Improve email verification (#3681)

* Removed hidden keys from users/me.

* Ensured that general users cannot update email verified flag.

* Updated tests to reflect email verification changes.

src/RestWrite.js

@@ -349,6 +349,11 @@ RestWrite.prototype.transformUser = function() {
     return promise;
   }
 
+  if (!this.auth.isMaster && "emailVerified" in this.data) {
+    const error = `Clients aren't allowed to manually update email verification.`
+    throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, error);
+  }
+
   if (this.query) {
     // If we're updating a _User object, we need to clear out the cache for that user. Find all their
     // session tokens, and remove them from the cache.

src/Routers/UsersRouter.js

@@ -57,6 +57,17 @@ export class UsersRouter extends ClassesRouter {
           const user = response.results[0].user;
           // Send token back on the login, because SDKs expect that.
           user.sessionToken = sessionToken;
+
+          // Remove hidden properties.
+          for (var key in user) {
+            if (user.hasOwnProperty(key)) {
+              // Regexp comes from Parse.Object.prototype.validate
+              if (key !== "__type" && !(/^[A-Za-z][0-9A-Za-z_]*$/).test(key)) {
+                delete user[key];
+              }
+            }
+          }
+
           return { response: user };
         }
       });