Improve channel, user and api_key models with basic scopes, correct references and protect attributes.

Simplify channels & user controllers and models, moving code to the models.
Remove catch-all route and ensure all actions are specified, fixing url paths.
Change clone to dup in feed_controller as using clone seems to affect the cloned object (problem only in ruby 1.9.3?)

app/controllers/api_keys_controller.rb

@@ -1,23 +1,22 @@
 class ApiKeysController < ApplicationController
+  include KeyUtilities
+
 	before_filter :require_user, :set_channels_menu
 
 	def index
-		get_channel_data
+		@channel = current_user.channels.find(params[:channel_id])
-		@read_keys = ApiKey.find(:all, :conditions => { :channel_id => @channel.id, :user_id => current_user.id, :write_flag => 0 })
+		@write_key = @channel.api_keys.write_keys.first
+		@read_keys = @channel.api_keys.read_keys
 	end
 
 	def destroy
-		@api_key = ApiKey.find_by_api_key(params[:api_key])
+		current_user.api_keys.find_by_api_key(params[:id]).try(:destroy)
-		@api_key.delete if @api_key.user_id == current_user.id
 		redirect_to :back
 	end
 
 	def create
-		@channel = Channel.find(params[:channel_id])
+		@channel = current_user.channels.find(params[:channel_id])
-		# make sure channel belongs to current user
+		@api_key = @channel.api_keys.write_keys.first
-		check_permissions(@channel)
-
-		@api_key = ApiKey.find(:first, :conditions => { :channel_id => @channel.id, :user_id => current_user.id, :write_flag => 1 } )
 
 		# if no api key found or read api key
 		if (@api_key.nil? or params[:write] == '0')
@@ -32,14 +31,12 @@ class ApiKeysController < ApplicationController
 		@api_key.save
 
 		# redirect
-		redirect_to channel_api_keys_path(@channel.id) and return
+		redirect_to channel_api_keys_path(@channel)
 	end
 
 	def update
-		@api_key = ApiKey.find_by_api_key(params[:api_key][:api_key])
+		@api_key = current_user.api_keys.find_by_api_key(params[:id])
-
+		@api_key.update_attributes(params[:api_key])
-		@api_key.note = params[:api_key][:note]
+		redirect_to :back
-		@api_key.save if current_user.id == @api_key.user_id
-		redirect_to channel_api_keys_path(@api_key.channel)
 	end
 end

app/controllers/application_controller.rb

@@ -85,24 +85,19 @@ class ApplicationController < ActionController::Base
 
 		# get specified header value
 		def get_header_value(name)
-				value = nil
+			value = nil
-				for header in request.env
+			for header in request.env
-					value = header[1] if (header[0].upcase.index(name.upcase))
+				value = header[1] if (header[0].upcase.index(name.upcase))
-				end
+			end
-				return value
+			return value
-		end
+  	end
 
-		# gets the same data for showing or editing
+    # gets the same data for showing or editing
-		def get_channel_data
+    def get_channel_data
-			@channel = Channel.find(params[:channel_id]) if params[:channel_id]
+      @channel = current_user.channels.find(params[:channel_id]) if params[:channel_id]
-			@channel = Channel.find(params[:id]) if @channel.nil? and params[:id]
+      @channel = current_user.channels.find(params[:id]) if @channel.nil? and params[:id]
-			@key = ''
+      @key = @channel.api_keys.write_keys.first.try(:api_key) || ""
-			# make sure channel belongs to current user
+    end
-			check_permissions(@channel)
-	
-			@api_key = ApiKey.find(:first, :conditions => { :channel_id => @channel.id, :user_id => current_user.id, :write_flag => 1 } )
-			@key = @api_key.api_key if @api_key
-		end
 
 		def check_permissions(channel)
 			render :text => t(:channel_permission) and return if (current_user.nil? || (channel.user_id != current_user.id))
@@ -131,18 +126,6 @@ class ApplicationController < ActionController::Base
 			return feed_unauthorized.to_xml(:only => :entry_id)
 		end
 
