[sldev] Patch to Address Debit Permission Spoofing

Chance Unknown chance at kalacia.com
Tue May 29 07:55:12 PDT 2007


** WARNING WILL ROBINSON: A PRIM IS GOING TO ROB YOU BLIND FROM NOW ON. DO
YOU AUTHORIZE THIS?? ***

On 5/28/07, Able Whitman <able.whitman at gmail.com> wrote:
>
> Howdy,
>
> Thanks to everyone who provided feedback on my patch. The general
> consensus seems to be that raising the visibility of debit permissions prompts
> is a good thing, as long as it doesn't become too intrusive.
>
> I've attached the second version of my patch, along with the second drafts
> of both the feature spec and test plan. If this patch looks to be pretty
> good, I will attach it to VWR-650 and edit the bug appropriately to include
> this information.
>
> A summary of the changes to the patch:
> * Color is no longer the only differentiating factor between prompts for
> normal permissions and for the debit permission:
>     * Prompts for the debit permission are much taller than regular
> permission prompts, helping to mitigate the "click-click-click-oops"
> problem.
>     * The new caution permission prompts also include a white title at the
> top, to further differentiate them visually from normal permission prompts.
>     * The caution prompts also have a "Details..." button that displays a
> modal dialog with additional information about the debit permission.
> * Instead of just disabling the new style of permission prompts, the
> "PermissionsCautionEnabled" setting completely disables the changes made by
> this patch, but this setting does not persist, and will revert to True at
> the start of each session.
> * The chat message that is logged at the granting or denial of the debit
> permission now includes the region and location of the object.
>
> I've only attached screenshots of the actual caution permission prompts.
> The format of the chat message looks like this:
>
> "'ObjectName', an object owned by 'OwnerName', located in RegionName at
> LocationX, LocationY, LocationZ has been Granted|Denied permission to: Take
> Linden dollars (L$) from your account."
>
> (Unfortunately it doesn't appear to be possible for the client to easily
> determine the creator of the object that is requesting permissions, although
> I am still investigating this.)
>
> The contents of the "Details" dialog are as follows:
>
> "You should be careful about granting an object permission to take Linden
> dollars (L$) from your account.
>
> Some objects, such as vendors, legitimately require this permission in
> order to function properly, but unless you trust both the object and its
> creator, you should generally deny it permission to debit money from you.
>
> Once you have granted this permission to an object, it will be allowed to
> automatically debit money from your account without additional prompting.
> The only way to revoke this permission is to delete the object or to reset
> the scripts in the object."
>
> Again, thank you all very much for all your comments so far. Please let me
> know if you have any more questions or concerns.
>
> Cheers,
> --Able
>
>
> On 5/25/07, Able Whitman <able.whitman at gmail.com> wrote:
> >
> > My apologies, I had intended the patch file to be an attachment, but
> > apparently it didn't come out that way. This was the original body of my
> > patch email:
> >
> >
> > Howdy,
> >
> > I've just recently started learning about the SL client source. As a
> > sort of introductory project to help me learn my way around, I thought I
> > would pick a small feature request from JIRA and set about implementing it.
> >
> >
> > The feature request I chose deals with the fact that it's relatively
> > easy for someone who isn't attentive to permissions prompts to
> > unintentionally grant debit permissions to an object.
> >
> > I've produced a patch based on the 1.16.0.5 client source, which I've
> > attached, along with a few screen caps to illustrate the UI changes that the
> > patch makes. I've included a short spec for the feature below, since the
> > JIRA bugs didn't have much in the way of functional details.
> >
> > This is my first such contribution to a project like this, so please let
> > me know if you have any questions or feedback (good or bad).
> >
> > Thanks,
> > --Able
> >
>
>