One of the programming projects I both love and dread is refactoring. I dread it because some of the code I have to refactor is amazingly old, dense, uncommented, undocumented and really hairy. But it's also the most satisfying feeling in the world to take code like that and turn it into something much better.

For the past few weeks, most of my work life has consisted of refactoring in some way, shape, or form. I have one major refactoring project that I am working on, as well as some smaller "clean up" jobs. As I get burnt out with the one task, I can easily switch to the other and feel like I'm making major head way. It's a very nice symbiosis, if you ask me.

Previously, I brought up a hypothetical API discussion to see what different people thought about the idea. The basic premise of the discussion was: what do you do when you've published an API to interact with something, and then the rules for that interaction change?

Now I want to make that hypothetical discussion more concrete with a real world issue that's interesting to me. But, I want to preface this with: this post has no bearing on reality. Anything we discuss here is purely academic. I'm in no way saying that REAL Software is going to do something, change anything, drink anything, purchase anything, deploy anything or take over a third world country. Basically: I don't want to hear any "Aaron said" crap at my day job. Got it? ;-)

So here's an interesting question that I'd like to pose to my silent readership: how would *you* solve this particular issue, and why would you solve it in that particular way.

Let's say you have a published API called Foobar, and Foobar's job is to tell you whether the user can access a particular resource. This API was sensible when you first published it, but over the years, the operating system has changed the game a bit. Now the OS has decided that the user can have "pretend access" to a particular resource in some circumstances, but they don't have true access to it. Instead, they have access to a resource that mimics the original, but is really just a proxy. What should the behavior of your API be? Should it report back whether the caller has access to the *actual* resource, or whether it has access to the *proxy* resource when dealing with this special case?