Cloud Code: User can't access an object which has an ACL for the role it belongs to
The functionality I want to achieve is this:
When a user registers, two roles (admin, users) are created.
If the user is an admin he should be able to invite other users to join for the same account with user privilege (non admin).
A user who is not admin should not be able to invite people to join.
This is how I am trying to achieve this in Cloud Code:
Create two roles when an account is created.
Create two dummy objects with admin and user ACLs. Below is the code for these two steps:
// The name suffixes and the Dummy class are not shown in the question; the
// ACLs listed at the end imply "_Administrator" and "_user", and the dummy
// suffix is an assumed value.
var ADMINISTRATOR = "_Administrator";
var USER = "_user";
var DUMMY = "_dummy";
var Dummy = Parse.Object.extend("Dummy");

Parse.Cloud.afterSave("account", function(request) {
    var accountName = request.object.get("name");

    // create admin role
    var adminRoleACL = new Parse.ACL();
    adminRoleACL.setPublicReadAccess(false);
    adminRoleACL.setPublicWriteAccess(false);
    var adminRole = new Parse.Role(accountName + ADMINISTRATOR, adminRoleACL);

    // create user role
    var userRoleACL = new Parse.ACL();
    userRoleACL.setPublicReadAccess(false);
    userRoleACL.setPublicWriteAccess(false);
    var userRole = new Parse.Role(accountName + USER, userRoleACL);

    // create a dummy object for each role, readable only by that role;
    // cloud code will use these dummy objects to figure out whether the
    // user belongs to that group. The roles are saved first so that the
    // dummies point at roles that already exist (save() is asynchronous).
    Parse.Promise.when(adminRole.save(), userRole.save()).then(function() {
        // dummy for admin
        var adminDummy = new Dummy();
        adminDummy.set("name", accountName + ADMINISTRATOR + DUMMY);
        var adminDummyACL = new Parse.ACL();
        adminDummyACL.setPublicReadAccess(false);
        adminDummyACL.setRoleReadAccess(adminRole, true);
        adminDummy.setACL(adminDummyACL);

        // dummy for user
        var userDummy = new Dummy();
        userDummy.set("name", accountName + USER + DUMMY);
        var userDummyACL = new Parse.ACL();
        userDummyACL.setPublicReadAccess(false);
        userDummyACL.setRoleReadAccess(userRole, true);
        userDummy.setACL(userDummyACL);

        return Parse.Promise.when(adminDummy.save(), userDummy.save());
    }, function(error) {
        console.error("failed to create roles for " + accountName + ": " + error.message);
    });
});
After the account is created I add this user to both the admin and the user group; here is the code:
Parse.Cloud.define("addUsersToRole", function(request, response) {
    // the role objects are not publicly writable, so use the master key
    Parse.Cloud.useMasterKey();
    var currentUser = request.user;
    var accountName = request.params.accountname;
    var query = new Parse.Query(Parse.Role);
    query.contains("name", accountName);
    query.find({
        success: function(roles) {
            console.log("roles: " + roles.length);
            var saves = [];
            for (var i = 0; i < roles.length; i++) {
                roles[i].getUsers().add(currentUser);
                saves.push(roles[i].save());
            }
            // answer only once every role has actually been saved
            Parse.Promise.when(saves).then(function() {
                response.success();
            }, function(error) {
                response.error("error adding user to roles: " + error.message);
            });
        },
        error: function(error) {
            response.error("error adding to admin role " + error.message);
        }
    });
});
Now when I try to do signup I just want to check if the current user can find the admin dummy object which was created (since the ACL for that was set to be accessed by only the admin role). If the object can be read then it should mean that the current user belongs to the admin role, right? Here is the code:
Parse.Cloud.define("inviteToSignUp", function(request, response) {
    var userEmail = request.params.email;
    var currentUser = request.user;
    var accountName = currentUser.get("accountname");

    // do it only if the user is admin: the query runs as the calling user,
    // so the admin dummy is only returned when that user may read it.
    // No unary "+" in front of accountName here: "+ accountName" converts
    // the string to NaN, and the resulting name never matches any object.
    var query = new Parse.Query(Dummy);
    query.equalTo("name", accountName + ADMINISTRATOR + DUMMY);
    query.first({
        success: function(dummy) {
            if (dummy) {
                // sendSignupEmail is defined elsewhere in the project
                sendSignupEmail(userEmail, currentUser, request, response);
            } else {
                response.error("Invitation failed. You don't have the " +
                    "privileges to add a new user. Please contact your " +
                    "administrator.");
            }
        },
        error: function(error) {
            response.error("error while inviting users. " + error.message);
        }
    });
});
Now the problem is that even though the admin user is logged in, the dummy object created doesn't get returned in the query in the above method. Is there anything I am missing? Is there a better way to achieve this functionality?
I checked the data browser and I can see the two roles being created, and the user being a member of both groups. I also see that two dummy objects are created, each with one of these two ACLs:
{"role:XYZ_Administrator":{"read":true}}
{"role:XYZ_user":{"read":true}}
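The following is an added example, not the poster's code and not the Parse SDK: a small self-contained model of how Parse resolves an object's ACL for the requesting user, applied to the two ACLs shown above. It also evaluates the name that the original `query.equalTo("name", + accountName + ADMINISTRATOR + DUMMY)` would have produced, since the leading unary plus is the reason the admin dummy cannot be matched. The user ids (adminUser, memberUser), the membership table and the `_dummy` suffix are constructed for illustration; role inheritance (a parent role listing another role as a child) is modelled as well, which goes beyond the flat roles in the question.

```javascript
// Added example: a model of Parse's read check against an object's ACL.
// Not the poster's code and not the Parse SDK; the membership table, the
// user ids and the DUMMY suffix are constructed for illustration.
const ADMINISTRATOR = "_Administrator";
const USER = "_user";
const DUMMY = "_dummy"; // assumed suffix; the question does not show its value

// Name of the marker object for a role, as inviteToSignUp intends to build it.
function dummyName(accountName, roleSuffix) {
  return accountName + roleSuffix + DUMMY;
}

// The defect in the question's query: a unary plus in front of accountName
// converts the string to NaN, so the name can never match a stored object.
function dummyNameWithUnaryPlus(accountName, roleSuffix) {
  return +accountName + roleSuffix + DUMMY;
}

// Every role the user belongs to, directly or through a parent role that
// lists one of the user's roles as a child (Parse role inheritance).
// roles: { roleName: { users: [userIds], roles: [childRoleNames] } }
function rolesOf(userId, roles) {
  const memberOf = new Set();
  let changed = true;
  while (changed) {
    changed = false;
    for (const [name, def] of Object.entries(roles)) {
      if (memberOf.has(name)) continue;
      const direct = def.users.includes(userId);
      const inherited = def.roles.some((child) => memberOf.has(child));
      if (direct || inherited) {
        memberOf.add(name);
        changed = true;
      }
    }
  }
  return memberOf;
}

// Parse ACL JSON: "*" is the public entry, a bare key is a user objectId and
// "role:<name>" grants the permission to members of that role.
function hasPermission(acl, userId, roles, perm) {
  if (acl["*"] && acl["*"][perm] === true) return true;
  if (userId && acl[userId] && acl[userId][perm] === true) return true;
  const memberOf = rolesOf(userId, roles);
  return Object.entries(acl).some(
    ([key, perms]) =>
      key.startsWith("role:") && perms[perm] === true && memberOf.has(key.slice("role:".length))
  );
}

// A query run without the master key only sees objects the caller may read;
// like query.first(), this yields the first match or undefined.
function firstReadable(objects, predicate, userId, roles) {
  return objects.find((o) => predicate(o) && hasPermission(o.ACL, userId, roles, "read"));
}

// Constructed data: one account "XYZ", the two roles from the question, and
// the two marker objects carrying exactly the ACLs the data browser showed.
const SAMPLE_ROLES = {
  XYZ_Administrator: { users: ["adminUser"], roles: [] },
  XYZ_user: { users: ["adminUser", "memberUser"], roles: [] },
};
const SAMPLE_DUMMIES = [
  { name: dummyName("XYZ", ADMINISTRATOR), ACL: { "role:XYZ_Administrator": { read: true } } },
  { name: dummyName("XYZ", USER), ACL: { "role:XYZ_user": { read: true } } },
];

// The check inviteToSignUp performs: can this user read the admin marker?
function isAdmin(userId, accountName, roles = SAMPLE_ROLES, dummies = SAMPLE_DUMMIES) {
  const wanted = dummyName(accountName, ADMINISTRATOR);
  return firstReadable(dummies, (o) => o.name === wanted, userId, roles) !== undefined;
}

console.log("admin may invite:", isAdmin("adminUser", "XYZ")); // true
console.log("member may invite:", isAdmin("memberUser", "XYZ")); // false
console.log("name with unary plus:", dummyNameWithUnaryPlus("XYZ", ADMINISTRATOR)); // NaN_Administrator_dummy
```

With the correctly built name the admin's query sees the marker and the member's does not; with the unary plus neither does, regardless of role membership, which matches the symptom described above.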