When building any site that will interact with Facebook, you need to have a user connect their Facebook account with your site. You create an app listing on Facebook, get some handshake tokens, put them in your code, then have a user initiate a connection between your site and their Facebook account.
The initiation is usually a button that says something like “Connect with Facebook”. Behind the button is some code that indicates your token and what permissions your site wants from the requesting user. Usually you’ll want your site to have their email address, maybe some permissions to read their wall posts or perhaps even post on their wall. For many types of sites (like a couple I’ve worked on over the last year) you *really* are only using Facebook as an authentication system, and you’re not planning on doing any interaction with Facebook at all, so you don’t really want any permissions to their data or wall or anything else.
However… Facebook *requires* that you get access to certain aspects of the users’ data. Even if you don’t ask for it. It’s confusing, poorly documented, and certainly causes many people to abandon signups partway through the process.
Specifically, Facebook will always tell the user that your site/app wants access to the user’s friends list. Always.
The Facebook developer guide says
“The public profile and friend list is the basic information available to an app. All other permissions and content must be explicitly asked for.”
But… it doesn’t indicate that there will be a popup asking for this.
The only “permission scope” being requested is “email”. But Facebook insists on presenting this warning that MY SITE is REQUESTING “friend list” permissions. We’re *not* doing this – we do not want the friends list, but have no way of *not* getting it.
Even more confusing, really, is the Facebook documentation on this (their docs have always been an unholy mess, imo)
“When a user logs into your app and you request no additional permissions, the app will have access to only the user’s public profile and also their friend list.”
What happens when you *do* in face request “additional permissions” is that you still are presented to the user as asking for permission for their friend list. I suppose the word “additional” has an implication there, but really, this is dealing with computery/programmery stuff – be explicit about what happens in both situations.
More to the point, give people a way to *not* have access to friend lists. This is offputting to users, and in an age where privacy is a bigger concern than ever, requiring access to data that is not needed or wanted is negligent. I suppose it would disrupt all the farmville and candy crush clones from making a living by not requiring people to spam their friends.