Thanks,
Jim Cortez
> --
> Twitter developer documentation and resources: https://dev.twitter.com/doc
> API updates via Twitter: https://twitter.com/twitterapi
> Issues/Enhancements Tracker:
> https://code.google.com/p/twitter-api/issues/list
> Change your membership to this group:
> https://groups.google.com/forum/#!forum/twitter-development-talk
> <https://groups.google.com/forum/#%21forum/twitter-development-talk>
Of course, for desktop (and mobile) applications this will mean that
they will have to integrate the normal OAuth flow. "Yay!".
In the past, I've seen several occurrences where popular clients weren't
affected by the rules. Will we yet again see this, or will there not be
an exception for those clients? The same question goes for Twitter's own
apps: will they make the switch to OAuth, or will they keep using xAuth?
Tom
On 5/18/11 7:01 PM, Matt Harris wrote:
> Hey everyone,
>
> We recently updated our OAuth screens to give users greater
> transparency about the level of access applications have to their
> accounts. The valuable feedback Twitter users and developers have
> given us played a large part in that redesign and helped us identify
> where we can do more.
>
> In particular, users and developers have requested greater granularity
> for permission levels.
>
> In response to this feedback, we have created a new permission level
> for applications called �Read, Write & Direct Messages�. This
> permission will allow an application to read or delete a user's direct
> messages. When we enforce this permission, applications without a
> �Read, Write & Direct Messages� token will be unable to read or delete
> direct messages. To ensure users know that an application is receiving
> access to their direct messages, we are also restricting this
> permission to the OAuth /authorize web flow only. This means
> applications which use xAuth and want to access direct messages must
> send a user through the full OAuth flow.
>
>
> What does this mean for your application?
> If you do not need access to direct messages: you won�t need to make
> any changes to your application. When we enforce the new permission
> level your read or read/write token will automatically lose access to
> direct messages.
>
> If you do need access to direct messages: you will need to edit your
> application record on https://dev.twitter.com/apps and change the
> permission level of your application to �Read, Write and Direct
> Messages�. The new permission will not affect existing tokens which
> means existing users or your app or service will need to reauthorize.
>
> We know this will take some time so we are allowing a transition
> period until the end of this month. During this time there will be no
> change to the access Read/Write tokens have to a users account.
> However, at the end of the month any tokens which have not been
> upgrade to �Read, Write and Direct Messages� will be unable to access
> and delete direct messages.
>
>
> Affected APIs and requests
> On the REST API, Read and Read/Write applications will no longer be
> able to use these API methods:
> /1/direct_messages.{format}
> /1/direct_messages/sent.{format}
> /1/direct_messages/show.{format}
> /1/direct_messages/destroy.{format}
>
> For the Streaming API, both User Streams and Site Streams will only
> receive direct messages if the user has authorised an application to
> access direct messages.
>
> Applications that use �Sign-in with Twitter� or xAuth will only be
> able to receive Read or Read/Write tokens.
>
> What this means is only applications which direct a user through the
> OAuth web flow will be able to receive access tokens that allow access
> to direct messages. Any other method of authorization, including
> xAuth, will only be able to receive Read/Write tokens.
>
>
> What will happen when the permission is activated
> When we activate the new permission, all Read and Read/Write
> user_tokens issued to third-party applications will lose their ability
> to read direct messages. Any attempt to read direct messages will
> result in an HTTP 403 error being returned.
>
> For example, a GET request to
> https://api.twitter.com/1/direct_messages/sent.json will return an
> HTTP 403 Forbidden with the response body:
>
> {"errors":[{"code":93,"message":"This application is not allowed to
> access or delete your direct messages"}]}
>
>
> Key Points
> * If you wish to access a user�s direct messages you will need to
> update your application and reauthorize existing tokens.
> * The only way to get direct message access is to request access
> through the OAuth /authorize web flow. You will not be permitted to
> access direct messages if you use xAuth.
> * When we enforce the permission Read/Write and Read tokens will be
> unable to access and delete direct messages.
> * Read/Write tokens will be able to send direct messages after the
> permission is enforced.
>
> We�ll be collating responses and adding more information on our
> developer resources permission model page:
> https://dev.twitter.com/pages/application-permission-model
>
> We have also blogged about this on the Twitter blog:
> http://blog.twitter.com/2011/05/mission-permission.html
>
> Best,
> @themattharris
"A mathematician is a device for turning coffee into theorems." -- Paul
Erdos
Quoting Matt Harris <themat...@twitter.com>:
--
Twitter API documentation and resources: http://dev.twitter.com/doc
API updates via Twitter: http://twitter.com/twitterapi
Change your membership to this group: http://groups.google.com/group/twitter-api-announce?hl=en
There have been a lot of opinions voiced about how this is being implemented. This not only proves troublesome for xAuth clients, but it lends me to worry about how the future of permissions will evolve. Effectively now, every single Twitter user needs to get their application re-authed for the new tokens to provide DM access by the end of the month.
The Facebook style of using a 'scope' for individual permissions is so much more viable. I also believe that the API should provide a lookup for the permissions that a set of credentials currently provides. I honestly believe that going down the 'scope' route for permissions will be a lot better for all concerned. When new permissions are introduced to the API in the future, it would be a small matter of updating the requesting scope for the application developer, rather than completely rewriting chunks of code.
