Why can't I set the ACL for a User to read: false + write:false?

2

10

I'm trying to create a new user via the REST API, and want the object to be accessible (read+write) only to the user that created it. If I create the user without setting an ACL, setting only the username/password, it automatically gets "Public Read, xxxx" where xxxx is the objectId.

If I include an ACL with the create user call, it silently ignores the field and gives it that same public read access.

{"username":"dummyUsersname","ACL":{"*":{"write":false,"read":false}},"password":"dummyPassword"}

If I try to update the ACL after creating the object, I get:

code: 123 error: Invalid acl {"*":{"read":false,"write":false}}

And yet the web-based data browser will let me revoke the public read access without complaint. Any idea what's going on?

Meanwhile answered 9/8, 2015 at 18:43 Comment(0)
4

Try using Cloud Code function:

Parse.Cloud.beforeSave(Parse.User, function(request, response) {
    var acl = new Parse.ACL();
    acl.setPublicReadAccess(false);
    acl.setPublicWriteAccess(false);

    request.object.setACL(acl);
    response.success();
});

When using it, the request

curl -X POST \
  -H "X-Parse-Application-Id: <app_id>" \
  -H "X-Parse-REST-API-Key: <rest_api_key>" \
  -H "X-Parse-Revocable-Session: 1" \
  -H "Content-Type: application/json" \
  -d '{"username":"cooldude6","password":"p_n7!-e8","phone":"415-392-0202"}' \
  https://api.parse.com/1/users

...returns:

{"ACL":{"adItsbPH0a":{"read":true,"write":true}},"createdAt":"2015-08-13T10:10:09.591Z","objectId":"adItsbPH0a","phone":"415-392-0202","sessionToken":"r:otH4qsd2zmBG4tTj4ePoGSFVE","username":"cooldude6"}

Hope this helps.

Squelch answered 13/8, 2015 at 10:15 Comment(1)
Small nit: you should not pass in a string as the class name if you are adding triggers for pre-defined classes; in this example, use Parse.User instead of "_User". - Bertiebertila
0

Actually, you don't need to build the ACL programmatically to get the right behavior for "master key only" here, you just need to specify an empty object ({}) instead. Calling the methods to set the right parameters works but it doesn't answer the question as to why this is the case.

The answer, although annoying and inconsistent, is that you CAN represent it explicitly in the shorthand form by just providing an empty object for the ACL or no object at all. Proof:

var acl = new Parse.ACL();
acl.toJSON();

Output: {}

acl.setPublicReadAccess(true);
acl.toJSON();

Output: { '*': { read: true } }

acl.setPublicReadAccess(false);
acl.toJSON();

Output: {}

Note that unsetting public read access removes the key entirely instead of setting read to false.

This makes it difficult to programmatically build up ACLs because you'd think { '*': { read: false, write: false} } would be equivalent, but it is not.

Just provide ACL: {} and it will work just fine. Cheers.

Stickseed answered 28/1, 2016 at 20:48 Comment(0)
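The shorthand both answers rely on, as an added example (not code from the original posts or from the Parse SDK): a grant exists only where a key is present with the value true, so denying access means leaving the key out. The function names are hypothetical, and the rule that only true values are accepted is an assumption inferred from the error 123 and the toJSON() output quoted above.

```javascript
const PERMISSIONS = ['read', 'write'];

// Keep only permissions that are exactly `true`, then drop principals left
// with nothing. This reproduces the toJSON() behaviour shown in the answer.
function normalizeAcl(acl) {
  const out = {};
  for (const [principal, perms] of Object.entries(acl || {})) {
    const granted = {};
    for (const p of PERMISSIONS) {
      if (perms && perms[p] === true) granted[p] = true;
    }
    if (Object.keys(granted).length > 0) out[principal] = granted;
  }
  return out;
}

// List entries the REST API would be expected to reject.
// Assumption: anything other than read/write set to `true` is invalid.
function findInvalidEntries(acl) {
  const bad = [];
  for (const [principal, perms] of Object.entries(acl || {})) {
    for (const [name, value] of Object.entries(perms || {})) {
      if (!PERMISSIONS.includes(name) || value !== true) {
        bad.push(`${principal}.${name}`);
      }
    }
  }
  return bad;
}

// '*' is the public principal; a user row with this grant is readable by anyone.
function isPubliclyReadable(acl) {
  const n = normalizeAcl(acl);
  return Boolean(n['*'] && n['*'].read);
}

// Constructed sample inputs (the objectId is the one from the answer above).
const rejected = { '*': { read: false, write: false } };
const ownerOnly = { adItsbPH0a: { read: true, write: true }, '*': { read: false } };
const publicRead = { '*': { read: true }, adItsbPH0a: { read: true, write: true } };

console.log(findInvalidEntries(rejected));            // entries to strip before sending
console.log(JSON.stringify(normalizeAcl(rejected)));  // body to send as "ACL"
console.log(JSON.stringify(normalizeAcl(ownerOnly)));
console.log(isPubliclyReadable(publicRead));
```

Running an ACL through normalizeAcl before a REST create or update, then checking isPubliclyReadable on the stored result, catches user rows that still carry the default public read.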
