Security Policy should not be a Feature

Currently, there is a "security-policy" feature that is rather undefined in the core-gadget spec... several problems exist:

1. It's not clear what the real difference is between <Optional feature="security-policy" /> and <Require feature="security-policy" />,

2. It's not clear whether it's possible to have optional permissions vs. required permissions (e.g. these are the things I have to have in order to function, these are the things that would be nice), and 

3. There's no api to determine if any given permission has been granted or not (at least none that I can see).

Ideally, Permissions would be a top level concept like Features... so instead of using a feature, these should be a variant of the Require and Optional elements... e.g.

<Module>
  <ModulePrefs>
    <Require feature="foo" />
    <Optional feature="bar"/>
    <Require permission="some.permission" />
    <Optional permission="some.other.permission" />
  </ModulePrefs>
</Module>

Then, we should have a gadgets.util.hasPermission(...) method alongside the gadgets.util.hasFeature API.

http://code.google.com/p/opensocial-resources/issues/detail?id=1299