USER

[Polarbear2121]

I'm using the REST API to sign up new user and I noticed that Parse creates the ACL with a public read and objectId of the user. Why? Is there a reason behind that default behavior? If we only use the objectId of the user, that should make the record more secure, right? Maybe, it needs to be that way so Parse Server can obtain the objectId before setting up the ACL? Is there a way when signing a new user to set up the ACL for the user only (of course I don't want to make a second call to the REST API to set up the ACL).

[montymxb]

Partially. A user can't be signed up unless the current user (public generally) has access in that object's ACL. Beyond that publicly checking users keeps additional lookup features from requiring the masterKey, without divulging anything sensitive. Technically you could make that user readable by the user only, but this would be like making a hidden user of sorts, and I would imagine it might cause issues with later functionality, such as logging in (just a hunch).

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.