From 5b40a589c0d06aa223dd622444da4ea093d5b3a7 Mon Sep 17 00:00:00 2001
From: Francis Lessard <flessard@propage.com>
Date: Tue, 16 Feb 2016 10:45:43 -0500
Subject: [PATCH] Remove public ACL set by default.

---
 src/RestWrite.js | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/src/RestWrite.js b/src/RestWrite.js
index 8dab5344..e43aea94 100644
--- a/src/RestWrite.js
+++ b/src/RestWrite.js
@@ -28,7 +28,7 @@ function RestWrite(config, auth, className, query, data, originalData) {
   this.className = className;
   this.storage = {};
   this.runOptions = {
-    acl:['*']
+    acl:[]
   };
 
   if (!query && data.objectId) {
@@ -95,14 +95,21 @@ RestWrite.prototype.execute = function() {
 
 // Uses the Auth object to get the list of roles, adds the user id
 RestWrite.prototype.getUserAndRoleACL = function() {
-  if (this.auth.isMaster || !this.auth.user) {
+  if (this.auth.isMaster) {
     return Promise.resolve();
   }
-  return this.auth.getUserRoles().then((roles) => {
-    roles.push(this.auth.user.id);
-    this.runOptions.acl = this.runOptions.acl.concat(roles);
+
+  this.runOptions.acl.push("*");
+
+  if( this.auth.user ){
+    return this.auth.getUserRoles().then((roles) => {
+      roles.push(this.auth.user.id);
+      this.runOptions.acl = this.runOptions.acl.concat(roles);
+      return Promise.resolve();
+    });
+  }else{
     return Promise.resolve();
-  });
+  }
 };
 
 // Validates this operation against the schema.