// This is a port of the test suite: // hungry/js/test/parse_acl_test.js const rest = require('../lib/rest'); const Config = require('../lib/Config'); const auth = require('../lib/Auth'); describe('Parse.ACL', () => { it("acl must be valid", (done) => { const user = new Parse.User(); ok(!user.setACL("Ceci n'est pas un ACL.", { error: function(user, error) { equal(error.code, -1); done(); } }), "setACL should have returned false."); }); it("refresh object with acl", async (done) => { // Create an object owned by Alice. const user = new Parse.User(); user.set("username", "alice"); user.set("password", "wonderland"); await user.signUp(null); const object = new TestObject(); const acl = new Parse.ACL(user); object.setACL(acl); await object.save(); await object.fetch(); done(); }); it("acl an object owned by one user and public get", async (done) => { // Create an object owned by Alice. const user = new Parse.User(); user.set("username", "alice"); user.set("password", "wonderland"); await user.signUp(); const object = new TestObject(); const acl = new Parse.ACL(user); object.setACL(acl); await object.save(); equal(object.getACL().getReadAccess(user), true); equal(object.getACL().getWriteAccess(user), true); equal(object.getACL().getPublicReadAccess(), false); equal(object.getACL().getPublicWriteAccess(), false); ok(object.get("ACL")); await Parse.User.logOut(); const query = new Parse.Query(TestObject); try { await query.get(object.id); done.fail('Should not have retrieved the object.'); } catch(error) { equal(error.code, Parse.Error.OBJECT_NOT_FOUND); done(); } }); it("acl an object owned by one user and public find", async (done) => { // Create an object owned by Alice. const user = new Parse.User(); user.set("username", "alice"); user.set("password", "wonderland"); await user.signUp(); const object = new TestObject(); const acl = new Parse.ACL(user); object.setACL(acl); await object.save() equal(object.getACL().getReadAccess(user), true); equal(object.getACL().getWriteAccess(user), true); equal(object.getACL().getPublicReadAccess(), false); equal(object.getACL().getPublicWriteAccess(), false); ok(object.get("ACL")); // Start making requests by the public, which should all fail. await Parse.User.logOut() // Find const query = new Parse.Query(TestObject); const results = await query.find(); equal(results.length, 0); done(); }); it("acl an object owned by one user and public update", async (done) => { // Create an object owned by Alice. const user = new Parse.User(); user.set("username", "alice"); user.set("password", "wonderland"); await user.signUp(); const object = new TestObject(); const acl = new Parse.ACL(user); object.setACL(acl); await object.save(); equal(object.getACL().getReadAccess(user), true); equal(object.getACL().getWriteAccess(user), true); equal(object.getACL().getPublicReadAccess(), false); equal(object.getACL().getPublicWriteAccess(), false); ok(object.get("ACL")); // Start making requests by the public, which should all fail. await Parse.User.logOut() // Update object.set("foo", "bar"); try { await object.save() done.fail('Should not have been able to update the object.'); } catch(err) { equal(err.code, Parse.Error.OBJECT_NOT_FOUND); done(); } }); it("acl an object owned by one user and public delete", async (done) => { // Create an object owned by Alice. const user = new Parse.User(); user.set("username", "alice"); user.set("password", "wonderland"); await user.signUp() const object = new TestObject(); const acl = new Parse.ACL(user); object.setACL(acl); await object.save(); equal(object.getACL().getReadAccess(user), true); equal(object.getACL().getWriteAccess(user), true); equal(object.getACL().getPublicReadAccess(), false); equal(object.getACL().getPublicWriteAccess(), false); ok(object.get("ACL")); // Start making requests by the public, which should all fail. await Parse.User.logOut() try { await object.destroy() done.fail('destroy