fkey=>$fvalue) {                     echo 'friend id = ' . $fvalue[id] . ' - friend name = ' . $fvalue[name] . ' - <a href="/stage2.php?id=' . $fvalue[id] . '">post message</a><br />';                 }             }         }      } else {          $loginurl = $facebook->getloginurl(array(             'req_perms' => 'publish_stream',             'next' => 'http://'.$_server['server_name'].'/stage1.php',             'cancel_url' => 'http://'.$_server['server_name'].'/cancel.php',         ));          header('location: '.$loginurl);     } ?> 

how can improved not ask extended permissions in start. should ask basic permissions display friends list, , ask extended permissions if user clicks on friend post message.

quickly, there want point out regarding following block of code:

foreach ($friends $key=>$value) {     echo 'you have ' . count($value) . ' friends<br />';      foreach ($value $fkey=>$fvalue) {         echo 'friend id = ' . $fvalue[id] . ' - friend name = ' . $fvalue[name] . ' - <a href="/stage2.php?id=' . $fvalue[id] . '">post message</a><br />';     } } 

your 1st foreach loop misleading , not practice @ all. graph api isn't overly consistent in how presents data, reason doing foreach deal data key in json object returned. bad idea, because data key typically present along other keys (like paging). instead, check see $friends['data'] not empty, , re-assign $friends array so: $friends = $friends['data'];.

example:

if (!empty($friends['data'])) {     $friends = $friends['data']; } else {     $friends = array(); } 

now, question.

you mentioned don't want over-ask permissions. that's great thing want, problem facebook doesn't make exceedingly easy check permissions have or not have. there fql table allows check if user has set of permissions, table doesn't updated kind of urgency. if obtain permissions user (or if user retracts permissions) , check fql table status of permission, can (and will) read incorrect value , false positive.

you have 3 options deal this, can think of right off top of head.

1. continue on stage1.php code, - there's nothing wrong way you're obtaining installation , session user there. change page 2 redirect user through oauth endpoint requesting publish-stream permission every time user loads page. oauth endpoint not re-prompt user install, , send them on way.

   the cons approach is, every request post friends' wall turns 3 requests.

   • the initial page load
   • the oauth redirect / load
   • the redirect oauth application

   this approach requires add flag next key in loginurl, can make sure user went through oauth endpoint, otherwise you're going infinite redirect error.

2. utilize fb javascript sdk check users' current set of permissions. this, you'll utilize fb.getloginstatus method.

   example:

   <div id="fb-root"></div> <script src="http://code.jquery.com/jquery-1.5.2.min.js"     type="text/javascript" charset="utf-8">  </script> <script src="http://connect.facebook.net/en_us/all.js"     type="text/javascript" charset="utf-8">  </script> <script type="text/javascript"> (function($) {     fb.init({         appid: '<?= fb_app_id; ?>',         cookie: true,         status: true,         xfbml: true     });      $('a').click(function(event)     {         var self = this;          event.preventdefault();          fb.getloginstatus(function(session)         {             if (session.perms.match(/\"publish_stream\"/))             {                 /* user has publish stream, don't need                  * ask again                 **/                 window.location = $(self).attr('href');             }             else             {                 /* user not have publish stream, need                  * ask.                 **/                 fb.login(function(response)                 {                     if (response && response.perms.match(/publish_stream/))                     {                         /* have publish stream access! */                         window.location = $(self).attr('href');                     }                 }, {                     perms: 'publish_stream'                 });             }         })          return false;     }) })(jquery); 

3. don't utilize extended permissions, use javascript sdk (again) , give user publish-dialog each user publish on wall of. relatively easy thing do, also.

   example:

   given links users:

   <a href="#" data-id="123">friend 1</a> <a href="#" data-id="456">friend 2</a> <a href="#" data-id="789">friend 3</a> 

   you can this:

   <div id="fb-root"></div> <script src="http://code.jquery.com/jquery-1.5.2.min.js"     type="text/javascript" charset="utf-8"> </script> <script src="http://connect.facebook.net/en_us/all.js"     type="text/javascript" charset="utf-8"> </script> <script type="text/javascript"> (function($) {     $('a').click(function(event)     {         var user_id = $(this).data('id');          fb.ui({             method:    'feed',             message:   'hello!',             to:         user_id         }, function(response)         {             //this gets called whether successful, or not.         })     });  })(jquery);