From f7727a302db7b4d1aa12165f1f41ea4536ab36f6 Mon Sep 17 00:00:00 2001
From: Florent Vilmart
Date: Fri, 8 Apr 2016 08:45:37 -0400
Subject: [PATCH] Prevents _User lock out when setting ACL on signup or afterwards
---
spec/ParseUser.spec.js | 49 ++++++++++++++++++++++++++++++++++++++++++
src/RestWrite.js | 16 +++++++++++---
2 files changed, 62 insertions(+), 3 deletions(-)
diff --git a/spec/ParseUser.spec.js b/spec/ParseUser.spec.js
index aacb24099c..16ff4dcd23 100644
--- a/spec/ParseUser.spec.js
+++ b/spec/ParseUser.spec.js
@@ -88,6 +88,55 @@ describe('Parse.User testing', () => { }); }); + it('should respect ACL without locking user out', (done) => { + let user = new Parse.User(); + let ACL = new Parse.ACL(); + ACL.setPublicReadAccess(false); + ACL.setPublicWriteAccess(false); + user.setUsername('asdf'); + user.setPassword('zxcv'); + user.setACL(ACL); + user.signUp().then((user) => { + return Parse.User.logIn("asdf", "zxcv"); + }).then((user) => { + equal(user.get("username"), "asdf"); + const ACL = user.getACL(); + expect(ACL.getReadAccess(user)).toBe(true); + expect(ACL.getWriteAccess(user)).toBe(true); + expect(ACL.getPublicReadAccess()).toBe(false); + expect(ACL.getPublicWriteAccess()).toBe(false); + const perms = ACL.permissionsById; + expect(Object.keys(perms).length).toBe(1); + expect(perms[user.id].read).toBe(true); + expect(perms[user.id].write).toBe(true); + expect(perms['*']).toBeUndefined(); + // Try to lock out user + let newACL = new Parse.ACL(); + newACL.setReadAccess(user.id, false); + newACL.setWriteAccess(user.id, false); + user.setACL(newACL); + return user.save(); + }).then((user) => { + return Parse.User.logIn("asdf", "zxcv"); + }).then((user) => { + equal(user.get("username"), "asdf"); + const ACL = user.getACL(); + expect(ACL.getReadAccess(user)).toBe(true); + expect(ACL.getWriteAccess(user)).toBe(true); + expect(ACL.getPublicReadAccess()).toBe(false); + expect(ACL.getPublicWriteAccess()).toBe(false); + const perms = ACL.permissionsById; + expect(Object.keys(perms).length).toBe(1); + expect(perms[user.id].read).toBe(true); + expect(perms[user.id].write).toBe(true); + expect(perms['*']).toBeUndefined(); + done(); + }).catch((err) => { + fail("Should not fail"); + done(); + }) + }); + it("user login with files", (done) => { let file = new Parse.File("yolo.txt", [1,2,3], "text/plain"); file.save().then((file) => { diff --git a/src/RestWrite.js b/src/RestWrite.js index 0bdaac5b9f..bd220b8653 100644 --- a/src/RestWrite.js +++ b/src/RestWrite.js 
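Review bot: The final `.catch((err) => { fail("Should not fail"); done(); })` discards `err`, so when any step of the chain rejects (sign-up, either login, or the save that tries to remove the user's own access) the report says neither which step failed nor why. Including the error in the message, e.g. `fail('Should not fail: ' + JSON.stringify(err));`, keeps the test diagnosable. The lock-out attempt is also made only with an ACL that names the user alone; a case that saves an ACL granting a second user or role would confirm that the server adds the owner entry to the supplied ACL rather than replacing it.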
@@ -716,6 +716,11 @@ RestWrite.prototype.runDatabaseOperation = function() { } if (this.query) { + // Force the user to not lockout + // Matched with parse.com + if (this.className === '_User' && this.data.ACL) { + this.data.ACL[this.query.objectId] = { read: true, write: true }; + } // Run an update return this.config.database.update( this.className, this.query, this.data, this.runOptions).then((resp) => { @@ -732,10 +737,15 @@ RestWrite.prototype.runDatabaseOperation = function() { }); } else { // Set the default ACL for the new _User - if (!this.data.ACL && this.className === '_User') { - var ACL = {}; + if (this.className === '_User') { + var ACL = this.data.ACL; + // default public r/w ACL + if (!ACL) { + ACL = {}; + ACL['*'] = { read: true, write: false }; + } + // make sure the user is not locked down ACL[this.data.objectId] = { read: true, write: true }; - ACL['*'] = { read: true, write: false }; this.data.ACL = ACL; }
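Review bot: The added block at the top of the `if (this.query)` branch uses `this.query.objectId` as an ACL key without checking that it is a plain id string. If an update reaches this point with a query that has no `objectId`, or a constraint object in that field, the entry would be stored under `undefined` or `[object Object]` instead of the user's id. Tightening the condition to `if (this.className === '_User' && this.data.ACL && typeof this.query.objectId === 'string') {` avoids that. It is also worth confirming that `this.data.ACL` cannot be an operation object (such as a field-unset request) here, since the assignment would add the owner key to it. `runDatabaseOperation` starts and ends outside the hunk.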
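Review bot: In the `else` (create) branch, the new comment `// default public r/w ACL` contradicts the line below it, which sets `ACL['*'] = { read: true, write: false }`: public read, no public write. Suggest `// default ACL when none is supplied: public read, no public write`, so nobody mistakes the default for world-writable. Because the condition now covers every new `_User`, a client-supplied `this.data.ACL` is modified in place. If its shape is not validated earlier in the file, a non-object value would not receive the owner entry, so a `typeof ACL === 'object'` check before the assignment may be worth adding. The block sits inside `runDatabaseOperation`, which extends beyond the hunk.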