should fail'); } catch(error) { expect(error.code).toEqual(Parse.Error.OBJECT_NOT_FOUND); done(); } }); it("acl an object owned by one user and logged in get", async (done) => { // Create an object owned by Alice. const user = new Parse.User(); user.set("username", "alice"); user.set("password", "wonderland"); await user.signUp() const object = new TestObject(); const acl = new Parse.ACL(user); object.setACL(acl); await object.save(); equal(object.getACL().getReadAccess(user), true); equal(object.getACL().getWriteAccess(user), true); equal(object.getACL().getPublicReadAccess(), false); equal(object.getACL().getPublicWriteAccess(), false); ok(object.get("ACL")); await Parse.User.logOut(); await Parse.User.logIn("alice", "wonderland"); // Get const query = new Parse.Query(TestObject); const result = await query.get(object.id); ok(result); equal(result.id, object.id); equal(result.getACL().getReadAccess(user), true); equal(result.getACL().getWriteAccess(user), true); equal(result.getACL().getPublicReadAccess(), false); equal(result.getACL().getPublicWriteAccess(), false); ok(object.get("ACL")); done(); }); it("acl an object owned by one user and logged in find", async (done) => { // Create an object owned by Alice. const user = new Parse.User(); user.set("username", "alice"); user.set("password", "wonderland"); await user.signUp(); const object = new TestObject(); const acl = new Parse.ACL(user); object.setACL(acl); await object.save(); equal(object.getACL().getReadAccess(user), true); equal(object.getACL().getWriteAccess(user), true); equal(object.getACL().getPublicReadAccess(), false); equal(object.getACL().getPublicWriteAccess(), false); ok(object.get("ACL")); await Parse.User.logOut() await Parse.User.logIn("alice", "wonderland"); // Find const query = new Parse.Query(TestObject); const results = await query.find(); equal(results.length, 1); const result = results[0]; ok(result); if (!result) { return fail(); } equal(result.id, object.id); equal(result.getACL().getReadAccess(user), true); equal(result.getACL().getWriteAccess(user), true); equal(result.getACL().getPublicReadAccess(), false); equal(result.getACL().getPublicWriteAccess(), false); ok(object.get("ACL")); done(); }); it("acl an object owned by one user and logged in update", async (done) => { // Create an object owned by Alice. const user = new Parse.User(); user.set("username", "alice"); user.set("password", "wonderland"); await user.signUp(); const object = new TestObject(); const acl = new Parse.ACL(user); object.setACL(acl); await object.save(); equal(object.getACL().getReadAccess(user), true); equal(object.getACL().getWriteAccess(user), true); equal(object.getACL().getPublicReadAccess(), false); equal(object.getACL().getPublicWriteAccess(), false); ok(object.get("ACL")); await Parse.User.logOut(); await Parse.User.logIn("alice", "wonderland"); // Update object.set("foo", "bar"); await object.save(); done(); }); it("acl an object owned by one user and logged in delete", async (done) => { // Create an object owned by Alice. const user = new Parse.User(); user.set("username", "alice"); user.set("password", "wonderland"); await user.signUp(); const object = new TestObject(); const acl = new Parse.ACL(user); object.setACL(acl); await object.save() equal(object.getACL().getReadAccess(user), true); equal(object.getACL().getWriteAccess(user), true); equal(object.getACL().getPublicReadAccess(), false); equal(object.getACL().getPublicWriteAccess(), false); ok(object.get("ACL")); await Parse.User.logOut() await Parse.User.logIn("alice", "wonderland"); // Delete await object.destroy(); done(); }); it("acl making an object publicly readable and public get", async (done) => { // Create an object owned by Alice. const user = new Parse.User(); user.set("username", "alice"); user.set("password", "wonderland"); await user.signUp(); const object = new TestObject(); const acl = new