The Facebook Infinite Authorisation Loop
In the last few weeks we have produced a number of Facebook applications for our clients, including the Andrex “Pup-o-Matic” and Coral’s “Ask a Pro”. Their levels of popularity have been extremely impressive, with the Pup-o-Matic in particular getting astounding levels of traffic – 3.9 million spins of the wheel and counting.
However, whilst we are delighted when someone chooses to allow these applications access to their Facebook profile, there are undoubtedly a number of folk who do not feel comfortable with third parties taking a peek at their private data. In fact the issue of privacy is such a hot topic on Facebook that they have recently updated their policy to ensure users know exactly what information they are granting access to. And whilst that is great news for the civil liberties activists amongst you, there is another issue that few developers appear to have catered for: what happens when a user denies your application access to their details?
Take, for example, EA Sports’ FIFA Superstars application. EA are one of the world’s largest games producers, so you would assume they would pay immense attention to detail when producing a Facebook application. Sadly though, they have not tested one of the first pieces of functionality that their application presents: the “Don’t Allow” button. Because, if you press this button, you’ll find that you are merely redirected back to the same authorisation request page. Go on, give it a try, I’ll wait… See what I mean?
However, it is not a great surprise that this issue has not been addressed in the vast majority of applications on Facebook (the Pup-o-Matic and Ask a Pro obviously do not fall into this category, as our QA processes are extremely detailed). I say this because the documentation, correct me if I am wrong, does not actually exist for this functionality. Previously, developers could specify a URL for users to be redirected to if they chose to deny your app access. However, with the new version of Facebook’s API, the Graph API, users are simply redirected to the application’s canvas page. And since the canvas page was what initiated the authorisation request, you as the user are sent back into the authorisation process again. And thus the Facebook infinite authorisation loop has you. So how do we capture this event to save you hapless souls lost in this vortex? The answer lies deep within the Facebook bugs list, in a notice posted only about a month ago. When the user clicks the deny button, a query string is appended to the canvas page URL, with the variable "error_reason=user_denied". So add a simple check for this query string (in PHP use if ($_GET['error_reason'] == "user_denied") {) and you’ll save the sanity of a few Facebook users.
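To show how that check fits into a canvas page so the loop is actually broken, here is an added example of a minimal handler. It is not the post's code or any of the applications mentioned above; the app id, canvas URL, OAuth dialog URL and the "error" / "code" parameter names are assumptions (standard OAuth names, not something the post states), and the only thing the post itself guarantees is the error_reason=user_denied query-string value. The decision is kept in a pure function so it can be exercised with any $_GET array in a unit test.

```php
<?php
// Added example, not code from the original post. Placeholders below must be
// replaced with your own application's values.
define('APP_ID', 'YOUR_APP_ID');                               // placeholder
define('CANVAS_URL', 'https://apps.facebook.com/your-app/');   // placeholder
define('OAUTH_DIALOG_URL', 'https://www.facebook.com/dialog/oauth'); // assumed

// Classify the incoming request so the loop-breaking decision can be tested
// on its own. Returns 'denied', 'authorised' or 'needs_auth'.
function classify_request(array $get)
{
    // The user pressed "Don't Allow": Facebook sends them back to the canvas
    // page with error_reason=user_denied appended. We must NOT redirect to the
    // dialog again here, or the user lands in the infinite authorisation loop.
    if (isset($get['error_reason']) && $get['error_reason'] === 'user_denied') {
        return 'denied';
    }
    // Any other OAuth-style error (assumed parameter name, e.g. error=access_denied)
    // is treated the same way: show a page, do not re-prompt.
    if (isset($get['error'])) {
        return 'denied';
    }
    // An authorisation code (assumed parameter name) means the user allowed access.
    if (isset($get['code'])) {
        return 'authorised';
    }
    return 'needs_auth';
}

// Build the dialog URL once, from named parameters, rather than by string concatenation.
function oauth_dialog_url()
{
    return OAUTH_DIALOG_URL . '?' . http_build_query(array(
        'client_id'    => APP_ID,
        'redirect_uri' => CANVAS_URL,
        // Example permission; request only what the application genuinely needs.
        'scope'        => 'email',
    ));
}

header('Content-Type: text/html; charset=utf-8');

switch (classify_request($_GET)) {
    case 'denied':
        // Plain explanation instead of another authorisation prompt.
        echo '<p>You chose not to give this application access to your profile, '
           . 'so it cannot continue. Nothing has been stored.</p>';
        break;

    case 'authorised':
        // Exchange the code for an access token and load the app (omitted here).
        echo '<p>Thanks, loading the application...</p>';
        break;

    case 'needs_auth':
        // Only now send the user to the authorisation dialog. Canvas pages run
        // inside an iframe, so redirect the top window from JavaScript rather
        // than with a Location header; json_encode produces a safe JS string.
        echo '<script>top.location.href = ' . json_encode(oauth_dialog_url()) . ';</script>';
        break;
}
```

A quick sanity check that the ordering matters: classify_request(array('error_reason' => 'user_denied')) returns 'denied' and never reaches the redirect branch, while an empty array returns 'needs_auth'. Testing the handler with the "Don't Allow" button, not just the "Allow" button, is the QA step the post is asking for.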

