[sldev] Patch to Address Debit Permission Spoofing

Tateru Nino tateru.nino at gmail.com
Mon May 28 22:05:31 PDT 2007


In my experience, from a usability perspective and from a long mile of
live help, the average user is increasingly less likely to read a
warning or error message the longer it is. They want the popup to go away.

If you enquire about the existing permissions request, the user
responds "Umm. Oh, there was something about... permissions... something."

People aren't dumb, but they _are_ in something of a rush. I'm wondering
if some sort of graphical iconic(s) might be useful to focus the user on
the meaning of the text below.

Able Whitman wrote:
> Howdy,
>
> Thanks to everyone who provided feedback on my patch. The general
> consensus seems to be that raising the visibility of debit permissions
> prompts is a good thing, as long as it doesn't become too intrusive.
>
> I've attached the second version of my patch, along with the second
> drafts of both the feature spec and test plan. If this patch looks to
> be pretty good, I will attach it to VWR-650 and edit the bug
> appropriately to include this information.
>
> A summary of the changes to the patch:
> * Color is no longer the only differentiating factor between prompts
> for normal permissions and for the debit permission:
>     * Prompts for the debit permission are much taller than regular
> permission prompts, helping to mitigate the "click-click-click-oops"
> problem.
>     * The new caution permission prompts also include a white title at
> the top, to further differentiate them visually from normal permission
> prompts.
>     * The caution prompts also have a "Details..." button that
> displays a modal dialog with additional information about the debit
> permission.
> * Instead of just disabling the new style of permission prompts, the
> "PermissionsCautionEnabled" setting completely disables the changes
> made by this patch, but this setting does not persist, and will revert
> to True at the start of each session.
> * The chat message that is logged at the granting or denial of the
> debit permission now includes the region and location of the object.
>
> I've only attached screenshots of the actual caution permission
> prompts. The format of the chat message looks like this:
>
> "'ObjectName', an object owned by 'OwnerName', located in RegionName
> at LocationX, LocationY, LocationZ has been Granted|Denied permission
> to: Take Linden dollars (L$) from your account."
>
> (Unfortunately it doesn't appear to be possible for the client to
> easily determine the creator of the object that is requesting
> permissions, although I am still investigating this.)
>
> The contents of the "Details" dialog are as follows:
>
> "You should be careful about granting an object permission to take
> Linden dollars (L$) from your account.
>
> Some objects, such as vendors, legitimately require this permission in
> order to function properly, but unless you trust both the object and
> its creator, you should generally deny it permission to debit money
> from you.
>
> Once you have granted this permission to an object, it will be allowed
> to automatically debit money from your account without additional
> prompting. The only way to revoke this permission is to delete the
> object or to reset the scripts in the object."
>
> Again, thank you all very much for all your comments so far. Please
> let me know if you have any more questions or concerns.
>
> Cheers,
> --Able
>
>
> On 5/25/07, Able Whitman <able.whitman at gmail.com> wrote:
>
>     My apologies, I had intended the patch file to be an attachment,
>     but apparently it didn't come out that way. This was the original
>     body of my patch email:
>
>
>     Howdy,
>
>     I've just recently started learning about the SL client source. As
>     a sort of introductory project to help me learn my way around, I
>     thought I would pick a small feature request from JIRA and set
>     about implementing it.
>
>     The feature request I chose deals with the fact that it's
>     relatively easy for someone who isn't attentive to permissions
>     prompts to unintentionally grant debit permissions to an object.
>
>     I've produced a patch based on the 1.16.0.5
>     client source, which I've attached, along with a few screen caps
>     to illustrate the UI changes that the patch makes. I've included a
>     short spec for the feature below, since the JIRA bugs didn't have
>     much in the way of functional details.
>
>     This is my first such contribution to a project like this, so
>     please let me know if you have any questions or feedback (good or
>     bad).
>
>     Thanks,
>     --Able

-- 
Tateru Nino
http://dwellonit.blogspot.com/


