Facebook php API为使用无效令牌的用户提供访问权限
[英]Facebook php api giving access to users with invalid tokens
问题描述
I am using the facebook php api to control the access to some parts of my webapp. 
我正在使用facebook php api来控制对Webapp某些部分的访问。 Basically I am just checking if the user is logged into facebook and the user authorize the app (basic permission) every time the page is load and then printing things according to the state. 基本上,我只是在检查用户是否登录到Facebook,并且每次页面加载时都对应用程序进行授权(基本许可),然后根据状态打印内容。
Something like, if($check_user_lo_npe) { echo 'Welcome!'; } 例如if($check_user_lo_npe) { echo 'Welcome!'; } if($check_user_lo_npe) { echo 'Welcome!'; } , simple as that. if($check_user_lo_npe) { echo 'Welcome!'; } ,就这么简单。 Well, everything is working fine, until I realize that if the user deletes the app from their users settings in facebook, which means the token gets invalidated, I am still getting a true response from the function check_user_lo_npe even if I know the token is invalid because as I said, the user deleted the app. 好吧,一切工作正常,直到我意识到如果用户从其Facebook用户设置中删除该应用程序,这意味着令牌已失效,即使我知道令牌无效,我仍然会从check_user_lo_npe函数获得true响应因为正如我所说,用户删除了该应用。 This is how I am checking the permissions: 这就是我检查权限的方式:
function check_user_lo_npe() {
global $facebook;
global $data;
$fb_user_id = $facebook->getUser();
if ($fb_user_id) {
try {
if(!isset($_SESSION['fb_user_profile'])) {
$_SESSION['fb_user_profile'] = $facebook->api('/me');
$temparray = $facebook->api('/me/friends');
$_SESSION['fb_user_friends'] = count($temparray[data]);
}
$data->reg_user($_SESSION['fb_user_profile'],$_SESSION['fb_user_friends']);
return array(true,'');
} catch (FacebookApiException $e) {
$fb_user_id = NULL;
return array(false,$e->getMessage());
}
} else {
return array(false,'');
}
}
I need to realize when the user deletes the app so I can send them to the login screen again, the function is supposed to detect when there is an exception, but somehow I am not getting any... why? 我需要意识到用户何时删除该应用程序,以便可以将它们再次发送到登录屏幕,该功能应该能够检测到何时出现异常,但是不知何故我没有得到任何信息……为什么?
2 个解决方案
解决方案1
1 已采纳 2012-11-01 21:11:49
Those $_SESSION variables are set by your app, not by the Facebook SDK right? 这些$_SESSION变量是由您的应用设置的,而不是由Facebook SDK设置的,对吗? Without attempting to access the Facebook session you can't be sure if that session is still active/ 如果不尝试访问Facebook会话,则无法确定该会话是否仍处于活动状态/
If you need to check on each page whether there's still an active Facebook session or not, look at FB.GetLoginStatus() in the Javascript SDK, or make an API call to (for example) /me/permissions to check your access token is still valid 如果您需要在每个页面上检查是否仍然有活动的Facebook会话,请查看Javascript SDK中的FB.GetLoginStatus() ,或对(例如) /me/permissions进行API调用以检查您的访问令牌是否为还是有效
That said, it may be as easy to just have an exception handler which detects when an attempt to access Facebook's API fails, and have it send the user through the authentication flow at that point. 就是说,拥有一个异常处理程序来检测访问Facebook API的尝试何时失败,然后让其通过身份验证流将用户发送给用户,可能很容易。
解决方案2
0 2012-11-01 21:10:44
Your if ($fb_user_id) line is probably evaluating to false, which causes you to return array(false,''); 您的if ($fb_user_id)行可能评估为false,这将导致您return array(false,''); in your else statement, never triggering an exception. 在您的else语句中,永远不会触发异常。
If you did get past the ID check, it looks like you are putting data into $_SESSION before they delete the app, and then not re-checking it. 如果您确实通过了ID检查,则看起来您是在将数据放入$_SESSION之前,他们才删除了该应用程序,然后不再对其进行检查。 Once you have it in the $_SESSION , if you don't go back to Facebook to verify, there is no reason an exception would be thrown. 将其保存在$_SESSION ,如果不返回Facebook进行验证,则没有理由抛出异常。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.