Why can't I set the ACL for a User to read: false + write:false?

Question

I'm trying to create a new user via the REST API, and want the object to be accessible (read+write) only to the user that created it. If I create the user without setting an ACL, setting only the username/password, it automatically gets "Public Read, xxxx" where xxxx is the objectId.

If I include an ACL with the create user call, it silently ignores the field and gives it that same public read access.

{"username":"dummyUsersname","ACL":{"*":{"write":false,"read":false}},"password":"dummyPassword"}

If I try to update the ACL after creating the object, I get:

code: 123 error: Invalid acl {"*":{"read":false,"write":false}}

And yet the web-based data browser will let me revoke the public read access without complaint. Any idea what's going on?

Answer 1

Try using Cloud Code function:

Parse.Cloud.beforeSave(Parse.User, function(request, response) {
    var acl = new Parse.ACL();
    acl.setPublicReadAccess(false);
    acl.setPublicWriteAccess(false);

    request.object.setACL(acl);
    response.success();
});

When using it, request

curl -X POST \
  -H "X-Parse-Application-Id: <app_id>" \
  -H "X-Parse-REST-API-Key: <rest_api_key>" \
  -H "X-Parse-Revocable-Session: 1" \
  -H "Content-Type: application/json" \
  -d '{"username":"cooldude6","password":"p_n7!-e8","phone":"415-392-0202"}' \
  https://api.parse.com/1/users

...returns:

{"ACL":{"adItsbPH0a":{"read":true,"write":true}},"createdAt":"2015-08-13T10:10:09.591Z","objectId":"adItsbPH0a","phone":"415-392-0202","sessionToken":"r:otH4qsd2zmBG4tTj4ePoGSFVE","username":"cooldude6"}

Hope this helps.