(multisig) potential inconsistency between the role and the account metadata

[s8sato]

Suppose that there are:

• multisig account msa01 whose signatories are sig0 and sig1
• accounts sig0 and sig1, each has the multisig role for msa01

They can be inconsistent e.g. multisig account can include/exclude some signatories by democracy without granting/revoking their roles. To prevent this, we should rely on either of them to know the relationship between a multisig account and its signatories:

1. multisig account metadata
2. multisig roles

One approach needs an complemental implementation to the other:

1. e.g. participates_in key-value as a multisig account metadata, to know the multisig account from the signatory
2. new query e.g. FindAccountsByRole, to know the signatories from the multisig account

Concerns of each approach:

1. self-modification:
   • by self-modifying signatories, an account can pretend to be a multisig account and have any signatories
     • problematic unless multisig accounts are supposed to be able to reorganize its signatories
     • needs a way other than checking the signatories existence to discern a personal and a multisig account
       • Deny external access to non-personal accounts #5022
   • by self-modifying participates_in, an account can pretend to be a signatory of any multisig account
     • not so much harm unless the multisig account recognizes the account as a signatory
2. the domain owner can break everything as usual, other than that I see no specific problems atm

So my current outlook is 2. -- remove signatories metadata and introduce FindAccountsByRole or something

[s8sato]

Updated concerns of each approach:

1. membership by account metadata
   • as long as taking either account's perspective, there would be two-way references, which would lead to inconsistency, unless controlled by some super authority over both accounts
2. membership by roles
   • needs to retrieve each signatory's weight from somewhere non-writable by either account