Parse.ACL(user); object.setACL(acl); await object.save(); equal(object.getACL().getReadAccess(user), true); equal(object.getACL().getWriteAccess(user), true); equal(object.getACL().getPublicReadAccess(), false); equal(object.getACL().getPublicWriteAccess(), false); ok(object.get("ACL")); // Now make it public. object.getACL().setPublicReadAccess(true); await object.save(); equal(object.getACL().getReadAccess(user), true); equal(object.getACL().getWriteAccess(user), true); equal(object.getACL().getPublicReadAccess(), true); equal(object.getACL().getPublicWriteAccess(), false); ok(object.get("ACL")); await Parse.User.logOut() // Get const query = new Parse.Query(TestObject); const result = await query.get(object.id); ok(result); equal(result.id, object.id); done(); }); it("acl making an object publicly readable and public find", async (done) => { // Create an object owned by Alice. const user = new Parse.User(); user.set("username", "alice"); user.set("password", "wonderland"); await user.signUp(); const object = new TestObject(); const acl = new Parse.ACL(user); object.setACL(acl); await object.save(); equal(object.getACL().getReadAccess(user), true); equal(object.getACL().getWriteAccess(user), true); equal(object.getACL().getPublicReadAccess(), false); equal(object.getACL().getPublicWriteAccess(), false); ok(object.get("ACL")); // Now make it public. object.getACL().setPublicReadAccess(true); await object.save(); equal(object.getACL().getReadAccess(user), true); equal(object.getACL().getWriteAccess(user), true); equal(object.getACL().getPublicReadAccess(), true); equal(object.getACL().getPublicWriteAccess(), false); ok(object.get("ACL")); await Parse.User.logOut() // Find const query = new Parse.Query(TestObject); const results = await query.find(); equal(results.length, 1); const result = results[0]; ok(result); equal(result.id, object.id); done(); }); it("acl making an object publicly readable and public update", async (done) => { // Create an object owned by Alice. const user = new Parse.User(); user.set("username", "alice"); user.set("password", "wonderland"); await user.signUp(); const object = new TestObject(); const acl = new Parse.ACL(user); object.setACL(acl); await object.save(); equal(object.getACL().getReadAccess(user), true); equal(object.getACL().getWriteAccess(user), true); equal(object.getACL().getPublicReadAccess(), false); equal(object.getACL().getPublicWriteAccess(), false); ok(object.get("ACL")); // Now make it public. object.getACL().setPublicReadAccess(true); await object.save(); equal(object.getACL().getReadAccess(user), true); equal(object.getACL().getWriteAccess(user), true); equal(object.getACL().getPublicReadAccess(), true); equal(object.getACL().getPublicWriteAccess(), false); ok(object.get("ACL")); await Parse.User.logOut() object.set("foo", "bar"); object.save().then(() => { fail('the save should fail'); }, error => { expect(error.code).toEqual(Parse.Error.OBJECT_NOT_FOUND); done(); }); }); it("acl making an object publicly readable and public delete", async (done) => { // Create an object owned by Alice. const user = new Parse.User(); user.set("username", "alice"); user.set("password", "wonderland"); await user.signUp(); const object = new TestObject(); const acl = new Parse.ACL(user); object.setACL(acl); await object.save(); equal(object.getACL().getReadAccess(user), true); equal(object.getACL().getWriteAccess(user), true); equal(object.getACL().getPublicReadAccess(), false); equal(object.getACL().getPublicWriteAccess(), false); ok(object.get("ACL")); // Now make it public. object.getACL().setPublicReadAccess(true); await object.save(); equal(object.getACL().getReadAccess(user), true); equal(object.getACL().getWriteAccess(user), true); equal(object.getACL().getPublicReadAccess(), true); equal(object.getACL().getPublicWriteAccess(), false); ok(object.get("ACL")); Parse.User.logOut() .then(() => object.destroy()) .then(() => { fail('expected