So this is new. And by new I mean painfully similar to the types of major functionality bugs we see every time there is a large-scale functionality change in Facebook.

I don’t know if this is a bug, or just undocumented, but I am unable to get the FBID of a user (even one who has allowed and interacted with the app) if the application is on its own tab in a fan page. I can get it on the boxes tab (by way of a workaround below) or on its own canvas page, but nothing works for the application tab.

Part of one of the recent changes to the platform was that you could no longer use require_login() from a tab (boxes or application). You can still use it on the application’s canvas page, but when you try to use require_login() in a tab, you’ll get an error that tells you you cannot redirect, something like:

fb:redirect: redirect forbidden by flavor TabFBMLFlavor

A suggestion on the developer forums suggests using:

$is_tab = isset($_POST['fb_sig_in_profile_tab']);
if( !$is_tab ) $user = $fb->require_login();

This basically checks to see if the application is being accessed via a tab (versus the canvas page or profile box). If it is being accessed via a tab, use the $_POST[‘fb_sig_in_profile_tab’], and if not, go ahead with require_login() as usual.

The problem is, while this works on profile tabs, it does NOT work on fan page tabs. When you use $_POST[‘fb_sig_in_profile_tab’] in an application on a fan page tab (or any of the other non-require_login() methods of getting a user’s ID) you end up with the ID of the fan page, NOT the viewing user.

This is a major problem for me, as many of the applications I have to build are not meant for addition to the directory, but are instead meant to be used only on a corporation’s fan page. The inability to access the user’s FBID severely limits what that application can do. In fact, it more often than not renders it completely useless.

To work around this, you can use the following to get the FBID of a user when your application is appearing in the Boxes tab:

function get_user() {
global $facebook;
global $authorized;

// this will fail if user hasn't authorized:
try { return $facebook->api_client->users_getLoggedInUser(); }

return $facebook->get_canvas_user()

and then setting the $user FBID variable with:

$user = get_user();

However, even this does not work on applications appear in their own tab on a fan page.

I downloaded Facebook’s sample application, “Smiley”, to attempt to see how they did it. I’m certainly not new to Facebook application development, but I figured using their own code would help me see how they handle this particular issue.

I, of course, made the gross assumption that their own sample application would be updated with the most recent API calls and best practices. Not only is the Smiley’s app not up to date with the most recent ApI changes, it is flat-out *broken*. Thanks to several files that are completely *missing*, Smiley’s doesn’t even run. The very first line of the index.php makes an include call to a file called constants.php that DOES NOT EXIST. Well done, as usual, Facebook. The new API changes have been out for weeks now – there is just no excuse foer the ongoing broken samples and stubbed or missing documentation.

I have spoken to Facebook and they insist that this was a policy decision to prevent applications from spamming users – however there are a few problems with this explanation:

  1. The FB user’s decide what applications can message them, email them, etc – and by blocking an app, they never hear from them again anyway. Application behavior is irrelevant.
  2. If they were concerned with spamming, why does this behavior only emerge when the app is on its own tab? Its okay to spam from Boxes and canvas then?
  3. If the user has allowed the application, they have voluntarily given the app their information.
  4. Disallowing applications from accessing the FBID of users who have allowed the application renders many applications completely useless. They’re basically statis HTML pages, and it seems unlikely that Facebook would so detrimentally cripple such an important part of the platform.

I suspect that I’m receiving inaccurate information from Facebook regarding this behavior, and I suspect this may be a bug. If this behavior was actually implemented to prevent applications from getting the FBID of users who have allowed it, the decision would have applied to Boxes as well.

I’m still going back and forth with Facebook on this, but I wanted to post it here in case other Facebook application developers are having the same trouble. When I discover the fix, I’ll post a followup here.




Previous post

More on Haiku (or Moron Haiku?)

Next post

Changes to Facebook's Newsfeed/Wall



Iā€™m a tech geek/dev/infosec-nerd/scuba diver/blacksmith/sword-fighter/crime fighter/ENTP/warcrafter/activist. I'm the CTO at Mass Mosaic and the CEO of Grokability, Inc. in San Diego, CA. Tweet at me @snipeyhead or read more...

  • Will

    I use my customized Application, which has iFrame, as a Tab within my Fan Page since I think I cannot use iFrame within a “Static FBML” Tab. My customized App is just a simple page that grabs dynamic data from an external website. I just call it as an Application because that is the procedure I went through: Created an Application in Facebook to act as a dynamic page. Since I don't know FBML that well yet (I just know PHP & some MySQL) and I don't have enough time to dedicate to the project, I opted to use an iFrame placed inside a Tab page within a Fan Page. Sorry if my post is confusing. Hope this clarifies it. šŸ˜€

  • Not really, but i appreciate you trying šŸ™‚ Even in an IFRAME application, the app tab itself is still FBML. If you try to put IFRAME into an app tab, you'll usually get an error.

  • insightcanada

    I'm having a similar issue. I'm trying to pull content from our site and load that into an application that sits as a tab on a page of ours.The actual canvas page of the app works, but its throwing that error when set as a tab.
    Snipe, do you have any ideas of what i might need to do to get a tab that can pull dynamic content from an external site? i thought an iframe would be the magic i needed šŸ˜›

  • You can pull dynamic content from an external site, but it's gotta be written as an FBML app would be written. Load server-side scripted data, and then call updated information using mock ajax/FBJS.

  • Thanks for this usefull info “don't lose too much sleep over it either. Most errors are not shown to users, only developers” :^)

  • Bart

    Hi there.
    Totally agree with you after spending hours and hours trying to solve this problem.
    If I'll get it working – I'll let you know as well.

  • Hi,
    I am able to get the user_id of a user on a tab IF the tab posts to an external URL, AND the user has authorized the application. I then quickly do the dirty work on my server and then redirect back to the tab. This is useful for having forms on an application tab, anyway.
    Authorizing is the tricky part. I used to just be able to do requireLogin=1, but that no longer works. fb:if-is-app-user isn’t allowed either, I get that ugly “forbidden by flavor TabFBMLFlavor” error.
    I got it to work from this solution:
    The script:
    function formDone() {
    function submitForm() {
    FB.Connect.showPermissionDialog(“”, formDone);

    and then put onsubmit=”submitForm();return false;” in the form.

    • If the tab posts anywhere (outside url or otherwise), you can get the fbid. The user just has to interact with the tab in some way, at which point you can get the fbid.