I'd like a response from Matt, Taylor or Raffi on this matter and the plans for future permissions and their implementation.
> --
> Twitter developer documentation and resources: https://dev.twitter.com/doc
> API updates via Twitter: https://twitter.com/twitterapi
> Issues/Enhancements Tracker: https://code.google.com/p/twitter-api/issues/list
> Change your membership to this group: https://groups.google.com/forum/#!forum/twitter-development-talk
--
Scott Wilcox
@dordotky | sc...@dor.ky | http://dor.ky
+44 (0) 7538 842418 | +1 (646) 827-0580
+1
--
Martin Dapas
Agreed.
I'm really disappointed with this change.
Asking users to reauthorize is a burden on both developers and users.
Existing users already gave their permission for apps to access
private messages.
The lead time for developers to respond to this change is ridiculously short.
In my opinion, Twitter should have allowed users finer grained control
over permissions, allowing them to selectively remove "private
message" permissions for existing apps.
An app should be able to request a set of default permissions. Users
should be able to accept the defaults, or selectively deny individual
permissions.
If an app has optional "private message" features, it must request
"private message" permission from *all* users. Either that or
register multiple apps for each set of appropriate permissions, which
is confusing and difficult for users and developers to manage.
Is it too late to re-think this, Twitter?
-Marc
I have updated my apps to use Read/Write/DM permissions, and then it
saves it as Read-Only... I tried to change it back to just Read/Write,
and again it is saved as Read-Only.
Is anyone else having this problem? Users are going insane...
-Chad
so use http://dev.twitter.com/apps
and DO NOT USE http://twitter.com/apps (which, should be deleted or
auto-forwarded or something....)
caramba,
-chad
> We know this will take some time so we are allowing a transition period until the end of this month.
Gentlefolk,
This is way too short an amount of time to implement OAuth and transition mobile users off of an xAuth based client. (In my experience, my user base upgrades an app over a full quarter of a year.) Furthermore, even if I was ready right now with a submission to Apple, there is a very good chance that my app would not be approved by your deadline.
Please reconsider this deadline.
Anon,
Andrew
____________________________________
Andrew W. Donoho
Donoho Design Group, L.L.C.
a...@DDG.com, +1 (512) 750-7596, twitter.com/adonoho
"We did not come to fear the future.
We came here to shape it."
-- President Barack Obama, Sept. 2009
Hey everyone,We recently updated our OAuth screens to give users greater transparency about the level of access applications have to their accounts. The valuable feedback Twitter users and developers have given us played a large part in that redesign and helped us identify where we can do more.In particular, users and developers have requested greater granularity for permission levels.In response to this feedback, we have created a new permission level for applications called “Read, Write & Direct Messages”. This permission will allow an application to read or delete a user's direct messages. When we enforce this permission, applications without a “Read, Write & Direct Messages” token will be unable to read or delete direct messages. To ensure users know that an application is receiving access to their direct messages, we are also restricting this permission to the OAuth /authorize web flow only. This means applications which use xAuth and want to access direct messages must send a user through the full OAuth flow.What does this mean for your application?If you do not need access to direct messages: you won’t need to make any changes to your application. When we enforce the new permission level your read or read/write token will automatically lose access to direct messages.
If you do need access to direct messages: you will need to edit your application record on https://dev.twitter.com/apps and change the permission level of your application to “Read, Write and Direct Messages”. The new permission will not affect existing tokens which means existing users or your app or service will need to reauthorize.
We know this will take some time so we are allowing a transition period until the end of this month. During this time there will be no change to the access Read/Write tokens have to a users account. However, at the end of the month any tokens which have not been upgrade to “Read, Write and Direct Messages” will be unable to access and delete direct messages.Affected APIs and requestsOn the REST API, Read and Read/Write applications will no longer be able to use these API methods:/1/direct_messages.{format}/1/direct_messages/sent.{format}/1/direct_messages/show.{format}/1/direct_messages/destroy.{format}For the Streaming API, both User Streams and Site Streams will only receive direct messages if the user has authorised an application to access direct messages.Applications that use “Sign-in with Twitter” or xAuth will only be able to receive Read or Read/Write tokens.What this means is only applications which direct a user through the OAuth web flow will be able to receive access tokens that allow access to direct messages. Any other method of authorization, including xAuth, will only be able to receive Read/Write tokens.What will happen when the permission is activatedWhen we activate the new permission, all Read and Read/Write user_tokens issued to third-party applications will lose their ability to read direct messages. Any attempt to read direct messages will result in an HTTP 403 error being returned.
For example, a GET request to https://api.twitter.com/1/direct_messages/sent.json will return an HTTP 403 Forbidden with the response body:
{"errors":[{"code":93,"message":"This application is not allowed to access or delete your direct messages"}]}Key Points* If you wish to access a user’s direct messages you will need to update your application and reauthorize existing tokens.* The only way to get direct message access is to request access through the OAuth /authorize web flow. You will not be permitted to access direct messages if you use xAuth.* When we enforce the permission Read/Write and Read tokens will be unable to access and delete direct messages.* Read/Write tokens will be able to send direct messages after the permission is enforced.We’ll be collating responses and adding more information on our developer resources permission model page: https://dev.twitter.com/pages/application-permission-modelWe have also blogged about this on the Twitter blog: http://blog.twitter.com/2011/05/mission-permission.htmlBest,@themattharris
--