In Requesting extended permissions, I explained how to request extended permissions with the Facebook Android SDK. If you use this method to request different kinds of permissions at different stages, you would notice that making a call to
session.reauthorizeForPublish() with new permissions clears the already existing permissions from the session object and thus the call
session.getPermissions() would later return just the new permissions that are recently granted. This means that the Session object's notion of its permissions is out of sync with the Facebook service and the access token associated with the Session still has those permissions and can still be used to make Graph API calls requiring any of the permissions it has been granted earlier (unless the user has subsequently revoked any of them, of course). This is a bug with the Facebook Android SDK.
In this post, I describe how to work around this by persisting permissions in Application class.