parse-server: _User ACL not working correctly

Issue Description

Updates to _User record do not adhere to the ACL correctly. If a moderator is editing another _User record (i.e not their own data). With the correct ACL’s in place, the server always denies permission due to this line

if (this.className === '_User' &&
      this.query &&
      !this.auth.couldUpdateUserId(this.query.objectId)) {
    throw new Parse.Error(Parse.Error.SESSION_MISSING, `Cannot modify user ${this.query.objectId}.`);
  }

As you can see the function will only return true if we’re using the master key or the object is the currently logged in user.

// Whether this auth could possibly modify the given user id.
// It still could be forbidden via ACLs even if this returns true.
Auth.prototype.couldUpdateUserId = function(userId) {
  if (this.isMaster) {
    return true;
  }
  if (this.user && this.user.id === userId) {
    return true;
  }
  return false;
};

The comment implies that the ACL can still override, but this is not the case.

Steps to reproduce

1. Correctly assign ACLs to the user record so that the currently authenticated user should be able to edit the record.

2. Edit the _User record

Expected Results

A successful outcome.

Actual Outcome

{"code":206,"message":"Cannot modify user IyYUu90HdL.","level":"error","timestamp":"2017-03-01T17:41:56.373Z"}

Environment Setup

• Server

  • parse-server version (Be specific! Don’t say ‘latest’.) : 2.3.6
  • Operating System: OSX 10.12.1
  • Hardware: MBP-2015
  • Localhost or remote server? (AWS, Heroku, Azure, Digital Ocean, etc): localhost

• Database

  • MongoDB version: 3.2.11
  • Storage engine: MMAPv1
  • Hardware: ??
  • Localhost or remote server? (AWS, mLab, ObjectRocket, Digital Ocean, etc): mLab

Logs/Trace

Include all relevant logs. You can turn on additional logging by configuring VERBOSE=1 in your environment.