Limited distribution

This is a cluster of features that lets people publish notices that are only readable by the subset of recipients they choose.

See: http://gitorious.org/~evan/statusnet/evans-mainline/commits/limitdist2 (now in the 1.0.x main branch).

Features we're trying to make work

 * Private groups: You can send a notice to a group, and only people in that group can read or respond.
 * Private feeds: Everything the user posts is only visible to his/her followers.
 * Public/private sites: Essentially, combining my evan.status.net account with my dogfood.status.net/evan account. One account for both public and private posting.

How it works

 * Every notice has a "scope" element. It's a bitmask of the notice's scope. Available bits are:
   * site: only people with accounts on this site can see the notice
   * addressee: only people addressed by the notice ("to") can see the notice
   * group: only people in one of the groups the notice was posted to can see the notice
   * follower: only people who follow the author of the notice can see the notice
 * We check for notice scope at run time -- the ScopingNoticeStream class does the heavy lifting. So, if you join a group, all of a sudden you can see all their private messages. However, older stuff doesn't get put into your inbox.
 * An addressing widget, ToSelector, adds addressability to the notice stream
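
The read-time check described above, as an added sketch (not StatusNet's own code): each set bit is treated as a restriction the viewer must satisfy, and a stream wrapper filters at display time, the role the page gives ScopingNoticeStream. The bit values, the `Profile` and `Notice` shapes, the function names, the all-bits-must-pass combination and the rule that authors always see their own notices are assumptions of this example.

```python
from dataclasses import dataclass, field
# Bit values are assumed for this sketch; the page names the bits, not their numbers.
SITE, ADDRESSEE, GROUP, FOLLOWER = 1, 2, 4, 8
@dataclass
class Profile:
    id: int
    local: bool = True                            # has an account on this site
    groups: set = field(default_factory=set)      # group ids the profile has joined
    following: set = field(default_factory=set)   # profile ids it follows

@dataclass
class Notice:
    author: int
    text: str
    scope: int = 0                                # 0 = public
    to: set = field(default_factory=set)          # addressed profile ids
    groups: set = field(default_factory=set)      # groups the notice was posted to

def in_scope(notice, viewer):
    """Return True if viewer (None for an anonymous visitor) may read notice."""
    if notice.scope == 0:
        return True
    if viewer is None:
        return False              # every scope bit needs an identified viewer
    if viewer.id == notice.author:
        return True               # assumption: authors always see their own notices
    if notice.scope & SITE and not viewer.local:
        return False
    if notice.scope & ADDRESSEE and viewer.id not in notice.to:
        return False
    if notice.scope & GROUP and not (viewer.groups & notice.groups):
        return False
    if notice.scope & FOLLOWER and notice.author not in viewer.following:
        return False
    return True

def scoped_stream(notices, viewer):
    """Filter when the stream is read, so membership changes apply immediately."""
    return [n for n in notices if in_scope(n, viewer)]

def demo():
    stream = [Notice(1, "public"), Notice(1, "group only", GROUP, groups={10}),
              Notice(1, "group+follower", GROUP | FOLLOWER, groups={10}),
              Notice(1, "direct", ADDRESSEE, to={2})]    # constructed sample data
    bob = Profile(2)
    before = [n.text for n in scoped_stream(stream, bob)]
    bob.groups.add(10)            # joining exposes the older group notice at once
    after = [n.text for n in scoped_stream(stream, bob)]
    return before, after, [n.text for n in scoped_stream(stream, None)]
```

Any view that renders a notice without passing through `in_scope` bypasses the restriction, which is why the TODO list below enumerates every display and export path.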

TODO

 * Check for leaks! This design requires that code proactively check the scope of a notice before showing it
   * single-notice view
   * single-thing view for other things
     * Event
     * Poll
     * Bookmark
   * microsummary (!) seems OK
   * last-update in API listings
 * Make these streams use ScopingNoticeStream:
   * public stream
   * group stream
   * inbox stream
 * Add addressing widget and consequent scoping code to:
   * Event
   * Poll
   * Bookmark
 * Block all scoped notices (in the future, only site-scoped notices) from leaving the site via:
   * Twitter
   * Facebook
   * OStatus
   * Public XMPP
 * Add private distribution to Salmon and PuSH
 * API to insert scoped notices
 * Disallow replies to a notice if the author is out of scope
 * Set reply private if notice is private
 * Flag to make all notices to a group private
 * Flag to make all notices from a user private to followers only
 * Disallow repeats of limited-distribution notices
 * Check privacy of attachments

Open questions

 * With "private groups", is it worthwhile having a UI that lets you restrict joining a group and not requiring every notice to be private? Or that lets you require every notice to be private, but not restrict joining? Or should we just couple the two features and call it "private groups"?
 * With "private feeds", is it worthwhile having posts only visible to followers without restricting who can follow? Or should we just couple the two features and call it "private feed"?