failure'); }, error => { expect(error.code).toEqual(Parse.Error.OBJECT_NOT_FOUND); done(); }); }); it("acl making an object publicly writable and public get", async (done) => { // Create an object owned by Alice. const user = new Parse.User(); user.set("username", "alice"); user.set("password", "wonderland"); await user.signUp(); const object = new TestObject(); const acl = new Parse.ACL(user); object.setACL(acl); await object.save(); equal(object.getACL().getReadAccess(user), true); equal(object.getACL().getWriteAccess(user), true); equal(object.getACL().getPublicReadAccess(), false); equal(object.getACL().getPublicWriteAccess(), false); ok(object.get("ACL")); // Now make it public. object.getACL().setPublicWriteAccess(true); await object.save(); equal(object.getACL().getReadAccess(user), true); equal(object.getACL().getWriteAccess(user), true); equal(object.getACL().getPublicReadAccess(), false); equal(object.getACL().getPublicWriteAccess(), true); ok(object.get("ACL")); await Parse.User.logOut() // Get const query = new Parse.Query(TestObject); query.get(object.id) .then(done.fail) .catch((error) => { equal(error.code, Parse.Error.OBJECT_NOT_FOUND); done(); }); }); it("acl making an object publicly writable and public find", async (done) => { // Create an object owned by Alice. const user = new Parse.User(); user.set("username", "alice"); user.set("password", "wonderland"); await user.signUp(); const object = new TestObject(); const acl = new Parse.ACL(user); object.setACL(acl); await object.save(); equal(object.getACL().getReadAccess(user), true); equal(object.getACL().getWriteAccess(user), true); equal(object.getACL().getPublicReadAccess(), false); equal(object.getACL().getPublicWriteAccess(), false); ok(object.get("ACL")); // Now make it public. object.getACL().setPublicWriteAccess(true); await object.save(); equal(object.getACL().getReadAccess(user), true); equal(object.getACL().getWriteAccess(user), true); equal(object.getACL().getPublicReadAccess(), false); equal(object.getACL().getPublicWriteAccess(), true); ok(object.get("ACL")); await Parse.User.logOut() // Find const query = new Parse.Query(TestObject); query.find().then(function(results) { equal(results.length, 0); done(); }); }); it("acl making an object publicly writable and public update", async (done) => { // Create an object owned by Alice. const user = new Parse.User(); user.set("username", "alice"); user.set("password", "wonderland"); await user.signUp(); const object = new TestObject(); const acl = new Parse.ACL(user); object.setACL(acl); await object.save(); equal(object.getACL().getReadAccess(user), true); equal(object.getACL().getWriteAccess(user), true); equal(object.getACL().getPublicReadAccess(), false); equal(object.getACL().getPublicWriteAccess(), false); ok(object.get("ACL")); // Now make it public. object.getACL().setPublicWriteAccess(true); await object.save(); equal(object.getACL().getReadAccess(user), true); equal(object.getACL().getWriteAccess(user), true); equal(object.getACL().getPublicReadAccess(), false); equal(object.getACL().getPublicWriteAccess(), true); ok(object.get("ACL")); Parse.User.logOut() .then(() => { // Update object.set("foo", "bar"); object.save().then(done); }); }); it("acl making an object publicly writable and public delete", async (done) => { // Create an object owned by Alice. const user = new Parse.User(); user.set("username", "alice"); user.set("password", "wonderland"); await user.signUp(); const object = new TestObject(); const acl = new Parse.ACL(user); object.setACL(acl); await object.save(); equal(object.getACL().getReadAccess(user), true); equal(object.getACL().getWriteAccess(user), true); equal(object.getACL().getPublicReadAccess(), false); equal(object.getACL().getPublicWriteAccess(), false); ok(object.get("ACL")); // Now make it public. object.getACL().setPublicWriteAccess(true); await