-		# generates a database unique api key
-		def generate_api_key(size = 16)
-			alphanumerics = ('0'..'9').to_a + ('A'..'Z').to_a
-			k = (0..size).map {alphanumerics[Kernel.rand(36)]}.join
-	
-			# if key exists in database, regenerate key
-			k = generate_api_key if ApiKey.find_by_api_key(k)
-	
-			# output the key
-			return k
-		end
-
 		# options: days = how many days ago, start = start date, end = end date, offset = timezone offset
 		def get_date_range(params)
 			# set timezone correctly

app/controllers/channels_controller.rb

@@ -21,72 +21,33 @@ class ChannelsController < ApplicationController
 	end
 
 	def update
-		@channel = Channel.find(params[:id])
+		@channel = current_user.channels.find(params[:id])
-		# make sure channel belongs to current user
-		check_permissions(@channel)
-		# protect against bots
-		render :text => '' and return if params[:userlogin].length > 0
-
 		@channel.update_attributes(params[:channel])
-		@channel.name = "#{t(:channel_default_name)} #{@channel.id}" if params[:channel][:name].empty?
-		@channel.save
 
-		redirect_to channel_path(@channel.id) and return
+		redirect_to channel_path(@channel.id)
 	end
 
-	def create
+  def create
-		# protect against bots
+    channel = current_user.channels.create(:field1 => "#{t(:channel_default_field)} 1")
-		render :text => '' and return if params[:userlogin].length > 0
+    channel.add_write_api_key
    
-		# get default name for field
+    # redirect to edit the newly created channel 
-		@d = t(:channel_default_field)
+    redirect_to edit_channel_path(channel)
+  end
 
-		# add channel with defaults
+  # clear all data from a channel
-		@channel = Channel.new(:field1 => "#{@d}1")
+  def clear
-		@channel.user_id = current_user.id
+    channel = current_user.channels.find(params[:id])
-		@channel.save
+    channel.feeds.delete_all
+    channel.update_attribute(:last_entry_id, nil)
 
-		# now that the channel is saved, we can create the default name
+    redirect_to channels_path
-		@channel.name = "#{t(:channel_default_name)} #{@channel.id}"
-		@channel.save
-
-		# create an api key for this channel
-		@api_key = ApiKey.new
-		@api_key.channel_id = @channel.id
-		@api_key.user_id = current_user.id
-		@api_key.write_flag = 1
-		@api_key.api_key = generate_api_key
-		@api_key.save
-
-		# redirect to edit the newly created channel
-		redirect_to edit_channel_path(@channel.id)
-	end
-
-	# clear all data from a channel
-	def clear
-		channel = Channel.find(params[:id])
-		# make sure channel belongs to current user
-		check_permissions(channel)
-		
-		# do the delete
-		channel.feeds.each do |f|
-			f.delete
-		end
-
-		# set the channel's last_entry_id to nil
-		channel.last_entry_id = nil
-		channel.save
-
-		redirect_to channels_path
 	end
 
 	def destroy
-		@channel = Channel.find(params[:id])
+		channel = current_user.channels.find(params[:id])
-		# make sure channel belongs to current user
+		channel.destroy
-		check_permissions(@channel)
 
-		# do the delete
-		@channel.delete
 		redirect_to channels_path
 	end
 
@@ -255,6 +216,9 @@ class ChannelsController < ApplicationController
 		redirect_to channel_path(channel.id)
 	end
 
