>>I worded that badly. I meant "allow a user to change the owner of
>>something to what it already is". ie. Just make the no-op allowed by
>>everyone. session_auth already does this.
>
>
> Ah. Okay, no objection to that. (In fact I believe we put in the
> special case for session_auth for exactly the same reason.)
Actually, do I make it that anyone can do a no-op user change, or can
only the user who is the existing owner do the no-op? It's a very tiny
different and probably won't make much difference but perhaps it's
better to make it a bit tighter check? What do you think?
Chris