Managing Permissions for Android

During basic login your app receives access to a person's public profile and friend list. To access additional profile information or to publish content to Facebook on someone;s behalf, you need to request the necessary permissions:

  • Public Profile - Is available behind the public_profile permission.

  • Read Permissions - All other information that someone adds to their Facebook profile are secured by other read permissions.

  • Write Permissions - Apps need separate publish permission to post content on the person's behalf.

Here are the ways to manage permissions in your app:

  • When you send Facebook requests for someone, should check for necessary permissions and request them if needed.

  • Your app should deal missing permissions errors from Facebook by asking for permissions and retrying.

  • People using your app can revoke permissions in Facebook but you can also implement this in your app.

  • You can also let people remove basic login privileges from your app, by implementing a mechanism to revoke login entirely.

Learn more about the different available permissions in Permissions Guide.

People are sensitive about granting publish permissions, so you should only ask for publish permissions once a person is ready to post something from your app and not during the initial login.

Get Additional Permissions

During the basic login your app receives access to a person's public profile and friend list. To access additional profile information or to publish content to Facebook on their behalf, you need to request the necessary permissions.

Here we get user_status. You can pass in these permissions to the LoginButton button or a custom UI for login and permissions.

In MainFragment class modify the code in the onCreateView():

...
LoginButton authButton = (LoginButton)view.findViewById(R.id.authButton);
authButton.setFragment(this);
authButton.setReadPermissions(Arrays.asList("user_status"));

return view;
...

Get Read Permissions

LoginManager is a singleton instance, and works with the AccessToken's currentAccessToken. After a successful login, the currentAccessToken will be set. To request additional permissions, simply call the logInWithPermissionName methods.

The logInWithPermissionName methods always open a UI and prompt someone for additional permissions if needed. To get addiitional permissions from someone, make this request with the Facebook SDK for Android:

LoginManager.getInstance().logInWithReadPermissions(
    fragmentOrActivity,
    Arrays.asList("email"));

Use this to request permissions beyond what the app already has been granted. You can use this after initial login.

You can request many of the read permissions listed in Permissions Reference.

Get Publish Permissions

You can ask for any number of read permissions or for publish permissions during login. Ask for more than four permissions experience a significant drop off in the number of completed logins.

Requesting publishing permissions with publish_actions during login creates a second step in the login UI. So you should request minimum read permissions during login then request any additional or publish permissions when someone actually needs them. To optimize your permission requests, see Optimizing Permissions.

To ask for publish permissions in your app, you can use the LoginManager.

LoginManager.getInstance().logInWithPublishPermissions(
    fragmentOrActivity,
    Arrays.asList("publish_actions"));

This requests permissions in addition to what the app already received during login.

Re-Request Permissions

People can grant only a subset of permissions that you ask for, except for public profile, which is granted at login.

People can also revoke permissions granted to your app in Facebook's interface at any time after they have logged in. So your app should regularly check which permissions have been granted. We provide methods for you to check what permissions are currently granted to your app.

To get the list of permissions associated with the current access token, call:

AccessToken.getCurrentAccessToken().getPermissions();

To get the list of declined permissions, call:

AccessToken.getCurrentAccessToken().getDeclinedPermissions();

Your app should handle the case where someone had declined to grant your app one of the permissions you requested. If your app must have one of the declined permissions to work, you can request them again by using the LoginManager as in the examples above.

Login Review

When you implement Facebook Login, your app can optionally ask someone for permissions on a subset of that person's data.

If your app asks for more than public_profile, email and user_friends, Facebook must review it before you release it. Learn more about the review process and what's required to pass review.

Login Review Guide