+
+private
+
 	# determine if the date can be parsed
 	def date_parsable?(date)
 		return !is_a_number?(date)

app/controllers/feed_controller.rb

@@ -556,7 +556,7 @@ class FeedController < ApplicationController
 
 		# creates an empty clone of an object
 		def create_empty_clone(object)
-			empty_clone = object.clone
+			empty_clone = object.dup
 			empty_clone.attribute_names.each { |attr| empty_clone[attr] = nil }
 			return empty_clone
 		end

app/controllers/mailer_controller.rb

@@ -1,23 +1,20 @@
 class MailerController < ApplicationController
 
 	def resetpassword
-		# protect against bots
-		render :text => '' and return if params[:userlogin].length > 0
-
 		@user = User.find_by_login_or_email(params[:user][:login])
+
 		if @user.nil?
-			sleep 2
 			session[:mail_message] = t(:account_not_found)
 		else
 			begin
 				@user.reset_perishable_token!
-				#Mailer.password_reset(@user, "https://www.thingspeak.com/users/reset_password/#{@user.id}?token=#{@user.perishable_token}").deliver
+				# Mailer.password_reset(@user, "https://www.thingspeak.com/users/#{@user.id}/reset_password?token=#{@user.perishable_token}").deliver
 				session[:mail_message] = t(:password_reset_mailed)
 			rescue
 				session[:mail_message] = t(:password_reset_error)
 			end
 		end
-		redirect_to :controller => 'user_session', :action => 'new'
+		redirect_to login_path
 	end
 
 end

app/controllers/users_controller.rb

@@ -8,15 +8,12 @@ class UsersController < ApplicationController
   end
   
   def create
-		# protect against bots
-		render :text => '' and return if params[:userlogin].length > 0
-
 		@user = User.new(params[:user])
 
 		# save user
 		if @user.valid?
 			if @user.save
-				redirect_back_or_default account_path and return
+				redirect_back_or_default account_path
 			end	
 		else
 			render :action => :new
@@ -26,17 +23,16 @@ class UsersController < ApplicationController
   
   def show
 		@menu = 'account'
-    @user = @current_user
+    @user = current_user
   end
  
   def edit
 		@menu = 'account'
-    @user = @current_user
+    @user = current_user
   end
 
 	# displays forgot password page
 	def forgot_password
-		@user = User.new
 	end
 
 	# this action is called from an email link when a password reset is requested
@@ -44,7 +40,7 @@ class UsersController < ApplicationController
 		# if user has been logged in (due to previous form submission)
 		if !current_user.nil?
 			@user = current_user
-			@user.errors.add_to_base(t(:password_problem))
+			@user.errors.add(t(:password_problem))
 			@valid_link = true
 		else
 			@user = User.find_by_id(params[:id])
@@ -76,13 +72,13 @@ class UsersController < ApplicationController
 
   def update
 		@menu = 'account'
-    @user = @current_user # makes our views "cleaner" and more consistent
+    @user = current_user # makes our views "cleaner" and more consistent
 		# check current password and update
 		if @user.valid_password?(params[:password_current]) && @user.update_attributes(params[:user])
       redirect_to account_path
     else
-			@user.errors.add_to_base(t(:password_incorrect))
+      @user.errors.add :base, t(:password_incorrect)
-      render :action => :edit
+      render :edit      
     end
   end
 

app/models/api_key.rb

@@ -1,7 +1,22 @@
 class ApiKey < ActiveRecord::Base
-	belongs_to :channel
+  belongs_to :channel
+  belongs_to :user
 
-	validates_uniqueness_of :api_key
+  validates_uniqueness_of :api_key
+
+  scope :write_keys, :conditions => { :write_flag => true }
+  scope :read_keys, :conditions => { :write_flag => false }
+
+  attr_readonly :created_at
+  attr_accessible :note
+
+  def to_s
+    api_key
+  end
+
+  def to_param
+    api_key
+  end
 end
 
