Issue 168: opensocial_viewer_id is currently being passed even if the viewer does NOT have the application
3 people starred this issue and may be notified of changes.
Status:  1207535
Owner:  ----
Type-Defect
Priority-Medium
Container-Orkut


Reported by johnebmj, May 09, 2008
Description of the bug/feature
==================================

When gadgets.io.makeRequest() is called, opensocial_viewer_id is currently
being passed even if the viewer does NOT have the application.

The opensocial_viewer_id should only be passed if the application has
access to the viewer id.  The viewer must have the application installed.
However the viewer_id value is being passed even without the user having
the application installed.

What steps will reproduce the problem?
======================================
1. Navigate to CodeRunner (with an Orkut user without CodeRunner App installed):
http://sandbox.orkut.com/Application.aspx?uid=3614003783765785339&appId=218116460194
2. Run this code:
----------------------------
function makeSignedRequest() {
	var params = {};
	// Have the container sign the outgoing request.
	params[gadgets.io.RequestParameters.AUTHORIZATION] = gadgets.io.AuthorizationType.SIGNED;
	params[gadgets.io.RequestParameters.CONTENT_TYPE] = gadgets.io.ContentType.JSON;
	params[gadgets.io.RequestParameters.METHOD] = gadgets.io.MethodType.POST;

	var url = "http://www.hipersocial.com/vnv/loginAuth.php";

	gadgets.io.makeRequest(
		url,
		function(ret) {
			// Read the viewer id from the _get field of the backend's JSON response.
			output("GET['opensocial_viewer_id'] from Signed Request: ", ret.data._get['opensocial_viewer_id']);
		},
		params
	);
}
makeSignedRequest();
---------------------------

What is the expected output?
============================
GET['opensocial_viewer_id'] from Signed Request: 

What is the actual output?
==========================
GET['opensocial_viewer_id'] from Signed Request: 15988286432912483202

Which container (orkut, MySpace, hi5, etc) are you using?
=========================================================
Orkut

Which browsers have you experienced this on?
============================================
IE, Firefox

 
Comment 1 by brendan.ribera, May 09, 2008
Why shouldn't the application have access to the viewer id if the viewer hasn't
installed the application?

The id isn't personal information about the viewer, so it seems like it's perfectly
acceptable to pass this information to the application.

Without it, an application cannot rightly assess how many unique users hit their app.
Comment 2 by johnebmj, May 09, 2008
Hi,

It would also be useful for me if OpenSocial provided the viewer_id in all
cases, though I think this is a bug.

Look at the 2nd comment by api.kur...@google.com, Feb 19, 2008 in
http://code.google.com/p/opensocial-resources/wiki/OrkutValidatingSignedRequests :
-------------------------
Viewer will be sent if the app has permission to access the viewer object (i.e.
viewer has the app installed).

The cert may eventually be moved to a https url. When the plan for releasing certs is
finalized, then we will post updated information.
-------------------------
Comment 3 by mNeo07, May 15, 2008
Viewer id should be accessible. Only then can you provide "basic/limited" 
functionality to a viewer who doesn't have the app installed (as orkut recommends).
Comment 4 by apija...@google.com, Jun 05, 2008
(No comment was entered for this change.)
Status: 1207535
Comment 5 by api.kurrik.g00g1e, Jun 18, 2008
(No comment was entered for this change.)
Labels: Container-Orkut
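
The discussion above turns on what a backend may conclude from opensocial_viewer_id in a signed request. As an added example (not code from this issue or from Orkut), the Node.js sketch below accepts that parameter only after the request signature verifies. It assumes OAuth 1.0 RSA-SHA1 signing; the function names, URL, key pair and parameter values are constructed for illustration.

```javascript
// Added example, not from the issue. Assumes OAuth 1.0 RSA-SHA1 signing;
// the key pair, URL and parameter values are constructed.
const crypto = require('crypto');

// RFC 3986 percent-encoding, as OAuth 1.0 requires.
const enc = (s) => encodeURIComponent(s).replace(/[!'()*]/g,
  (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);

// Signature base string: METHOD & encoded URL & encoded sorted parameters.
// `url` has no query string; query and form parameters all go in `params`.
function baseString(method, url, params) {
  const pairs = Object.keys(params)
    .filter((k) => k !== 'oauth_signature') // never part of the signed data
    .map((k) => [enc(k), enc(String(params[k]))])
    .sort((a, b) => cmp(a[0], b[0]) || cmp(a[1], b[1]))
    .map((p) => p.join('='))
    .join('&');
  return [method.toUpperCase(), enc(url), enc(pairs)].join('&');
}

// Returns opensocial_viewer_id only if the container's signature verifies.
// A verified id says who is viewing; per this issue it does not show that the
// viewer has installed the application, so it must not gate install-only features.
function verifiedViewerId(method, url, params, containerPublicKey) {
  if (params.oauth_signature_method !== 'RSA-SHA1' || !params.oauth_signature) return null;
  const ok = crypto.verify('sha1', Buffer.from(baseString(method, url, params)),
    containerPublicKey, Buffer.from(params.oauth_signature, 'base64'));
  return ok && params.opensocial_viewer_id ? params.opensocial_viewer_id : null;
}

// Constructed demo: a throwaway key pair stands in for the container's key.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const url = 'http://backend.example/loginAuth.php';
  const params = {
    oauth_signature_method: 'RSA-SHA1', oauth_nonce: 'constructed-nonce',
    oauth_timestamp: '1210291200',
    opensocial_viewer_id: '1111', opensocial_app_id: '2222',
  };
  params.oauth_signature = crypto.sign('sha1',
    Buffer.from(baseString('POST', url, params)), privateKey).toString('base64');
  const genuine = verifiedViewerId('POST', url, params, publicKey);
  const forged = verifiedViewerId('POST', url,
    { ...params, opensocial_viewer_id: '9999' }, publicKey);
  return { genuine, forged }; // forged is null: the id was changed after signing
}
```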