Closed
Issue Description
Create a user:
curl -X POST \
  -H "X-Parse-Application-Id: appId" \
  -H "X-Parse-REST-API-Key: restKey" \
  -H "Content-Type: text/plain" \
  -d '{"authData":{"anonymous":{"id":"a"}}}' \
  http://myapp.herokuapp.com/parse/users
The user is created with the following data in the db. Note that _rperm and _acl are public read:
{
  "_id": "TYy7EUpRtP",
  "_rperm": [
    "*",
    "TYy7EUpRtP"
  ],
  "_auth_data_anonymous": {
    "id": "a"
  },
  "username": "MLKHFez8nvR4vylzb2LGHuo9d",
  "_wperm": [
    "TYy7EUpRtP"
  ],
  "_acl": {
    "TYy7EUpRtP": {
      "w": true,
      "r": true
    },
    "*": {
      "r": true
    }
  },
  "_created_at": {
    "$date": "2016-08-31T17:21:41.644Z"
  },
  "_updated_at": {
    "$date": "2016-08-31T17:21:41.644Z"
  }
}
Set the ACL to just the user, i.e. remove public read:
curl -X PUT \
  -H "X-Parse-Application-Id: appId" \
  -H "X-Parse-REST-API-Key: restKey" \
  -H "X-Parse-Session-Token: r:sessionToken" \
  -H "Content-Type: text/plain" \
  -d '{"ACL":{"TYy7EUpRtP":{"read":true,"write":true}}}' \
  http://myapp.herokuapp.com/parse/users/TYy7EUpRtP
User data now looks like the following.
Note that _rperm is correct and loses the * access, but _acl * still has r:true
{
  "_id": "TYy7EUpRtP",
  "_rperm": [
    "TYy7EUpRtP"
  ],
  "_auth_data_anonymous": {
    "id": "a"
  },
  "username": "MLKHFez8nvR4vylzb2LGHuo9d",
  "_wperm": [
    "TYy7EUpRtP"
  ],
  "_acl": {
    "TYy7EUpRtP": {
      "w": true,
      "r": true
    },
    "*": {
      "r": true
    }
  },
  "_created_at": {
    "$date": "2016-08-31T17:21:41.644Z"
  },
  "_updated_at": {
    "$date": "2016-08-31T17:25:50.179Z"
  }
}
Get the user again; parse-server thinks that the ACL has been changed:
{"objectId":"TYy7EUpRtP","authData":{"anonymous":{"id":"a"}},"username":"MLKHFez8nvR4vylzb2LGHuo9d","createdAt":"2016-08-31T17:21:41.644Z","updatedAt":"2016-08-31T17:25:50.179Z","ACL":{"TYy7EUpRtP":{"read":true,"write":true}}}
The ACL is actually set correctly as far as parse-server is concerned but not parse.com, e.g. viewing the data browser shows the user as Public Read, TYy7EUpRtP
Attempting to get the user with the user's own session token succeeds:
curl -X GET \
  -H "X-Parse-Application-Id: appId" \
  -H "X-Parse-REST-API-Key: restApiKey" \
  -H "X-Parse-Session-Token: r:user-a-session_token" \
  -H "Content-Type: text/plain" \
  http://myapp.herokuapp.com/parse/users/TYy7EUpRtP
{"objectId":"TYy7EUpRtP","authData":{"anonymous":{"id":"a"}},"username":"MLKHFez8nvR4vylzb2LGHuo9d","createdAt":"2016-08-31T17:21:41.644Z","updatedAt":"2016-08-31T17:25:50.179Z","ACL":{"TYy7EUpRtP":{"read":true,"write":true}},"sessionToken":"r:fc778d100d805889e00ff42fdd51ec83"}
Using user b's session token does not succeed, as expected:
{"code":101,"error":"Object not found."}
Verbose log of the PUT ACL
verbose: REQUEST for [PUT] /parse/users/TYy7EUpRtP: {
Aug 31 18:42:16 myapp app/web.1: "ACL": {
Aug 31 18:42:16 myapp app/web.1: "TYy7EUpRtP": {
Aug 31 18:42:16 myapp app/web.1: "read": true,
Aug 31 18:42:16 myapp app/web.1: "write": true
Aug 31 18:42:16 myapp app/web.1: }
Aug 31 18:42:16 myapp app/web.1: }
Aug 31 18:42:16 myapp app/web.1: } method=PUT, url=/parse/users/TYy7EUpRtP, host=myapp.herokuapp.com, connection=close, user-agent=curl/7.35.0, accept=*/*, x-parse-application-id=appId, x-parse-rest-api-key=restKey, x-parse-session-token=r:sessionToken, content-type=text/plain, x-request-id=cd7554fd-b39c-41b8-9fbe-3d21eb6c797b, x-forwarded-for=89.197.45.54, x-forwarded-proto=http, x-forwarded-port=80, via=1.1 vegur, connect-time=0, x-request-start=1472665335896, total-route-time=0, content-length=49, read=true, write=true
Aug 31 18:42:16 myapp app/web.1: verbose: RESPONSE from [PUT] /parse/users/TYy7EUpRtP: {
Aug 31 18:42:16 myapp app/web.1: "response": {
Aug 31 18:42:16 myapp app/web.1: "updatedAt": "2016-08-31T17:42:15.945Z"
Aug 31 18:42:16 myapp app/web.1: }
Aug 31 18:42:16 myapp app/web.1: } updatedAt=2016-08-31T17:42:15.945Z
Environment Setup
- Server
  - parse-server version: 2.2.18
  - Localhost or remote server? (AWS, Heroku, Azure, Digital Ocean, etc): Heroku
- Database
  - MongoDB version: 3.2.6
  - Storage engine: WT
  - Localhost or remote server? (AWS, mLab, ObjectRocket, Digital Ocean, etc): mLab
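
A consistency check for the drift reported above, added here as an example; it is not part of the original report and not parse-server's own code. It compares the legacy `_acl` map in a stored document against the `_rperm` and `_wperm` arrays and reports every id that appears on only one side. The function names are hypothetical, and the two sample documents are constructed from the dumps in this issue.

```javascript
// Collect the ids that a legacy _acl map grants `flag` ("r" or "w") to.
function idsFromAcl(acl, flag) {
  return Object.keys(acl).filter((id) => acl[id] && acl[id][flag] === true).sort();
}

// Ids present in `a` but not in `b`.
function minus(a, b) {
  const other = new Set(b);
  return a.filter((id) => !other.has(id));
}

// Return one finding per id that _acl and _rperm/_wperm disagree on.
function auditAclDrift(doc) {
  const findings = [];
  const pairs = [["read", "r", "_rperm"], ["write", "w", "_wperm"]];
  for (const [permission, flag, field] of pairs) {
    // Assumption: a document lacking either representation has nothing to compare.
    if (!doc._acl || !Array.isArray(doc[field])) continue;
    const fromAcl = idsFromAcl(doc._acl, flag);
    const fromPerm = [...doc[field]].sort();
    for (const id of minus(fromAcl, fromPerm)) findings.push({ permission, id, onlyIn: "_acl" });
    for (const id of minus(fromPerm, fromAcl)) findings.push({ permission, id, onlyIn: field });
  }
  return findings;
}

// Constructed sample: the user document right after creation (public read on both sides).
const afterCreate = {
  _id: "TYy7EUpRtP",
  _rperm: ["*", "TYy7EUpRtP"],
  _wperm: ["TYy7EUpRtP"],
  _acl: { TYy7EUpRtP: { w: true, r: true }, "*": { r: true } },
};

// Constructed sample: the same document after the PUT, where _acl kept the "*" entry.
const afterPut = {
  _id: "TYy7EUpRtP",
  _rperm: ["TYy7EUpRtP"],
  _wperm: ["TYy7EUpRtP"],
  _acl: { TYy7EUpRtP: { w: true, r: true }, "*": { r: true } },
};

console.log(auditAclDrift(afterCreate));
console.log(auditAclDrift(afterPut));
```

Any tool that still reads `_acl`, such as the parse.com data browser mentioned above, would see the stale public read entry this check reports.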