 

app/models/channel.rb

@@ -1,7 +1,40 @@
 class Channel < ActiveRecord::Base
-	belongs_to :user
+  include KeyUtilities
+  
+  belongs_to :user
 	has_many :feeds
 	has_many :api_keys
+
+  attr_readonly :created_at
+  attr_protected :user_id, :last_entry_id
+
+  after_create :set_initial_default_name
+  before_validation :set_default_name
+  
+  validates :name, :presence => true, :on => :update
+
+  def add_write_api_key
+    write_key = self.api_keys.new
+    write_key.user = self.user
+    write_key.write_flag = true
+    write_key.api_key = generate_api_key
+    write_key.save
+  end
+
+  def field_label(field_number)
+    self["field#{field_number}"]
+  end
+
+private
+
+  def set_default_name    
+    self.name = "#{I18n.t(:channel_default_name)} #{self.id}" if self.name.blank?
+  end
+
+  def set_initial_default_name
+    update_attribute(:name, "#{I18n.t(:channel_default_name)} #{self.id}")
+  end
+
 end
 
 

app/models/feed.rb

@@ -1,7 +1,10 @@
 class Feed < ActiveRecord::Base
 	belongs_to :channel
 
-	self.include_root_in_json = false
+  self.include_root_in_json = false
+  
+  attr_readonly :created_at
+  attr_protected :channel_id
 end
 
 

app/models/user.rb

@@ -1,11 +1,12 @@
 class User < ActiveRecord::Base
-	has_many :channels
+  has_many :channels
+  has_many :api_keys
 
-	acts_as_authentic
+  acts_as_authentic
 
-	def self.find_by_login_or_email(login)
+  def self.find_by_login_or_email(login)
-		User.find_by_login(login) || User.find_by_email(login)
+    User.find_by_login(login) || User.find_by_email(login)
-	end
+  end
 end
 
 

app/views/api_keys/index.html.erb

@@ -5,7 +5,7 @@
 </h2>
    
 <h3><%= t(:api_key_write) %></h3>
-<%= @key %>
+<%= @write_key %>
 
 <br /><br />
 
@@ -18,21 +18,21 @@
         <table>
             <tr>
                 <td><%= t(:api_key_key) %>:</td>
-                <td><%= read_key.api_key %></td>
+                <td><%= read_key %></td>
             </tr>
             <tr>
                 <td class="VAT"><%= t(:note) %>:</td>
                 <td>
-                    <%= form_for read_key, :as => :api_key, :url => { :controller => 'api_keys', :action => 'update' }, :html => {:method => 'put'} do |f| %>
+                    <%= form_for read_key, :as => :api_key, :url => channel_api_key_path(@channel, read_key), :html => {:method => 'put'} do |f| %>
                     <%= f.text_area :note, :cols => 30, :rows => 4 %>
                 </td>
             </tr>
             <tr>
-                <td><%= f.hidden_field :api_key, :value => read_key.api_key %></td>
+                <td></td>
                 <td>
                     <div class="FL"><%= f.submit t(:note_save) %></div>
                     <% end %>
-                    <%= button_to t(:api_key_delete), { :controller => 'api_keys', :action => 'destroy', :api_key => read_key.api_key}, :confirm => t(:confirm_read_key_delete) %></td>
+                    <%= button_to t(:api_key_delete), channel_api_key_path(@channel, read_key) , :method => 'delete', :confirm => t(:confirm_read_key_delete) %></td>
             </tr>
         </table>
         <br /><br />

app/views/channels/edit.html.erb

@@ -78,12 +78,12 @@
 <br /><br />
 
 <h2><%= t(:channel_clear_message) %></h2>
-<%= button_to t(:channel_clear), { :controller => 'channels', :action => 'clear', :id => @channel.id }, :confirm => t(:confirm_channel_clear) %>
+<%= button_to t(:channel_clear), clear_channel_path(@channel), :confirm => t(:confirm_channel_clear) %>
 
 <br /><br />
 
 <h2><%= t(:channel_delete_message) %></h2>
-<%= button_to t(:channel_delete), channel_path(@channel.id), :method => 'delete', :confirm => t(:confirm_channel_delete) %>
+<%= button_to t(:channel_delete), channel_path(@channel), :method => 'delete', :confirm => t(:confirm_channel_delete) %>
 
