1 files changed, 56 insertions, 62 deletions

diff --git a/docs/design-api b/docs/design-api
index e51c677..3324620 100644
--- a/docs/design-api
+++ b/docs/design-api
@@ -12,93 +12,87 @@ Introduction
     See the documentation for Wallet::Object::Base and Wallet::ACL::Base,
     which contain additional information about creating new object and
     ACL verifier implementations and the documentation for all generic
-    methods.
+    methods.  Wallet::Object::Base also provides some utility methods that
+    are useful for subclasses.
 
 Object API
 
-  new(NAME, TYPE, DBH)
-
-    Creates a new object with the given object name and type based on data
-    already in the database.  Takes a database handle, which should be
-    stored with the object and used for any further operations.  This
-    method should inherit from the generic Wallet::Object::Base object,
-    which implements the following methods:
-
-        new(NAME, DBH)
-        create(NAME, DBH)
-        owner([ACL-ID, PRINCIPAL, HOSTNAME [, DATETIME]])
-        acl(TYPE [, ACL-ID, PRINCIPAL, HOSTNAME [, DATETIME]])
-        expires([DATETIME, PRINCIPAL, HOSTNAME [, DATETIME]])
-        store(DATA, PRINCIPAL, HOSTNAME [, DATETIME])
-        show()
-        destroy(PRINCIPAL, HOSTNAME [, DATETIME])
-        error()
-
-    that manipulate the basic object data.  Generally all this function
-    needs to do is call the parent new() constructor.  If the object
-    couldn't be found, throws an exception.  (Just returning undef would
-    provide no way of communicating the error message.)
+    All object implementations should inherit from Wallet::Object::Base
+    and most of the methods of that module can be used without change.
+    Below are summaries of the methods that a typical object
+    implementation will need to override.  Methods other than create()
+    should set the error with error() and return undef on failure.
 
   create(NAME, TYPE, DBH, PRINCIPAL, HOSTNAME [, DATETIME])
 
-    Like new(), but instead creates a new entry in the database with the
-    given name.  As with new(), the generic function will normally do all
-    of the work.  Takes some additional information to put into the
-    created fields in the database.  If the object already exists or
-    creating it fails, throws an exception.  (Just returning undef would
-    provide no way of communicating the error message.)
+    Creates a new object of a particular type.  The parent method will
+    take care of all of the database manipulation.  A new object
+    implementation should override this method if it needs to create
+    something in an external system when an object is created.  For
+    example, the keytab backend overrides create() to create the principal
+    in the Kerberos KDC and then calls the parent method to do the
+    database setup.
+
+    This method should throw an exception on error.
 
   destroy(PRINCIPAL, HOSTNAME [, DATETIME])
 
-    Destroys the given object.  This should include destroying any
-    representation of the object in other systems as well (such as
-    deleting Kerberos principals out of a KDC).  Takes the information
-    about who is doing the deletion to store log entries.  The result is
-    true on success and false on failure.  On error, the caller should
-    call error() to get the error text.
+    Destroys the given object.  Backend implementations should override
+    this method if they need to destroy the object in an external system.
+    For example, the keytab backend overrides this method to destroy the
+    principal in the Kerberos KDC.  Be careful not to require that the
+    object exist in a remote system for destroy() to work, since an
+    administrator will want to destroy an orphaned wallet database entry
+    after something happened to the remote system entry.
 
   get(PRINCIPAL, HOSTNAME [, DATETIME])
 
-    Applied to a returned object, retrieves the data contained in the
-    object in question.  Takes the information about who is doing the
-    retrieval so that the database metadata can be updated.  The result is
-    either the relevant data or undef in the event of an error.  On error,
-    the caller should call error() to get the error text.
+    This is the one method that all object implementations must override.
+    Wallet::Object::Base just throws an exception if its get() method is
+    called.  Retrieves the object data from wherever that backend stores
+    it, or generates new object data, and should return it as a string.
+    Don't forget to call log_action() after successfully retrieving the
+    data to update the history and trace information.
 
   store(DATA, PRINCIPAL, HOSTNAME [, DATETIME])
 
     Store user-supplied data into the given object.  This may not be
     supported by all backends (for instance, backends that automatically
-    generate the data will not support this).  Takes the information about
-    who is doing the store so that the database metadata can be updated.
-    The result is true on success and false on failure.  On error, the
-    caller should call error() to get the error text.
-
-  show()
+    generate the data will not support this).  Backends that don't support
+    storing data can just not implement this method and the default
+    store() method will return an appropriate error.
 
-    Returns a formatted text description of the object suitable for human
-    display, or undef on error.  On error, the caller should call error()
-    to get the error text.
+    If this method is implemented, don't forget to call log_action() after
+    successfully storing the data to update the history and trace
+    information.
 
-  error()
+  show()
 
-    Returns the error text from the last failed call.
+    Normally, new backends don't need to override this method, since it
+    displays all the metadata in the database.  It's only necessary to
+    override it if the backend stores additional metadata separately.
+    When overriding, call the parent method first and then edit the
+    resulting string to add additional information as needed.
 
 ACL Verifier API
 
+    New ACL verifiers should inherit from Wallet::ACL::Base.  There are
+    only two methods that a new ACL verifier needs to override, and new()
+    is only needed if the ACL verifier has some setup that needs to be
+    done before starting to check ACLs.
+
   new()
 
-    Creates a persistant ACL verifier for the given ACL type.  This may do
-    nothing, but some ACL verifiers require some persistant data, like a
-    persistant LDAP connection.
+    Creates a persistant ACL verifier for the given ACL type.  The default
+    does nothing except create a blessed object.  Override if the verifier
+    needs persistant data, like a persistant LDAP connection.  On failure,
+    throw an exception.
 
   check(PRINCIPAL, ACL)
 
-    Checks whether the given PRINCIPAL should be allowed access given ACL.
-    Returns 1 if access is granted, 0 if access is declined, and undef on
-    error.  On error, the caller should call error() to get the error text
-    but generally should continue with checking other ACLs.
-
-  error()
-
-    Returns the error text of the last error.
+    This method must be overridden by any new ACL verifier implemenetation
+    since the default declines all access.  Checks whether the given
+    PRINCIPAL should be allowed access given ACL.  Returns 1 if access is
+    granted, 0 if access is declined, and undef on error.  On error, the
+    method should pass the error to error() to store it in the object for
+    retrieval by the caller.