_acl not being saved correctly #2628

Closed
steven-supersolid opened this issue Aug 31, 2016 · 3 comments
Labels
type:question Support or code-level question

Comments

@steven-supersolid
Contributor

Issue Description

Create a user:

curl -X POST \
-H "X-Parse-Application-Id: appId" \
-H "X-Parse-REST-API-Key: restKey" \
-H "Content-Type: text/plain" \
-d '{"authData":{"anonymous":{"id":"a"}}}' \
http://myapp.herokuapp.com/parse/users

User is created with the following data in the db. Note the _rperm and _acl are public read:

{
    "_id": "TYy7EUpRtP",
    "_rperm": [
        "*",
        "TYy7EUpRtP"
    ],
    "_auth_data_anonymous": {
        "id": "a"
    },
    "username": "MLKHFez8nvR4vylzb2LGHuo9d",
    "_wperm": [
        "TYy7EUpRtP"
    ],
    "_acl": {
        "TYy7EUpRtP": {
            "w": true,
            "r": true
        },
        "*": {
            "r": true
        }
    },
    "_created_at": {
        "$date": "2016-08-31T17:21:41.644Z"
    },
    "_updated_at": {
        "$date": "2016-08-31T17:21:41.644Z"
    }
}

Set the ACL to just the user, i.e. remove public read:

curl -X PUT \
-H "X-Parse-Application-Id: appId" \
-H "X-Parse-REST-API-Key: restKey" \
-H "X-Parse-Session-Token: r:sessionToken" \
-H "Content-Type: text/plain" \
-d '{"ACL":{"TYy7EUpRtP":{"read":true,"write":true}}}' \
http://myapp.herokuapp.com/parse/users/TYy7EUpRtP

User data now looks like the following.
Note that _rperm is correct and loses the * access, but _acl * still has r:true

{
    "_id": "TYy7EUpRtP",
    "_rperm": [
        "TYy7EUpRtP"
    ],
    "_auth_data_anonymous": {
        "id": "a"
    },
    "username": "MLKHFez8nvR4vylzb2LGHuo9d",
    "_wperm": [
        "TYy7EUpRtP"
    ],
    "_acl": {
        "TYy7EUpRtP": {
            "w": true,
            "r": true
        },
        "*": {
            "r": true
        }
    },
    "_created_at": {
        "$date": "2016-08-31T17:21:41.644Z"
    },
    "_updated_at": {
        "$date": "2016-08-31T17:25:50.179Z"
    }
}

Get the user again, parse-server thinks that the ACL has been changed:

{"objectId":"TYy7EUpRtP","authData":{"anonymous":{"id":"a"}},"username":"MLKHFez8nvR4vylzb2LGHuo9d","createdAt":"2016-08-31T17:21:41.644Z","updatedAt":"2016-08-31T17:25:50.179Z","ACL":{"TYy7EUpRtP":{"read":true,"write":true}}}

The ACL is actually set correctly as far as parse-server is concerned but not parse.com, e.g. viewing the data browser shows the user as Public Read, TYy7EUpRtP

Attempting to get the user with the user's own session token succeeds:

curl -X GET \
-H "X-Parse-Application-Id: appId" \
-H "X-Parse-REST-API-Key: restApiKey" \
-H "X-Parse-Session-Token: r:user-a-session_token" \
-H "Content-Type: text/plain" \
http://myapp.herokuapp.com/parse/users/TYy7EUpRtP
{"objectId":"TYy7EUpRtP","authData":{"anonymous":{"id":"a"}},"username":"MLKHFez8nvR4vylzb2LGHuo9d","createdAt":"2016-08-31T17:21:41.644Z","updatedAt":"2016-08-31T17:25:50.179Z","ACL":{"TYy7EUpRtP":{"read":true,"write":true}},"sessionToken":"r:fc778d100d805889e00ff42fdd51ec83"}

Using user b session token does not succeed as expected:

{"code":101,"error":"Object not found."}

Verbose log of the PUT ACL

verbose: REQUEST for [PUT] /parse/users/TYy7EUpRtP: { 
Aug 31 18:42:16 myapp app/web.1:    "ACL": { 
Aug 31 18:42:16 myapp app/web.1:      "TYy7EUpRtP": { 
Aug 31 18:42:16 myapp app/web.1:        "read": true, 
Aug 31 18:42:16 myapp app/web.1:        "write": true 
Aug 31 18:42:16 myapp app/web.1:      } 
Aug 31 18:42:16 myapp app/web.1:    } 
Aug 31 18:42:16 myapp app/web.1:  } method=PUT, url=/parse/users/TYy7EUpRtP, host=myapp.herokuapp.com, connection=close, user-agent=curl/7.35.0, accept=*/*, x-parse-application-id=appId, x-parse-rest-api-key=restKey, x-parse-session-token=r:sessionToken, content-type=text/plain, x-request-id=cd7554fd-b39c-41b8-9fbe-3d21eb6c797b, x-forwarded-for=89.197.45.54, x-forwarded-proto=http, x-forwarded-port=80, via=1.1 vegur, connect-time=0, x-request-start=1472665335896, total-route-time=0, content-length=49, read=true, write=true 
Aug 31 18:42:16 myapp app/web.1:  verbose: RESPONSE from [PUT] /parse/users/TYy7EUpRtP: { 
Aug 31 18:42:16 myapp app/web.1:    "response": { 
Aug 31 18:42:16 myapp app/web.1:      "updatedAt": "2016-08-31T17:42:15.945Z" 
Aug 31 18:42:16 myapp app/web.1:    } 
Aug 31 18:42:16 myapp app/web.1:  } updatedAt=2016-08-31T17:42:15.945Z 

Environment Setup

  • Server
    • parse-server version: 2.2.18
    • Localhost or remote server? (AWS, Heroku, Azure, Digital Ocean, etc): Heroku
  • Database
    • MongoDB version: 3.2.6
    • Storage engine: WT
    • Localhost or remote server? (AWS, mLab, ObjectRocket, Digital Ocean, etc): mLab
@johanarnor

We also experienced this issue. Not really sure if the "_acl" property in db is deprecated or something. When viewing the ACLs in the open-source-dashboard it displays them correctly (meaning that parse-server must calculate them from "_wperm" and "_rperm"), but for the hosted dashboard (https://dashboard.parse.com), the ACLs are wrong (meaning that they must read the "_acl" property).

@steven-supersolid
Contributor Author

I've tracked the issue down and it was introduced in 2.2.14 via #2021.
Will see if I can add a test and fix.

@flovilmart
Contributor

Will be released with 2.2.20! Thanks for the PR!
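
The drift described in this thread, where parse-server enforces `_rperm`/`_wperm` while the hosted dashboard reads `_acl`, can be audited with a check like the one below. It is an added example, not part of the original thread or parse-server's own code; the helper names `aclFromPerms` and `aclDrift` are hypothetical, and it assumes both permission arrays are present on the document.

```javascript
// Added example: field names (_acl, _rperm, _wperm) are from the documents in
// this issue; aclFromPerms and aclDrift are hypothetical helper names.

// Rebuild a legacy-style {id: {r, w}} map from the permission arrays.
// Assumption: both arrays are present, as in the documents shown above.
function aclFromPerms(doc) {
  const acl = {};
  for (const id of doc._rperm || []) (acl[id] = acl[id] || {}).r = true;
  for (const id of doc._wperm || []) (acl[id] = acl[id] || {}).w = true;
  return acl;
}

// List every (id, permission) pair where stored _acl disagrees with the arrays.
function aclDrift(doc) {
  const expected = aclFromPerms(doc);
  const stored = doc._acl || {};
  const ids = new Set([...Object.keys(expected), ...Object.keys(stored)]);
  const findings = [];
  for (const id of ids) {
    for (const perm of ['r', 'w']) {
      const grantedByPerms = Boolean(expected[id] && expected[id][perm]);
      const storedInAcl = Boolean(stored[id] && stored[id][perm]);
      if (grantedByPerms !== storedInAcl) {
        findings.push({ id, perm, storedInAcl, grantedByPerms });
      }
    }
  }
  return findings;
}

// Constructed samples: the two stored documents from the issue, trimmed to ACL fields.
const afterCreate = {
  _id: 'TYy7EUpRtP',
  _rperm: ['*', 'TYy7EUpRtP'],
  _wperm: ['TYy7EUpRtP'],
  _acl: { TYy7EUpRtP: { w: true, r: true }, '*': { r: true } },
};
const afterPut = {
  _id: 'TYy7EUpRtP',
  _rperm: ['TYy7EUpRtP'],
  _wperm: ['TYy7EUpRtP'],
  _acl: { TYy7EUpRtP: { w: true, r: true }, '*': { r: true } },
};

console.log(aclDrift(afterCreate));
console.log(aclDrift(afterPut));
```

Any finding with `storedInAcl: true` and `grantedByPerms: false` marks a grant that a reader of `_acl` would still display or honour after it was revoked through the API.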
