When a developer gives us their paypal id, we already check that the paypal id is ok. https://github.com/jbalogh/zamboni/blob/master/apps/paypal/__init__.py#L89 This is fine for contributions. For the marketplace we'll need to add a check for "third-party access": "A receiver can grant you third-party access to make a refund by logging in to PayPal, choosing API Access on the Profile page, then clicking the link to Grant API permission and selecting Refund after clicking Configure a custom API authorization." According to the paypal Adaptive Payments docs.
I'm not sure what API this is, but it has definitely come up plenty. It would be nice to reveal this on the user detail page with a "verify" button that an admin could press to hit the API and double check. There will be more UI around all this though, so if you just want to write a function to verify this off the user model that's fine for now too.
PayPal's permissions API provides a way to determine whether they've done this, and provide them with a prompt to grant this access. (fligtar says paypal claims that if this access is revoked the full refund amount will be withdrawn from the developer account - we should test this)
sounds like this is almost done, -> 6.2.2
API bits merged here: https://github.com/washort/zamboni/commit/bf8c5e63e9da9065f09bdd357e89221e3fbeafb8 UI bits here: https://github.com/washort/zamboni/commit/1ee278fa33dc8bb261adae84ba068ab6615ff41f It probably makes more sense to put this on a later page, since the paypal id is needed to make the query.