[DGD] reassigning objects of an ex admin

[Shentino]

Already got that part.

I use capital names as somewhat trusted as subsystems.  They also have
some confinement restrictions in the sense that they cannot take
advantage of anyone's access other than their own without the user
him/herself having a hand in it.

Heck, for Game to permit Common to write log files to ~Game/data/log,
Game has to grant Common write access to ~Game/data/log, and Common
uses a proxy object ~System/lwo/proxy, granted to it by
~System/sys/proxyd, in order to take advantage of the cross-domain
access.  And only ~Game can grant ~Common the access.

Game and Common both often use proxies for users, which can only be
granted if this_user() currently refers to that user.  Examples are
saves of parts of the object tree to a file.  I eventually plan to
revoke such proxies when the user logs out.

As far as keeping my object tree (aka game world) intact, I forbid the
insertion of any object into an environment whose owner is not the
same as its object.  By the rising domino rule, all trees are
homogeneously owned, and rogue admins cannot tamper with the game
world in this manner.

I plan to have mixdown properties (sorta like archetypes, only using
containment instead of archetyping to inherit through) specifying
access controls.