object.save(); equal(object.getACL().getReadAccess(user), true); equal(object.getACL().getWriteAccess(user), true); equal(object.getACL().getPublicReadAccess(), false); equal(object.getACL().getPublicWriteAccess(), true); ok(object.get("ACL")); Parse.User.logOut() .then(() => { // Delete object.destroy().then(done); }); }); it("acl making an object privately writable (#3194)", (done) => { // Create an object owned by Alice. let object; let user2; const user = new Parse.User(); user.set("username", "alice"); user.set("password", "wonderland"); user.signUp().then(() => { object = new TestObject(); const acl = new Parse.ACL(user); acl.setPublicWriteAccess(false); acl.setPublicReadAccess(true); object.setACL(acl); return object.save().then(() => { return Parse.User.logOut(); }) }).then(() => { user2 = new Parse.User(); user2.set("username", "bob"); user2.set("password", "burger"); return user2.signUp(); }).then(() => { return object.destroy({sessionToken: user2.getSessionToken() }); }).then(() => { fail('should not be able to destroy the object'); done(); }, (err) => { expect(err).not.toBeUndefined(); done(); }); }); it("acl sharing with another user and get", async (done) => { // Sign in as Bob. const bob = await Parse.User.signUp("bob", "pass"); await Parse.User.logOut() const alice = await Parse.User.signUp("alice", "wonderland"); // Create an object shared by Bob and Alice. const object = new TestObject(); const acl = new Parse.ACL(alice); acl.setWriteAccess(bob, true); acl.setReadAccess(bob, true); object.setACL(acl); await object.save(); equal(object.getACL().getReadAccess(alice), true); equal(object.getACL().getWriteAccess(alice), true); equal(object.getACL().getReadAccess(bob), true); equal(object.getACL().getWriteAccess(bob), true); equal(object.getACL().getPublicReadAccess(), false); equal(object.getACL().getPublicWriteAccess(), false); // Sign in as Bob again. await Parse.User.logIn("bob", "pass"); const query = new Parse.Query(TestObject); query.get(object.id).then((result) => { ok(result); equal(result.id, object.id); done(); }); }); it("acl sharing with another user and find", async (done) => { // Sign in as Bob. const bob = await Parse.User.signUp("bob", "pass"); await Parse.User.logOut() // Sign in as Alice. const alice = await Parse.User.signUp("alice", "wonderland"); // Create an object shared by Bob and Alice. const object = new TestObject(); const acl = new Parse.ACL(alice); acl.setWriteAccess(bob, true); acl.setReadAccess(bob, true); object.setACL(acl); await object.save(); equal(object.getACL().getReadAccess(alice), true); equal(object.getACL().getWriteAccess(alice), true); equal(object.getACL().getReadAccess(bob), true); equal(object.getACL().getWriteAccess(bob), true); equal(object.getACL().getPublicReadAccess(), false); equal(object.getACL().getPublicWriteAccess(), false); // Sign in as Bob again. await Parse.User.logIn("bob", "pass"); const query = new Parse.Query(TestObject); query.find().then((results) => { equal(results.length, 1); const result = results[0]; ok(result); if (!result) { fail("should have result"); } else { equal(result.id, object.id); } done(); }); }); it("acl sharing with another user and update", async (done) => { // Sign in as Bob. const bob = await Parse.User.signUp("bob", "pass"); await Parse.User.logOut() // Sign in as Alice. const alice = await Parse.User.signUp("alice", "wonderland"); // Create an object shared by Bob and Alice. const object = new TestObject(); const acl = new Parse.ACL(alice); acl.setWriteAccess(bob, true); acl.setReadAccess(bob, true); object.setACL(acl); await object.save(); equal(object.getACL().getReadAccess(alice), true); equal(object.getACL().getWriteAccess(alice), true); equal(object.getACL().getReadAccess(bob), true); equal(object.getACL().getWriteAccess(bob), true); equal(object.getACL().getPublicReadAccess(), false); equal(object.getACL().getPublicWriteAccess(), false); // Sign in as Bob again. await