Intermittently, when doing a newFetchPersonRequest for the viewer that doesn't have the app installed, we still get the full set of viewer data. Does this seem right?

I thought the pattern was if the user didn't have the app, hadError() would be true, and viewer would be null... or possibly some of the internal error fields on the viewer wouldn't be empty.

Am I missing something here?

A screen cap of the executing code in the vs.net debugger is here:

Okay, a bit of background, so feel free to let your attention wonder for a moment if you already know this. OpenSocial has it set up that when a DataRequest returns, it passes a DataResponse object to the callback function. That DataResponse object is an object bundle made up of ResponseItem objects, that are responses to the individual Requests that made up the original DataRequest.

The DataResponse object has an hadError function which will tell you if there was an error with one (or more) of the ResponseItems. But the ResponseItems are still present, since it's only there that you can determine what the error is, through the getErrorMessage and getErrorCode functions. This is done to handle multiple errors from multiple Requests bundled in the original DataRequest.

That's why you still get a ResponseItem object from a VIEWER request even if the VIEWER does not have the App installed. If you investigate it further (you can check this in the  debugger), getErrorMessage from the VIEWER ResponseItem will have an "Authorization Error" I believe (or something similar).

Jeremy:

That's why you still get a ResponseItem object from a VIEWER request even if the VIEWER does not have the App installed. If you investigate it further (you can check this in the  debugger), getErrorMessage from the VIEWER ResponseItem will have an "Authorization Error" I believe (or something similar).

Jeremy: thanks for the insight. Awesome. I really appreciate you chiming in on this.

So here's the wacky thing: All the errors hanging off the VIEWER request are empty. No errors at all. And we're getting the full set of data back on the user (name, id, etc, etc.). That doesn't seem right... does it?

...Nope, that doesn't seem right at all. Unless they changed things (which I know some developers wanted), but that's a rather serious threat to viewer privacy if any ol' App can snag personal data without installation (i.e. permission).

This only happens intermittenly (I missed that the first time)? That tells me it's an error MDP side (if it just always worked, I'd say it's 'cause you're accidentally using a VIEWER who has the App installed). Unless it's a new part of the internal permission security now? That non-installed users have to change a setting to block non-installed Apps from accessing their data set? But, again, why only intermittenly?

That's beyond me -- I'm guessing you uncovered a bug.