Ensure users with undefined ACL are treated as readable (#4795)

* Adds test to reproduce issue #4790

* Attempt to allow failure on node STABLE

* Use new format for apt packages
Florent Vilmart
2018-05-30 12:55:15 -04:00
committed by GitHub
parent f4422c491e
commit 9bff44b446
3 changed files with 44 additions and 3 deletions


@@ -117,7 +117,8 @@ export class UsersRouter extends ClassesRouter {
// Ensure the user isn't locked out
// A locked out user won't be able to login
// To lock a user out, just set the ACL to `masterKey` only ({}).
if (!req.auth.isMaster && (!user.ACL || Object.keys(user.ACL).length == 0)) {
// Empty ACL is OK
if (!req.auth.isMaster && user.ACL && Object.keys(user.ACL).length == 0) {
throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Invalid username/password.');
}
if (req.config.verifyUserEmails && req.config.preventLoginWithUnverifiedEmail && !user.emailVerified) {
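Review bot: The added comment `// Empty ACL is OK` says the opposite of the condition directly below it, which still rejects a non-master login when `user.ACL` is an empty object and now exempts only a missing ACL. This check is the lockout mechanism described in the comment above it (`{}` means masterKey only), so a misleading comment here invites a later edit that weakens it. I would reword it to `// A missing (undefined) ACL is treated as readable; only an explicitly empty ACL ({}) locks the user out`. As a style point, the length test could use `=== 0` rather than `== 0`. The enclosing handler starts and ends outside this hunk.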