fixes #2166

app/models/api_key.rb

@@ -0,0 +1,10 @@
+class ApiKey < ActiveRecord::Base
+  belongs_to :user
+  validates_uniqueness_of :user_id
+  validates_uniqueness_of :key
+  attr_accessible :user_id, :key
+
+  def self.generate!(user)
+    create(:user_id => user.id, :key => SecureRandom.urlsafe_base64(32))
+  end
+end

app/models/user.rb

@@ -59,6 +59,7 @@ class User < ActiveRecord::Base
   has_many :posts, :foreign_key => "uploader_id"
   has_many :bans, lambda {order("bans.id desc")}
   has_one :recent_ban, lambda {order("bans.id desc")}, :class_name => "Ban"
+  has_one :api_key
   has_many :subscriptions, lambda {order("tag_subscriptions.name")}, :class_name => "TagSubscription", :foreign_key => "creator_id"
   has_many :note_versions, :foreign_key => "updater_id"
   has_many :dmails, lambda {order("dmails.id desc")}, :foreign_key => "owner_id"
@@ -192,6 +193,15 @@ class User < ActiveRecord::Base
         authenticate_hash(name, sha1(pass))
       end
 
+      def authenticate_api_key(name, api_key)
+        key = ApiKey.where(:key => api_key).first
+        return nil if key.nil?
+        user = find_by_name(name)
+        return nil if user.nil?
+        return user if key.user_id == user.id
+        nil
+      end
+
       def authenticate_hash(name, hash)
         user = find_by_name(name)
         if user && user.bcrypt_password == hash
@@ -531,9 +541,9 @@ class User < ActiveRecord::Base
     end
     
     def api_hourly_limit
-      if is_platinum?
+      if is_platinum? && api_key.present?
         20_000
-      elsif is_gold?
+      elsif is_gold? && api_key.present?
         10_000
       else
         3_000