Take a look at this if you are going to implement Open-Graph actions in your existing Facebook apps.
I get a Facebook application that requests only birthday and email permission from the user. Recently, I planned to added the “Read” Open-Graph action to it. However, to avoid any impact to the existing users, I want this feature to be available to new users only. In other words, I need to control whether to request for the “publish_actions” permission on using my own application logic. However, based on what I have tested, I cannot control this.
Right after I specify in my Facebook App Settings that it will use the “Read” action, the authorization dialog that I see when kicking off the authentication flow (by redirecting the user to following URL) will request for the publish_actions permission
As seen in the “scope” param, I only request for user_birthday and email, but I see the publish_actions is also requested in the dialog.
A bug report had been opened for this. It is located here https://developers.facebook.com/bugs/462322807113376?browse=search_4fe182369e7a16a79585813.