Twitter Read/Write permissions

[bytor99999]

Not really a Spring Social specific questions. But does anyone else find it a little scary that if you set your Twitter app to Read/Write permissions that the authorization page and therefore our permissions show that we can change the user's profile and change who they follow?

So, if I had a question it would be, is there a permission where it is all READ, but also allowed to just tweet on their behalf? And if so, is there a setting in Spring Social we can set that would set it to that type of permission?

Thanks

Mark

[habuma]

No, those read/write settings are strictly a Twitter thing. They've extended OAuth 1.0a to give permissions that on the surface look like OAuth 2 scope, but are quite different in that they're requested in the application configuration at Twitter and not in an authorization request to the user. (The user is ultimately asked whether or not they will agree, but they're effectively "hard-coded" when you register your app with Twitter.)

Twitter has no in-between permission like you speak of. And even if they did, since it's an application-configuration detail at Twitter, there's nothing Spring Social can do to support it. The *most* Spring Social could do is enable you to specify that you only want write permission with regard to tweeting, but not for the profile...and throw exceptions otherwise. But that would only be moving the problem up a level, as it's still *you* the application configurer that decides whether or not to restrict it--you'd just be doing it in Spring rather than at Twitter. You could essentially accomplish the same thing by not writing code that updates the profile. In the end, the user still either agrees to *all* write access or *no* write access...nothing in between.

[bytor99999]

Yeah, pretty scary. Makes me not want to use "Login with Twitter" at other websites.

Of course, our app will not write to their profiles, but no matter what Twitter will always show those permissions. You can't change them anywhere.

Thanks

Mark