I used to frequently use the Sell a Script section in the Marketplace forums but unfortunately the new setup now requires me to link my PayPal account to post in that section. I could understand the need to link my PayPal account if it was just to verify I am who I say I am and not just a scammer but the permissions granted when linking my PayPal account are ridiculous. Once linking a PayPal account DigitalPoint basically has the keys to your account and can do any of the following. Use Express Checkout to process payments Issue a refund for a specific transaction Authorize and capture your PayPal transactions Obtain your PayPal account balance Obtain information about a single transaction Search your transactions for items that match specific criteria and display the results Access your PayPal contact information I notice other sections in Marketplace don't need these permission, why the Scripts section? There is no way I am going to give this kind of access to my PayPal account to ANY website.
It has nothing to do with the Scripts section. If you don't want to do it and aren't comfortable with it, don't... simple. Basically that's the permissions needed to do the things we need to do for you (set up transactions, let you view transaction detail, allow you to issue a refund, etc.)
I understand that, and there are certain permissions I can understand granting access to (i.e information about a specific transactions performed on DigitalPoint, access to contact details etc). However I don't see the need for the following permissions which give away far too much access to my account. Authorize and capture your PayPal transactions Obtain your PayPal account balance Search your transactions for items that match specific criteria and display the results Allowing access to transaction items performed on DigitalPoint I can understand and endorse in order to create a more secure environment and enable better features within the site, but giving unrestricted access to ALL of my PayPal transaction information and balance information goes beyond what I see being needed by they site. I'm not saying DigitalPoint would do anything they shouldn't be with this information, however sites get hacked all the time and if DigitalPoint gets hacked then all of my PayPal account will be exposed as well to the hacker.
Authorize and capture isn't "capturing" as in the definition of us getting it. Auth/Capture allows us to set up a transaction with a buyer for the seller where the buyer pre-authorizes a certain amount. The capture part is just completing the preauth. https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/howto_admin_authcapture In the context of this site, it's used for link sale auctions in Digital Point Ads where people buy a static link for a month, but it's a bidding system... so people pre-auth a certain amount, place their bid, and then only the winning high bidder ends up paying. The PayPal balance is for showing to you in the upper right (it serves no purpose other than just being a convenient way to see what your balance is without needing to log into PayPal). When it comes down to it, we never see it, we don't log it or query for it beyond once an hour when you are logged into the site (it refreshes hourly). And at the end of the day, we couldn't give a rat's ass what anyone's balance is in their PayPal account. Not like we are going to find people with high balances and show up at their house somehow and rob them. lol The transaction search function isn't something we've implemented yet, but at some point we'd like to be able to give users an interface where they can search for specific PayPal transactions (in case they need to do a refund or something). Destroying pre-existing authorization and forcing everyone to later relink their PayPal account when the function is there isn't worth the effort. That's why it was there proactively. Either way, we can't take any money from your account with the permissions, nor can we find any transactions unless we already know something about them (like transaction ID). So yes... if your account was compromised somehow, the hacker *could* see your PayPal balance, but that's about it (they couldn't even see your PayPal email address). All the more reason to enable two-factor authentication to your account: https://forums.digitalpoint.com/account/security