Parse.User.logIn("bob", "pass"); object.set("foo", "bar"); object.save().then(done); }); it("acl sharing with another user and delete", async (done) => { // Sign in as Bob. const bob = await Parse.User.signUp("bob", "pass"); await Parse.User.logOut(); // Sign in as Alice. const alice = await Parse.User.signUp("alice", "wonderland"); // Create an object shared by Bob and Alice. const object = new TestObject(); const acl = new Parse.ACL(alice); acl.setWriteAccess(bob, true); acl.setReadAccess(bob, true); object.setACL(acl); await object.save(); equal(object.getACL().getReadAccess(alice), true); equal(object.getACL().getWriteAccess(alice), true); equal(object.getACL().getReadAccess(bob), true); equal(object.getACL().getWriteAccess(bob), true); equal(object.getACL().getPublicReadAccess(), false); equal(object.getACL().getPublicWriteAccess(), false); // Sign in as Bob again. await Parse.User.logIn("bob", "pass"); object.set("foo", "bar"); object.destroy().then(done); }); it("acl sharing with another user and public get", async (done) => { const bob = await Parse.User.signUp("bob", "pass"); await Parse.User.logOut(); // Sign in as Alice. const alice = await Parse.User.signUp("alice", "wonderland"); // Create an object shared by Bob and Alice. const object = new TestObject(); const acl = new Parse.ACL(alice); acl.setWriteAccess(bob, true); acl.setReadAccess(bob, true); object.setACL(acl); await object.save(); equal(object.getACL().getReadAccess(alice), true); equal(object.getACL().getWriteAccess(alice), true); equal(object.getACL().getReadAccess(bob), true); equal(object.getACL().getWriteAccess(bob), true); equal(object.getACL().getPublicReadAccess(), false); equal(object.getACL().getPublicWriteAccess(), false); // Start making requests by the public. await Parse.User.logOut() const query = new Parse.Query(TestObject); query.get(object.id).then((result) => { fail(result); }, (error) => { expect(error.code).toEqual(Parse.Error.OBJECT_NOT_FOUND); done(); }); }); it("acl sharing with another user and public find", async (done) => { const bob = await Parse.User.signUp("bob", "pass"); await Parse.User.logOut(); // Sign in as Alice. const alice = await Parse.User.signUp("alice", "wonderland"); // Create an object shared by Bob and Alice. const object = new TestObject(); const acl = new Parse.ACL(alice); acl.setWriteAccess(bob, true); acl.setReadAccess(bob, true); object.setACL(acl); await object.save(); equal(object.getACL().getReadAccess(alice), true); equal(object.getACL().getWriteAccess(alice), true); equal(object.getACL().getReadAccess(bob), true); equal(object.getACL().getWriteAccess(bob), true); equal(object.getACL().getPublicReadAccess(), false); equal(object.getACL().getPublicWriteAccess(), false); // Start making requests by the public. Parse.User.logOut() .then(() => { const query = new Parse.Query(TestObject); query.find().then(function(results) { equal(results.length, 0); done(); }); }); }); it("acl sharing with another user and public update", async (done) => { // Sign in as Bob. const bob = await Parse.User.signUp("bob", "pass"); await Parse.User.logOut(); // Sign in as Alice. const alice = await Parse.User.signUp("alice", "wonderland"); // Create an object shared by Bob and Alice. const object = new TestObject(); const acl = new Parse.ACL(alice); acl.setWriteAccess(bob, true); acl.setReadAccess(bob, true); object.setACL(acl); await object.save(); equal(object.getACL().getReadAccess(alice), true); equal(object.getACL().getWriteAccess(alice), true); equal(object.getACL().getReadAccess(bob), true); equal(object.getACL().getWriteAccess(bob), true); equal(object.getACL().getPublicReadAccess(), false); equal(object.getACL().getPublicWriteAccess(), false); // Start making requests by the public. Parse.User.logOut() .then(() => { object.set("foo", "bar"); object.save().then(() => { fail('expected failure'); }, (error) => { expect(error.code).toEqual(Parse.Error.OBJECT_NOT_FOUND); done(); }); }); }); it("acl