Merge pull request #438 from flovilmart/flovilmart.fix-default_User.metadata

Adds locked down ACL on _User

Author: gfosco

spec/ParseUser.spec.js

@@ -8,6 +8,20 @@
 var request = require('request');
 var passwordCrypto = require('../src/password');
 
+function verifyACL(user) {
+  const ACL = user.getACL();
+  expect(ACL.getReadAccess(user)).toBe(true);
+  expect(ACL.getWriteAccess(user)).toBe(true);
+  expect(ACL.getPublicReadAccess()).toBe(true);
+  expect(ACL.getPublicWriteAccess()).toBe(false);
+  const perms = ACL.permissionsById;
+  expect(Object.keys(perms).length).toBe(2);
+  expect(perms[user.id].read).toBe(true);
+  expect(perms[user.id].write).toBe(true);
+  expect(perms['*'].read).toBe(true);
+  expect(perms['*'].write).not.toBe(true);
+}
+
 describe('Parse.User testing', () => {
   it("user sign up class method", (done) => {
     Parse.User.signUp("asdf", "zxcv", null, {
@@ -57,6 +71,7 @@ describe('Parse.User testing', () => {
         Parse.User.logIn("asdf", "zxcv", {
           success: function(user) {
             equal(user.get("username"), "asdf");
+            verifyACL(user);
             done();
           }
         });
@@ -1352,7 +1367,7 @@ describe('Parse.User testing', () => {
         var b = JSON.parse(body);
         expect(b.results.length).toEqual(1);
         var user = b.results[0];
-        expect(Object.keys(user).length).toEqual(6);
+        expect(Object.keys(user).length).toEqual(7);
         done();
       });
     });

src/RestWrite.js

@@ -655,6 +655,13 @@ RestWrite.prototype.runDatabaseOperation = function() {
         this.response.updatedAt = this.updatedAt;
       });
   } else {
+    // Set the default ACL for the new _User
+    if (!this.data.ACL && this.className === '_User') {
+      var ACL = {};
+      ACL[this.data.objectId] = { read: true, write: true };
+      ACL['*'] = { read: true, write: false };
+      this.data.ACL = ACL;
+    } 
     // Run a create
     return this.config.database.create(this.className, this.data, options)
       .then(() => {