[sldev] Patch to Address Debit Permission Spoofing

Kelly Washington kelly at lindenlab.com
Fri May 25 09:31:24 PDT 2007


Erik Anderson wrote:
> Is there any way we can ask LL to provide two permission tiers here? 
> Considering that a significant chunk of L$-authorized objects are
> probably vendor scripts of which you are not the owner, having those
> objects use a lesser "refund-only" permission could help separate out
> the potentially dangerous scripts from the ones that can only give up
> to the amount of money that they have themselves been given...
>
> And yes, I probably should have looked at Jira before posting this...
>
Unfortunately there are currently no transaction mechanisms in LSL. 
Vendors work in an asynchronous manner - they collect money and then
they give items.  Or they collect money and do something else.  This
makes a refund permission a little more difficult, although I suppose a
new function llRefund() that only worked inside the money() event could
make sense.  It is possible this may not help some of the more
complicated systems, but is probably the best middle ground.

Should a permission even be required for llRefund()?  No permission is
required for money() events, and the only "trick" would be to ensure
that refund() can't be called multiple times or is a noop when called
after the first time.

I actually do like this idea.

 - Kelly
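
The refund semantics proposed in this message, modeled as an added example that is not part of the original post and is not Linden Lab code: a refund that needs no debit permission, works only while the money() handler is running, is bounded by the payment just received, and becomes a no-op after its first use. `MoneyEvent`, `deliver_money`, `demo` and the balances dictionary are hypothetical names; the optional partial-refund amount is an assumption.

```python
# Added illustration of the hypothetical llRefund(); names are assumptions, not LSL APIs.

class MoneyEvent:
    """State for one delivery of a money() event to a script."""

    def __init__(self, balances, payer, owner, amount):
        self.balances = balances
        self.payer, self.owner, self.amount = payer, owner, amount
        self.active = False     # True only while the handler is running
        self.refunded = False   # set by the first successful refund

    def refund(self, amount=None):
        """Refund the payer without a debit permission; returns 0 on a no-op."""
        if not self.active or self.refunded:
            return 0            # outside money(), or already used
        if amount is None:
            amount = self.amount
        if not 0 < amount <= self.amount:
            return 0            # never more than this payment
        self.balances[self.owner] -= amount
        self.balances[self.payer] += amount
        self.refunded = True
        return amount


def deliver_money(balances, payer, owner, amount, handler):
    """Apply the payment, then run the script's money() handler."""
    balances[payer] -= amount
    balances[owner] += amount
    event = MoneyEvent(balances, payer, owner, amount)
    event.active = True
    try:
        handler(event)
    finally:
        event.active = False    # a stored reference is useless afterwards
    return event


def demo():
    balances = {"payer": 100, "owner": 500}   # constructed sample data
    results = []
    def handler(ev):
        results.append(ev.refund(999))  # over the payment: no-op
        results.append(ev.refund())     # full refund of 40
        results.append(ev.refund())     # second call: no-op
    ev = deliver_money(balances, "payer", "owner", 40, handler)
    results.append(ev.refund())         # after money() returned: no-op
    return results, balances
```

Because the refund is tied to a single event and capped at that event's amount, a script with this capability can never move more of the owner's money than the payer just handed over.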