sharing with another user and public delete", async (done) => { // Sign in as Bob. const bob = await Parse.User.signUp("bob", "pass"); await Parse.User.logOut(); // Sign in as Alice. const alice = await Parse.User.signUp("alice", "wonderland"); // Create an object shared by Bob and Alice. const object = new TestObject(); const acl = new Parse.ACL(alice); acl.setWriteAccess(bob, true); acl.setReadAccess(bob, true); object.setACL(acl); await object.save(); equal(object.getACL().getReadAccess(alice), true); equal(object.getACL().getWriteAccess(alice), true); equal(object.getACL().getReadAccess(bob), true); equal(object.getACL().getWriteAccess(bob), true); equal(object.getACL().getPublicReadAccess(), false); equal(object.getACL().getPublicWriteAccess(), false); // Start making requests by the public. Parse.User.logOut() .then(() => object.destroy()) .then(() => { fail('expected failure'); }, (error) => { expect(error.code).toEqual(Parse.Error.OBJECT_NOT_FOUND); done(); }); }); it("acl saveAll with permissions", async (done) => { const alice = await Parse.User.signUp("alice", "wonderland"); const acl = new Parse.ACL(alice); const object1 = new TestObject(); const object2 = new TestObject(); object1.setACL(acl); object2.setACL(acl); await Parse.Object.saveAll([object1, object2]); equal(object1.getACL().getReadAccess(alice), true); equal(object1.getACL().getWriteAccess(alice), true); equal(object1.getACL().getPublicReadAccess(), false); equal(object1.getACL().getPublicWriteAccess(), false); equal(object2.getACL().getReadAccess(alice), true); equal(object2.getACL().getWriteAccess(alice), true); equal(object2.getACL().getPublicReadAccess(), false); equal(object2.getACL().getPublicWriteAccess(), false); // Save all the objects after updating them. object1.set("foo", "bar"); object2.set("foo", "bar"); await Parse.Object.saveAll([object1, object2]); const query = new Parse.Query(TestObject); query.equalTo("foo", "bar"); query.find().then(function(results) { equal(results.length, 2); done(); }); }); it("empty acl works", async (done) => { await Parse.User.signUp("tdurden", "mayhem", { ACL: new Parse.ACL(), foo: "bar" }); await Parse.User.logOut() const user = await Parse.User.logIn("tdurden", "mayhem"); equal(user.get("foo"), "bar"); done(); }); it("query for included object with ACL works", async (done) => { const obj1 = new Parse.Object("TestClass1"); const obj2 = new Parse.Object("TestClass2"); const acl = new Parse.ACL(); acl.setPublicReadAccess(true); obj2.set("ACL", acl); obj1.set("other", obj2); await obj1.save(); obj2._clearServerData(); const query = new Parse.Query("TestClass1"); const obj1Again = await query.first(); ok(!obj1Again.get("other").get("ACL")); query.include("other"); const obj1AgainWithInclude = await query.first(); ok(obj1AgainWithInclude.get("other").get("ACL")); done(); }); it('restricted ACL does not have public access', (done) => { const obj = new Parse.Object("TestClassMasterACL"); const acl = new Parse.ACL(); obj.set('ACL', acl); obj.save().then(() => { const query = new Parse.Query("TestClassMasterACL"); return query.find(); }).then((results) => { ok(!results.length, 'Should not have returned object with secure ACL.'); done(); }); }); it('regression test #701', done => { const config = Config.get('test'); const anonUser = { authData: { anonymous: { id: '00000000-0000-0000-0000-000000000001' } } }; Parse.Cloud.afterSave(Parse.User, req => { if (!req.object.existed()) { const user = req.object; const acl = new Parse.ACL(user); user.setACL(acl); user.save(null, {useMasterKey: true}).then(user => { new Parse.Query('_User').get(user.objectId).then(() => { fail('should not have fetched user without public read enabled'); done(); }, error => { expect(error.code).toEqual(Parse.Error.OBJECT_NOT_FOUND); done(); }); }, done.fail); } }); rest.create(config, auth.nobody(config), '_User', anonUser) }) });