What could be more straightforward and easy to understand than an a-la-carte permissions model?
Everybody wants this. Every Twitter-enabled app developer and every user has wanted this for a long time now. Twitter has a dream team of hotshot software engineers and all they've come up with on this issue is excuses that it just doesn't work that way.
Make every bullet point on the user's auth screen correspond to a checkbox on the developer's control panel. I need this, this, and this, not that, not that, this, this, but not that.
The auth level is then a byte: 11100110
The existing permission sets can be put into the new system (for example):
11100000 11111100 11111111
If it's possible to check which of the 3 permission levels the app has and whether they allow the action requested, you can just as well do a bitwise comparison between the permission:
and the unique code for the action:
00000100 (= true, you can do that)
00010000 (= false, you can't do that)
How is that a difficult thing to program?
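The bitwise check described in the post above, as an added example that is not the poster's code or Twitter's. The scope names and the `tier_*` labels are hypothetical (the post gives only bit patterns), and the example goes one step further than the post by handling actions that need more than one bit.

```python
from enum import IntFlag

class Scope(IntFlag):
    # Hypothetical names: one bit per bullet point on the auth screen.
    READ_TIMELINE  = 0b10000000
    READ_PROFILE   = 0b01000000
    READ_FOLLOWS   = 0b00100000
    POST_TWEET     = 0b00010000
    EDIT_PROFILE   = 0b00001000
    MANAGE_FOLLOWS = 0b00000100
    READ_DM        = 0b00000010
    SEND_DM        = 0b00000001

ALL_BITS = 0b11111111

# The three existing permission sets from the post, under assumed labels.
LEGACY_TIERS = {
    "tier_1": 0b11100000,
    "tier_2": 0b11111100,
    "tier_3": 0b11111111,
}

def parse_mask(text: str) -> int:
    """Parse an 8-character binary string strictly; reject anything else."""
    if len(text) != 8 or set(text) - {"0", "1"}:
        raise ValueError(f"not an 8-bit mask: {text!r}")
    return int(text, 2)

def is_allowed(granted: int, required: int) -> bool:
    """True only if every bit the action requires is present in the grant."""
    if required == 0 or required & ~ALL_BITS:
        # Fail closed: an action with no bits, or unknown bits, is a config bug.
        raise ValueError("action mask must use 1..8 defined bits")
    # Compare against `required`, not against zero: a nonzero AND would
    # approve a two-bit action when only one of its bits was granted.
    return (granted & required) == required

def missing_scopes(granted: int, required: int) -> list:
    """Names of the required scopes the grant lacks (for denial messages/logs)."""
    lacking = required & ~granted & ALL_BITS
    return [s.name for s in Scope if s & lacking]

if __name__ == "__main__":
    app = parse_mask("11100110")                      # auth level from the post
    print(is_allowed(app, parse_mask("00000100")))    # action the post marks true
    print(is_allowed(app, parse_mask("00010000")))    # action the post marks false
    print(missing_scopes(app, parse_mask("00010100")))
```
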