 <script type="text/javascript">
 	// remember default field label

app/views/channels/import.html.erb

@@ -6,7 +6,7 @@
 
 <%= t(:upload_select) %>
 <br /><br />
-<%= form_for :upload, :url => {:controller => 'channels', :action => 'upload', :channel_id => params[:channel_id]}, :html => { :multipart => true } do |f| %>
+<%= form_for :upload, :url => upload_channel_path(@channel), :html => { :multipart => true } do |f| %>
   <%= f.file_field :csv %>
   <br /><br />
   <%= t(:time_zone) %>

app/views/charts/index.html.erb

@@ -1,4 +1,5 @@
-<%= javascript_include_tag 'rest' %>
+<script type="text/javascript" src="/javascripts/rest.js"></script>
+  
 
 <h2>
 	<%= link_to t(:channels), channels_path %> &raquo;

app/views/layouts/_header.html.erb

@@ -1,6 +1,6 @@
 <div id="options">
 	<% if current_user %>		
-		<span class="action"> <%= link_to t(:signout), logout_path %></span>	
+		<span class="action"> <%= link_to t(:signout), logout_path, :method => 'delete' %></span>	
 	<% else %>
 		<span class="action">
 			<%= link_to t(:signup), new_user_path %>

app/views/users/_login.html.erb

@@ -1,4 +1,4 @@
-<%= form_for (@user_session = UserSession.new), :url => user_session_path, :html => { :id => 'loginform' } do |f| %>
+<%= form_for @user_session, :url => user_session_path, :html => { :id => 'loginform' } do |f| %>
 	<input name='userlogin' class='userlogin' />
 	<%= f.hidden_field :remember_me, :value => false %>
 	<table id="login" class="round">
@@ -21,7 +21,7 @@
 		</tr>
 		<tr>
 			<td></td>
-			<td><%= link_to t(:forgot), forgot_password_path, :id => 'forgot_password' %></td>
+			<td><%= link_to t(:forgot), forgot_password_users_path, :id => 'forgot_password' %></td>
 		</tr>
 		<tr>
 			<td></td>

app/views/users/forgot_password.html.erb

@@ -1,7 +1,7 @@
 <h2><%= t(:password_forgot) %></h2>
 <%= t(:password_forgot_message) %>
 <br /><br />
-<%= form_for @user, :url => { :controller => 'mailer', :action => 'resetpassword' } do |f| %>
+<%= form_for :user, :url => resetpassword_path do |f| %>
 	<input name='userlogin' class='userlogin' />
 	<%= f.text_field :login %>
 	<%= f.submit t(:submit) %>

app/views/users/reset_password.html.erb

@@ -1,6 +1,6 @@
 <% if @valid_link %>
 	<h2><%= t(:password_new) %></h2>
-	<%= form_for @user, :url => { :controller => 'users', :action => 'change_password', :id => @user.id } do |f| %>
+	<%= form_for @user, :url => change_password_user_path(@user) do |f| %>
 		<%= error_messages_for 'user', :header_message => t(:try_again), :message => t(:password_new_error) %>
 		<input name='userlogin' class='userlogin' />
 		<table class="bigtable">

config/initializers/wrap_parameters.rb

@@ -0,0 +1,12 @@
+# This file contains settings for ActionController::ParamsWrapper which
+# is enabled by default.
+
+# Enable parameter wrapping for JSON. You can disable this by setting :format to an empty array.
+ActiveSupport.on_load(:action_controller) do
+  wrap_parameters format: [:json]
+end
+
+# # Disable root element in JSON by default.
+# ActiveSupport.on_load(:active_record) do
+#   self.include_root_in_json = false
+# end

config/routes.rb

@@ -1,42 +1,52 @@
 Thingspeak::Application.routes.draw do
-	# main data posts using this route
+  # main data posts using this route
-	match 'update', :to => 'channels#post_data', :as => 'update', :via => ((GET_SUPPORT) ? ['get', 'post'] : 'post')
+  match 'update', :to => 'channels#post_data', :as => 'update', :via => ((GET_SUPPORT) ? ['get', 'post'] : 'post')
 
