Wednesday, January 31, 2007

Tiers of Pudding, Yummy!

I was grabbing lunch with some co-workers the other day, and one of the guys picked up some pudding. No, not some Ataraxis Pudding, but some tasty (in his opinion) banana pudding.

(These co-workers also happen to be starting their own software company, Protoh. I told you everyone's better at coming up with names than I am!)

It got me thinking. I should name my service tiers after flavors of pudding.

Vanilla - For freelancers, because it will be the cheapest plan I offer and compared to the other plans will be vanilla.

Chocolate - For design studios. It will cost a little more than Vanilla and EVERYONE LOVES CHOCOLATE PUDDING. (You do, don't you? DON'T YOU? It seriously rocks.) I'm guessing the plan that is in the middle price-wise will be the most popular. Just like chocolate pudding!

At the very least I'm going to have one more tier for larger "corporate" companies. A lot of large companies have an in-house design group.

Anyone have any other flavors of pudding they would like to recommend?


Tuesday, January 30, 2007

Going it alone, it's insanely hard

I've read 2 interviews in the last 2 days from the founders of software companies.

Joel Spolsky was interviewed (for a book), and one section really caught my attention (the bolding is mine).
Don't start a company unless you can convince one other person to go along with you. If you don't have two people (or I would even say three) that you've convinced to devote their lives to doing this, it's just going to be a different thing. There are a lot of programmers that are very tentative about starting their own companies. There are a lot of working programmers doing something they hate, with some company that they hate, but they need money to pay the mortgage. So they figure, "I'll develop something in my spare time. I'll put in 1 hour every night and 2 hours on the weekends and I'll start selling it by downloads." And you say to them, "Who's your cofounder?" And they say, "My significant other—husband or wife. My cat."
For about half a second I thought the all-knowing Joel (of whom I'm a fan) had been following my blog and using my words to destroy my will to continue trying to start my 1-person startup.

I tried working with a friend/partner, but it just didn't work out. And over a year ago, when I stopped working on a big Project Management app (I think it was going to be called Unity) I said,

1 person x 15 hours a week = forever
Yikes! Joel has been reading....

I'm going to launch a beta of Pudding in February of this year. I just checked, I started this blog in May of 2005. The tag line of the blog has changed slightly over the years (gasp! years!), but for as long as I can remember it included this:
This blog chronicles my journey from nothing to my first product launch.
Getting to this point was made possible by the highly productive platform that is Ruby on Rails, and some serious motivation.

3 motivators from the last 22 months
  1. Once I say I'm going to accomplish something (and then tell the world about it via a blog), I frigg'n do it. Even if it means a dramatic shift in focus to accomplish the goal. And the goal is starting a software company. I think that's called self-motivation. (I seem to have a bunch of it. :P )
  2. My desire for personal and creative freedom. You can achieve a certain level of "freedom" in certain organizations, but 99.999% of the time you're still working off of someone else's vision. Either due to the culture of the company, or because of the constraints of the "core business". If you work at Whole Foods, they probably won't let you grow the company by building what YOU think is a great piece of software.
  3. The success stories of others.

My personal favorite success story is Ian Landsman, the founder of UserScape. Ian quit his day job and "just did it". By "it" I mean, started a 1-person software company, launched a product, and is now living off of software sales. He's recently "hired" his wife to help with the company. So I guess it's a 2-person software company now. :)

Ian was interviewed recently by Startup Spark. He's got some good advice in the interview, and it's great to read that he's doing well.

1-person startups can succeed. You may not get funding from Y Combinator, but with stories like Ian's, do you need it?

Monday, January 29, 2007

Left to Beta, 2

My last progress report regarding how close I was to "beta" was accurate, but it didn't account for all the bugs I'd find, and create, and then fix while working on the security of Pudding!

My new short list is:
  • Add "and return" to all redirecting before_filters
  • At some point my emailing code stopped working, so fix that
  • Do not allow the user's Credit Card to be returned to the client (EVER!)
  • Polish the Account Management page
  • *Implement the credit card processing
  • Setup a hosting account for the application
*Which is contingent on setting up all the "business stuff" (merchant account, etc...), BUT I might put the app into beta without that code in there and add it while it's in beta.

I'M ALMOST THERE. I CAN TASTE IT!!!

I've got to buckle down this week and get these last quirks worked out!


Saturday, January 20, 2007

Agile and Google

I've been following Eric Sink's blog for a few years now, and he recently wrote a post where he linked to Stevey's blog. Stevey wrote a blog post last year entitled, Good Agile, Bad Agile. If you've got any interest in "Agile" or how Google does software management, it's a must read.

I've done a lot of SDLC/Agile research, experimentation, and practice in my 5 year career (Web Programmer, Project Manager, Web Application Manager - every 2 years I get a promotion. At this rate I should be the ruler of the universe in about 14 years.), so the title caught my eye. About half-way through the post I remembered I had read this post back when it came out. I'm really glad I rediscovered this gem of a post. It makes you realize just how smart the management at Google is.

I think Pudding will be in private beta next month. If Ataraxis Software ends up being something I can do full time, I'll be re-reading this post every year!

---

Update: I've also found, (Not) Managing Software Developers, by Stevey that is really good. On a side note, if you're into reading about software management, Rands in Repose is a really good blog.


Monday, January 15, 2007

Rails Tip : Creating New Data (locked to the User)

(Update: Great post at the Rails Way site.)

This is a small continuation from yesterday's, "Access to Data", Rails Tip. (The biggest, "duh", tip ever. I promise, this one is a little less obvious!)

The code I used to illustrate constraining your find methods to the current user's account was this:

def show
  # Scoped lookup: the project must belong to the authenticated user's account
  @project = Project.find_by_id_and_account_id(params[:id], account_of_user().id)
end

You can do something similar for creating new objects, by using associations.

def create
  # Building through the association sets account_id from the logged-in account,
  # not from anything the client submitted in params[:project]
  @project = account_of_user.projects.build(params[:project])
end

This binds the new project to the account of the user. ("account_of_user" being a reference to the account of the user you've authenticated.)

I can't believe I didn't know you could do this until I came across this post while researching Rails-related security.


Sunday, January 14, 2007

Rails Tip : Access to Data

This wasn't immediately obvious to me when I started writing Ruby on Rails code. The solution(s) I was using prior to this dawning-on-me worked, but weren't as easy as what I've got illustrated below.

Once you're done reading this you'll probably say, "This is the biggest duh ever!" And to be honest, it really is.

But when you're first starting with Ruby on Rails, and you're seeing all these examples that say, "It's so easy! You just do this, SomeTotallyAwesomeClass.find(params[:id]), and it returns the model object!", it's easy to code gigantic security holes into your controllers.

Let's say you've got the following:
-A web app that allows people to create their own account for the purpose of creating projects.
-Each project is associated with the account.
-Only users that are associated with the account that created a project can access the project.

For example, Bob creates an account named, "evilness", so he can manage his project, "Take Over The World". Bob adds his friend Bill to the account so they can both access it. They can reach their account via:

http://evilness.projectsarecool.com

The web application prompts them for their user/pass; once provided, they're in. They can view their taking-over-the-world progress when clicking on the url:

http://evilness.projectsarecool.com/project/show/23

Note: 23 is the ID of their project, "Take Over The World"

Now let's say that Bill (because he's totally evil), after logging into his account, types in this url:

http://evilness.projectsarecool.com/project/show/24

Note: 24 is the ID of the project, "Save the African Swallows". A project being managed by a Monty Python fan, Michael. Michael has nothing to do with the "evilness" account, and Bill and Bob have nothing to do with Michael's totally-awesome account, "holygraillovers".

Michael reaches his project via the url:

http://holygraillovers.projectsarecool.com/project/show/24

What does the web application do when Bill, the evil bastard, types in that 24?

Well, let's find out. Here are the objects in play: Account, which can have one or more User objects, and one or more Project objects.

A very lazy way to look up a project object in your controller is to do this:

def show
  # Unscoped lookup: any logged-in user can fetch any project ID they type in
  @project = Project.find(params[:id])
end

That takes the "ID" in the URL, looks up the Project, and returns it to the view.

A very lazy way that happens to protect Michael from Bill and Bob's evil eyes is the following:

def show
  # Scoped lookup: returns nil unless the project belongs to the user's account
  @project = Project.find_by_id_and_account_id(params[:id], account_of_user().id)
end

When a user logs into your application, the application should know who they are. I.e. The app knows it's Bill, Bob, or Michael. Since the app knows who is logged in, it should know which account they are associated with. Use that information (illustrated by the function call to account_of_user()) when you do "find" calls in the controller and you'll be better off.

Using this technique the project just won't be found. It will look up the Project ID, "24", but since Bill's "evilness" account doesn't have the same ID as Michael's "holygraillovers" account, the "find" won't find it.

This is by no means the end-all-be-all of security for a Rails app. This is meant to illustrate one tiny little thing you can do to help yourself. The above example sure as heck won't help you when the model object you're looking up isn't directly associated with the account.

For more things to "watch out for", read this nice list.

(Update: Check out this great post on the Rails Way site.)
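To make the two patterns from this post and the "Creating New Data" post concrete without a Rails install, here is an added plain-Ruby stand-in. It is example code written for this page, not the blog's or Rails' own code. Account and Project are Struct stand-ins for the models, the sample rows mirror Bob, Bill and Michael from the story, and the account_of_user function, the USER_ACCOUNTS mapping and the show_unscoped / show_scoped / create_scoped names are all assumptions made for the example.

```ruby
# Added example (not the blog's code): in-memory stand-ins for the Rails
# controller patterns in the post. Struct models and the sample rows below
# are constructed for illustration.
Account = Struct.new(:id, :subdomain)
Project = Struct.new(:id, :account_id, :name)

# Constructed sample data following the post's story.
ACCOUNTS = {
  1 => Account.new(1, "evilness"),
  2 => Account.new(2, "holygraillovers"),
}.freeze

PROJECTS = [
  Project.new(23, 1, "Take Over The World"),
  Project.new(24, 2, "Save the African Swallows"),
].freeze

# Hypothetical username -> account id mapping; stands in for whatever the
# app's authentication layer resolves behind account_of_user().
USER_ACCOUNTS = { "bob" => 1, "bill" => 1, "michael" => 2 }.freeze

def account_of_user(username)
  ACCOUNTS.fetch(USER_ACCOUNTS.fetch(username))
end

# The lazy lookup from the post, i.e. Project.find(params[:id]).
# Nothing ties the result to the caller, so typing 24 returns Michael's project.
def show_unscoped(params)
  PROJECTS.find { |p| p.id == params[:id].to_i }
end

# The scoped lookup, i.e.
# Project.find_by_id_and_account_id(params[:id], account_of_user().id).
# Returns nil when the id exists but belongs to another account.
def show_scoped(params, current_user)
  account = account_of_user(current_user)
  PROJECTS.find { |p| p.id == params[:id].to_i && p.account_id == account.id }
end

# The build-through-association pattern, i.e.
# account_of_user.projects.build(params[:project]).
# account_id comes from the session-derived account, never from the submitted
# attributes, so a posted account_id cannot attach the project elsewhere.
# Like ActiveRecord's build, this returns the new object without saving it.
def create_scoped(params, current_user)
  account = account_of_user(current_user)
  attrs = params[:project]
  next_id = PROJECTS.map(&:id).max + 1
  Project.new(next_id, account.id, attrs[:name]) # attrs[:account_id] is ignored
end

if $PROGRAM_NAME == __FILE__
  p show_unscoped({ id: "24" })           # Michael's project, visible to anyone
  p show_scoped({ id: "24" }, "bill")     # nil: wrong account
  p show_scoped({ id: "23" }, "bill")     # Bill's own project
  p create_scoped({ project: { name: "Moon Base", account_id: 2 } }, "bill")
end
```

The last call is the one to notice: Bill posts account_id 2 along with the project, and the built project still lands on account 1 because the account is taken from who is logged in, not from the form.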


Pudding Update, Working on Security

I'm gutting a lot of the security code in Pudding. It's too hard to work with, and it has more holes than swiss cheese. I'm finding that having 1 controller for every model object is a lot easier to secure. There is just a lot less each controller has to worry about. I'm not going full REST routing, but I'm running away from crap like this:

/client_management/client_company?client_company_id=1
/client_management/client?client_id=1

and enjoying these:

/client_company/1
/client/1


Wednesday, January 10, 2007

Ataraxis Software Trademark Progress

I applied for the trademark registration of Ataraxis Software over a year ago, and after some back-'n-forth with the reviewing attorney over last year, I've finally received something in the mail regarding the application.

I have yet to use the mark in commerce, so I've got 6 months to do so or I have to either apply for an extension or give it up. Apparently being a real company (Ataraxis Software is an LLC in the state of Florida) isn't enough.

With my beta launch getting closer this should be a non-issue.

So much work for a little circle-R. I wish this post about trademarks from Seth Godin existed before I spent the money and time dealing with the registration. I.e. It ain't worth it. Just go TM.


Left to Beta

I've got to do the following to get Pudding into "beta".
  • Finish up security code
  • Finish the "Cancel Account" feature
  • Polish the Account Management page
  • *Implement the credit card processing
  • Setup a hosting account for the application
*Which is contingent on setting up all the "business stuff" (merchant account, etc...), BUT I might put the app into beta without that code in there and add it while it's in beta.

Almost there!


Monday, January 01, 2007

Google Docs Tanks

I was in the middle of writing my '06 recap in Google Docs, and Google Docs "crashed". I hit the button to add a hyper link, the UI froze and now I can't even log in to get into any of my documents.

Lame, huh?
