Setting mandatory permission for a facebook website app

Question

Hello Facebook developpers community,

I'm currently working on a multiplayer online game with HTML/JS. I just want to allow user to register with the game and I decided to allow them to login with their facebook account. I created a Facebook website application for that.

But when I set a fb:login button on my page, the dialog don't ask me for the permissions I set (FYI : i just configure them in the Authenticated Referrals section).

Maybe I need to configure the permissions in an other place but with the new Auth Dialog, I'm not sure where I need to go..

Answer 1

Authenticated referrals have no effect on usage of fb:login-button, they intended for links to your application on Facebook itself.

To request permissions from user you should use scope parameter of Login Button, here is simple example of requesting email and user_location permissions (both HTML5 and XFBML):

<div class="fb-login-button" data-scope="email,user_location"></div>

<fb:login-button scope="email,user_location"></fb:login-button>

Update:
As stated in comments those attributes may be easily manipulated by "advanced" users to avoid granting permissions. There is no way to specify which permissions will be user will be asked to grant from Application Settings. This isn't really a problem on it's own due to fact that Authenticated referrals suffer from very same problem, once user see authentication step he may change scope parameter to whatever he wants.

Actually you SHOULD NEVER trust to anything that came from user, so you'll better check the granted permissions after he logs-in by querying Graph API:

https://graph.facebook.com/me/permissions

This will return list of permissions user is granted to your app, if something missing react on that.