“App Review required by August 1, 2018 to retain access to Facebook Platform APIs”
You may have noticed this alert appear on your Facebook App in the past day or so and you’re wondering what it is and how it affects Instant Articles. As you may have realised, this is Facebook’s attempt at tightening security after the recent scandal.
When you create a new App on your Facebook Developer account you have the option of submitting it for review. This is where a Facebook developer looks over your app and assess how you’re using it and whether it’s for legitimate use or for more underhand means. Previously you have only needed to submit your App for review if it’s being used widely by end consumers or if it asks for very intrusive permissions (posting to a user’s wall etc). Facebook have now expanded the review requirements and any app that asks for the user_link, user_gender, user_age_range, or user_friends permissions will also require a review.
How this affects Instant Articles
When connecting via the API, WP Native Articles requests the following permissions:
Let’s have a quick look at these individually:
pages_manage_instant_articles – Generally this does require a review, however, if you read the documentation it explicitly states that if the user connecting your site to the App has an admin role on the App then it doesn’t require a review and will work perfectly. WP Native Articles only requires one Facebook account to be connected (it’s not using the Facebook API in such as way as anyone can login) so as long as that account is an admin on the Facebook App then it is fine.
pages_show_list – This is a read only permission that, according to the docs, doesn’t require a review.
read_insights – This is the tricky one. Again, normally this does require a review, however, if you read the info in the review process it states the same clause as pages_manage_instant_articles, as long as the Facebook account used to connect to your Facebook app is listed as an administrator on the app then the review process is fine.
As long as the Facebook user account you used to connect your WordPress site to your Facebook app is listed on the Facebook app with a developer role or higher then everything should still work and you don’t require a review.
As of May 2018 this is correct. It may change as Facebook changes but at the moment we don’t anticipate having to change the API setup. Of course, there’s no harm in submitting your app for review if you wish!
n.b. Of course you could be using the same Facebook App simultaneously for something else entirely that does require a review.