Remove redundant checks for _User as it now uses ACL

[mullwaden]

Fixes #4647

[mullwaden]

Would perhaps make sense to add a test to check that the user can not lock herself out by changing her ACL? Not sure how to go about it however

[flovilmart]

@mullwaden there are 3 tests failing, so obviously, you’re onto something. You can run your tests locally with npm test.

Also, i’m Not sure that all 3 tests should be removed.

[codecov]

Codecov Report

Merging #4792 into master will increase coverage by <.01%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master    #4792      +/-   ##
==========================================
+ Coverage   92.69%   92.69%   +<.01%     
==========================================
  Files         119      119              
  Lines        8679     8669      -10     
==========================================
- Hits         8045     8036       -9     
+ Misses        634      633       -1

Impacted Files	Coverage Δ
src/Auth.js	100% <ø> (ø)	⬆️
src/rest.js	98.75% <ø> (-0.04%)	⬇️
src/RestWrite.js	93.77% <100%> (-0.03%)	⬇️
...dapters/Storage/Postgres/PostgresStorageAdapter.js	97.24% <0%> (+0.08%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 32d8c36...0e8ae5f. Read the comment docs.

[mullwaden]

Ah, rookie mistake... So the 3 errors in question:

Parse.User testing cannot save non-authed user
  - Expected 101 to equal 206.

Parse.User testing cannot delete non-authed user
  - Expected 101 to equal 206.

Parse.User testing cannot saveAll with non-authed user
  - Expected 101 to equal 206.

For user there is a special case that when the Auth.prototype.couldUpdateUserId does not pass it returns 206, all other classes as far as I can tell return 101. Really hard for me to say of course, but to me it makes more sense to consistently return 101.

[aBuder]

@mullwaden Would this PR would accepted. Your solution would help me and let other users modify other users. I would hope 👍

[flovilmart]

@mullwaden sorry I dropped the ball on this one.

Can we add tests that ensure that the safeguards that were in place are still properly working? We removed some security checks so I'd like to be 100% sure that everything is still safe.

[aBuder]

@mullwaden Could you create some tests for it?

[mullwaden]

Bit unsure here, did we not come to the conclusion that it was probably not a good idea to make this change in #4789 ? One quick fix could then be to overwrite the setACL function on _User so that it prints a warning that ACL can't be used on the _User object.

[flovilmart]

We should add tests that by default users can’t be overwritten by another user, or worst by an unauthenticated call. Originally those were protected by code, now it isn’t. The last thing we want, is to have a publicly accessible and opened user table

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.