Ensure users with undefined ACL are treated as readable (#4795)

* Adds test to reproduce issue #4790

* Attempt to allow failure on node STABLE

* Use new format for apt packages

.travis.yml

@@ -7,8 +7,9 @@ services:
   - docker
 addons:
   postgresql: '9.5'
-  apt_packages:
-  - postgresql-9.5-postgis-2.3
+  apt:
+    packages:
+      - postgresql-9.5-postgis-2.3
 branches:
   only:
   - master
@@ -32,6 +33,9 @@ env:
   - PARSE_SERVER_TEST_DB=postgres
   - PARSE_SERVER_TEST_CACHE=redis
   - NODE_VERSION=stable
+matrix:
+  allow_failures:
+    - env: NODE_VERSION=stable
 before_install:
 - nvm install $NODE_VERSION
 - nvm use $NODE_VERSION

spec/ParseUser.spec.js

@@ -7,6 +7,7 @@
 
 "use strict";
 
+import MongoStorageAdapter from '../src/Adapters/Storage/Mongo/MongoStorageAdapter';
 const request = require('request');
 const passwordCrypto = require('../src/password');
 const Config = require('../src/Config');
@@ -239,6 +240,41 @@ describe('Parse.User testing', () => {
     });
   });
 
+  it_only_db('mongo')('should let legacy users without ACL login', async() => {
+    const databaseURI = 'mongodb://localhost:27017/parseServerMongoAdapterTestDatabase';
+    const adapter = new MongoStorageAdapter({ collectionPrefix: 'test_', uri: databaseURI });
+    await adapter.connect();
+    await adapter.database.dropDatabase();
+    delete adapter.connectionPromise;
+
+    const user = new Parse.User();
+    await user.signUp({
+      username: 'newUser',
+      password: 'password',
+    });
+
+    const collection = await adapter._adaptiveCollection('_User');
+    await collection.insertOne({
+      // the hashed password is 'password' hashed
+      "_hashed_password": "$2b$10$mJ2ca2UbCM9hlojYHZxkQe8pyEXe5YMg0nMdvP4AJBeqlTEZJ6/Uu",
+      "_session_token": "xxx",
+      "email": "xxx@a.b",
+      "username": "oldUser",
+      "emailVerified": true,
+      "_email_verify_token": "yyy",
+    });
+
+    // get the 2 users
+    const users = await collection.find();
+    expect(users.length).toBe(2);
+
+    const aUser = await Parse.User.logIn('oldUser', 'password');
+    expect(aUser).not.toBeUndefined();
+
+    const newUser = await Parse.User.logIn('newUser', 'password');
+    expect(newUser).not.toBeUndefined();
+  });
+
   it('should be let masterKey lock user out with authData', (done) => {
     let objectId;
     let sessionToken;

src/Routers/UsersRouter.js

@@ -117,7 +117,8 @@ export class UsersRouter extends ClassesRouter {
         // Ensure the user isn't locked out
         // A locked out user won't be able to login
         // To lock a user out, just set the ACL to `masterKey` only  ({}).
-        if (!req.auth.isMaster && (!user.ACL || Object.keys(user.ACL).length == 0)) {
+        // Empty ACL is OK
+        if (!req.auth.isMaster && user.ACL && Object.keys(user.ACL).length == 0) {
           throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Invalid username/password.');
         }
         if (req.config.verifyUserEmails && req.config.preventLoginWithUnverifiedEmail && !user.emailVerified) {