-	# handle subdomain routes
+  # handle subdomain routes
-	match '/', :to => 'subdomains#index', :constraints => { :subdomain => 'api' }
+  match '/', :to => 'subdomains#index', :constraints => { :subdomain => 'api' }
-	match 'crossdomain', :to => 'subdomains#crossdomain', :constraints => { :subdomain => 'api' }
+  match 'crossdomain', :to => 'subdomains#crossdomain', :constraints => { :subdomain => 'api' }
-	match 'crossdomain', :to => 'subdomains#crossdomain'
+  match 'crossdomain', :to => 'subdomains#crossdomain'
 
-	root :to => 'pages#home'
+  root :to => 'pages#home'
 
-	resource :user_session
+  resource :user_session
-	resource 'account', :to => 'users'
+  resource 'account', :to => 'users'
-	resources :users
+  resources :users do
+    member do      
+      get :reset_password
+      put :change_password
+    end
+    collection do
+      get :forgot_password
+    end
+  end
 
-	# specific feeds
+  # specific feeds
   match 'channels/:channel_id/feed(s)(.:format)' => 'feed#index'
-	match 'channels/:channel_id/field(s)/:field_id(.:format)' => 'feed#index'
+  match 'channels/:channel_id/field(s)/:field_id(.:format)' => 'feed#index'
-	match 'channels/:channel_id/field(s)/:field_id/:id(.:format)' => 'feed#show'
+  match 'channels/:channel_id/field(s)/:field_id/:id(.:format)' => 'feed#show'
-	match 'channels/:channel_id/feed(s)/entry/:id(.:format)' => 'feed#show'
+  match 'channels/:channel_id/feed(s)/entry/:id(.:format)' => 'feed#show'
 
-	# import
+  # import
-	match 'channels/:channel_id/import' => 'channels#import', :as => 'channel_import'
+  match 'channels/:channel_id/import' => 'channels#import', :as => 'channel_import'
-	match 'channels/:channel_id/upload' => 'channels#upload'
+  match 'channels/:channel_id/upload' => 'channels#upload'
 
-	# nest feeds into channels
+  # nest feeds into channels
-	resources :channels do
+  resources :channels do
-		resources :feed
+    member do
+      get :import
+      post :upload
+      post :clear
+    end
+    resources :feed
     resources :feeds, :to => 'feed'
-		resources :api_keys
+    resources :api_keys, :except => [:show, :edit]
-		resources :status
+    resources :status
     resources :statuses, :to => 'statuses'
-		resources :charts
+    resources :charts
-	end
+  end
 
-	match 'login' => 'user_sessions#new', :as => :login
+  match 'login' => 'user_sessions#new', :as => :login, :via => :get
-	match 'logout' => 'user_sessions#destroy', :as => :logout
+  match 'logout' => 'user_sessions#destroy', :as => :logout, :via => :delete
-	match 'users/reset_password', :to => 'users#reset_password', :as => 'reset_password'
+  match 'mailer/resetpassword', :to => 'mailer#resetpassword', :as => :resetpassword, :via => :post
-	match 'forgot_password', :to => 'users#forgot_password', :as => 'forgot_password'
-
-  match ':controller(/:action(/:id(.:format)))'
 end

lib/key_utilities.rb

@@ -0,0 +1,14 @@
+module KeyUtilities
+    
+  # generates a database unique api key
+  def generate_api_key(size = 16)
+    alphanumerics = ('0'..'9').to_a + ('A'..'Z').to_a
+    k = (0..size).map {alphanumerics[Kernel.rand(36)]}.join
+  
+    # if key exists in database, regenerate key
+    k = generate_api_key if ApiKey.find_by_api_key(k)
+  
+    # output the key
+    k
+  end
+end