CB Connect for Facebook

12 years 5 days ago #200170 by ducks_mrd
CB Connect for Facebook was created by ducks_mrd
Hi All,

I am just wondering if someone could confirm if what I feel are issues are in fact the way CB Connect for Facebook is designed to work.

Couple of possible issues.
1)
I am already registered on my site, but logged out. So I am presented with the CB login form with a CB Connect to Facebook button to "sign in".
I click on the button and I am presented with the FB OAuth dialog with my required permissions, I click to login with facebook.
I go back to my site but I am not logged in but a Joomla error is shown which says "This email is already registered."

If they are already registered should the accounts not just be joined rather than throwing an error?
This could be confusing for already registered users who must login with email/password then click on the FB button to link. In future they are then able to sign in just by clicking the FB button.

2)
I go to my CB profile and in the menu click "Unjoin this site".
The application is removed from FB however the user's FB account number is not removed from the user's CB record.
This means the menu still shows unjoin and invite which again could be confusing as the user has asked to be unlinked but this makes it look like we have not done what they want.
Also until the CB facebook id field is empty the user can not re-link CB and FB.

3)
On all of the FB OAuth dialogs if the user clicks cancel they are redirected to FB instead of back to my site.
If the user is logged out of FB the initial FB login screen cancel works as expected.

4)
The user is registered on the site and their account is linked to FB.
Since their last visit the site admin has altered the permissions they ask FB for.
The user returns to the site and clicks the FB button to login.
They are presented with a FB OAuth asking for the new permission(s) but they either click cancel or if asking for a FB extended permission they click the remove button for that permission then press skip.
They are then redirected back to the site and logged in however in both instances above they have not allowed the permissions the site requires.

(This is not an issue for me as I am just asking for basic and publish_actions on login then later on asking for more if as and when I need them. But I thought I would mention it since I spotted this.)

For example later in my site I ask for user_events and publish_events. If in the FB OAuth dialog they click cancel they are redirected back to my site and I pick-up the error and do not allow them to continue giving them a nice message.


Thank you in advance for your help with these.

Kind Regards

Mike


12 years 4 days ago #200230 by krileon
Replied by krileon on topic Re: CB Connect for Facebook

If they are already registered should the accounts not just be joined rather than throwing an error?

No, it doesn't match the user based off Email Address. That'd be a massive security vulnerability. They need to login to Joomla and click "Link". Then they can use the "Sign In" button to login with their Facebook credentials.

The application is removed from FB however the user's FB account number is not removed from the user's CB record.

The ID is kept in case they want to link again in the future. They'd just need to click the sign in button and accept the terms again and they'll instantly login.

This means the menu still shows unjoin and invite which again could be confusing as the user has asked to be unlinked but this makes it look like we have not done what they want.

That shouldn't be happening. I suspect it's due to the Joomla session still having the Facebook ID present. Will need to investigate and fix if that is the case.

forge.joomlapolis.com/issues/3519

Also until the CB facebook id field is empty the user can not re-link CB and FB.

Not true, just click the sign in button after logging out. There's no need for them to "link" again.

On all of the FB OAuth dialogs if the user clicks cancel they are redirected to FB instead of back to my site.
If the user is logged out of FB the initial FB login screen cancel works as expected.

I can't control how the dialog behaves. You'll need to review your application's dialog configuration regarding that, as I believe you can specify a custom URL for the cancel button.

They are then redirected back to the site and logged in however in both instances above they have not allowed the permissions the site requires.

That's fine, they may have rejected some of the permissions, but it doesn't disable the application. It just means your install can't utilize the API associated with those permissions. It's far better than blocking them from your site entirely, which would cause massive userbase loss. I do not recommend altering permissions constantly after you've an established userbase. Decide what you need and go from there. If Facebook sends back an unauthorized login then they won't login, but Facebook is sending an authorized login so it continues.


Kyle (Krileon)
Community Builder Team Member
Before posting on forums: Read FAQ thoroughly + Read our Documentation + Search the forums
CB links: Documentation - Localization - CB Quickstart - CB Paid Subscriptions - Add-Ons - Forge
--
If you are a Professional, Developer, or CB Paid Subscriptions subscriber and have a support issue please always post in your respective support forums for best results!
--
If I've missed your support post with a delay of 3 days or greater and are a Professional, Developer, or CBSubs subscriber please send me a private message with your thread and will reply when possible!
--
Please note I am available Monday - Friday from 8:00 AM CST to 4:00 PM CST. I am away on weekends (Saturday and Sunday) and if I've missed your post on or before a weekend after business hours please wait for the next following business day (Monday) and will get to your issue as soon as possible, thank you.
--
My role here is to provide guidance and assistance. I cannot provide custom code for each custom requirement. Please do not inquire me about custom development.
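
The rule in the reply above (match on the stored Facebook ID, never on the email address, and link only from a logged-in session), sketched as an added example that is not part of the thread and is not Community Builder's code. The function name, array layout and sample accounts are assumptions constructed for illustration.

```php
<?php
// Added illustration; not Community Builder code. All names are hypothetical.
// Constructed sample accounts: 'fb_id' is the stored Facebook user ID (null = never linked).
$users = [
    1 => ['email' => 'admin@example.test', 'fb_id' => null],
    2 => ['email' => 'mike@example.test',  'fb_id' => '1000001'],
];

/**
 * Decide what a completed Facebook sign-in means for the site.
 * $profile is the provider's assertion: ['id' => ..., 'email' => ...].
 * The email is display data only and never selects an existing account.
 */
function resolveFacebookSignIn(array $users, array $profile, ?int $sessionUserId): array
{
    // 1. An account already bound to this provider ID: sign that user in.
    foreach ($users as $uid => $u) {
        if ($u['fb_id'] !== null && hash_equals($u['fb_id'], (string) $profile['id'])) {
            return ['action' => 'login', 'user' => $uid];
        }
    }
    // 2. A user who already authenticated locally may bind the ID to their own account.
    if ($sessionUserId !== null && isset($users[$sessionUserId])) {
        return ['action' => 'link', 'user' => $sessionUserId];
    }
    // 3. Unknown ID and no local session: a matching email must not log in or link.
    foreach ($users as $u) {
        if (strcasecmp($u['email'], (string) ($profile['email'] ?? '')) === 0) {
            return ['action' => 'reject', 'reason' => 'This email is already registered.'];
        }
    }
    // 4. Nothing matches: treat as a new registration.
    return ['action' => 'register', 'user' => null];
}

// Constructed cases: [provider profile, locally logged-in user ID or null].
$cases = [
    'known ID, logged out'            => [['id' => '1000001', 'email' => 'other@example.test'], null],
    'new ID claiming the admin email' => [['id' => '9999999', 'email' => 'admin@example.test'], null],
    'admin logged in, clicks Link'    => [['id' => '2000002', 'email' => 'x@example.test'], 1],
    'new ID, new email'               => [['id' => '3000003', 'email' => 'new@example.test'], null],
];
foreach ($cases as $label => [$profile, $session]) {
    $result = resolveFacebookSignIn($users, $profile, $session);
    printf("%-32s => %s\n", $label, json_encode($result));
}
```

The second case is the one the original poster hit: an unlinked account whose email matches is refused rather than joined, so the address returned by the provider cannot be used to reach an existing account.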


12 years 3 days ago #200273 by ducks_mrd
Replied by ducks_mrd on topic Re: CB Connect for Facebook

No, it doesn't match the user based off Email Address. That'd be a massive security vulnerability. They need to login to Joomla and click "Link". Then they can use the "Sign In" button to login with their Facebook credentials.


I had to think about this, sorry if I am being a little "dumb".
I guess you are referring to someone pretending to be facebook and firing stuff at the site until they find a valid email?

Didn't an earlier version just link the accounts?

That shouldn't be happening. I suspect it's due to the Joomla session still having the Facebook ID present. Will need to investigate and fix if that is the case.

forge.joomlapolis.com/issues/3519

Not true, just click the sign in button after logging out. There's no need for them to "link" again.


With regards to the session I checked and after clicking unlink and the page doing what it does. The variable cbconnect_facebook still exists in the session, logging out and back in sorts the session and the menu on the CB profile no longer shows the FB stuff.

With regards to the re-linking, the current process for all registered users with no previous link is:
1. Login to the site.
2. In the CB login box click on the FB button (which says "link").
3. CB and FB do their stuff.
4. On their CB profile user decides to select "Unlink" on the menu.
5. CB and FB do their stuff. On FB app is removed.

In my view at this point if the user decides to re-link or re-authorise whatever we call it they will do what they did the first time and look at the CB login module. But the FB "Link" button is not showing.

I am assuming this is the reverse of the session problem above.
The CB menu items are looking at the session and if the session isset then they show.
But the CB module is looking at the database and if the FB id field isset then it does not show the button. I tested this by manually clearing the field in the backend and the button shows again. If anything they both need to look at session.

The reason being for an already registered person as per the top question they get an error if they try to login with facebook but have not logged in and "linked" first.


Thanks again to the CB team and thank you for your help with these.

Kind Regards

Mike


12 years 3 days ago #200298 by krileon
Replied by krileon on topic Re: CB Connect for Facebook

I guess you are referring to someone pretending to be facebook and firing stuff at the site until they find a valid email?

If it matched by email then in the authorization dialog you can just tell it to send whatever email you want. It'd be easy for someone to hijack someone else's account, even an administrator's, so it does not nor will it ever match by email.

Didn't an earlier version just link the accounts?

You can enable linking only by disabling registration within CB Connect configuration.

With regards to the session I checked and after clicking unlink and the page doing what it does. The variable cbconnect_facebook still exists in the session, logging out and back in sorts the session and the menu on the CB profile no longer shows the FB stuff.

Yeah, I'll be fixing that with next release.

I am assuming this is the reverse of the session problem above.

Nope, it's working as intended. They do not have to re-link. Facebook, and all social sites, policy allows indefinite storage of their ID. All they have to do is click the "Sign In" button, authorize the application, and they're signed in. The unlink is just deauthorizing the application. This is done in case of accidental unlink resulting in them never being able to get back into their account, because passwords are generated.



11 years 11 months ago #200750 by ducks_mrd
Replied by ducks_mrd on topic Re: CB Connect for Facebook
Thanks for your time with my queries.

With regards to the re-linking if they unlink what I meant is rather than not showing the button we should show the button as a way of promoting facebook to encourage them to re-authorise the app.
I know they can re-authorise by clicking "login with facebook" when they are logged out but in my view it would be nice.

Once the session issue is sorted in the next release I can manually add this if this is not something you want to do as standard.

Also just something I have noticed:
On the cblogin I am getting a load of empty span tags when in horizontal or div tags when vertical.
Looking at this I found it is due to the CB Connector.
plugin.cbconnect.php line 16 is showing all of the buttons which in cbconnect.class.php on line 1142 returns the button html.
On line 1178 it then adds a span or div tag around the button. But this is adding the tags even if the $return variable is empty.
To stop it I have just added a
if ($return) {}
around this at line 1178 to stop this.

Not a big issue it only caught me out due to my css.

Thanks

Mike


11 years 11 months ago #200805 by krileon
Replied by krileon on topic Re: CB Connect for Facebook

Once the session issue is sorted in the next release I can manually add this if this is not something you want to do as standard.

3.3.4 fixes the session issue and no I won't be adding any such change, sorry.

