docs: Clarify user lockout when setting empty ACL (#10174)

mtrezza · web-flow · commit 0744225caf2e · 2026-03-10T15:29:34.000Z
diff --git a/src/Options/Definitions.js b/src/Options/Definitions.js
@@ -54,7 +54,7 @@ module.exports.SchemaOptions = {
 module.exports.ParseServerOptions = {
   accountLockout: {
     env: 'PARSE_SERVER_ACCOUNT_LOCKOUT',
-    help: 'The account lockout policy for failed login attempts.',
+    help: "The account lockout policy for failed login attempts.<br><br>Note: Setting a user's ACL to an empty object `{}` via master key is a separate mechanism that only prevents new logins; it does not invalidate existing session tokens. To immediately revoke a user's access, destroy their sessions via master key in addition to setting the ACL.",
     action: parsers.objectParser,
     type: 'AccountLockoutOptions',
   },
diff --git a/src/Options/docs.js b/src/Options/docs.js
diff --git a/src/Options/index.js b/src/Options/index.js
@@ -251,7 +251,9 @@ export interface ParseServerOptions {
     | boolean
     | (SendEmailVerificationRequest => boolean | Promise<boolean>)
   );
-  /* The account lockout policy for failed login attempts. */
+  /* The account lockout policy for failed login attempts.
+  <br><br>
+  Note: Setting a user's ACL to an empty object `{}` via master key is a separate mechanism that only prevents new logins; it does not invalidate existing session tokens. To immediately revoke a user's access, destroy their sessions via master key in addition to setting the ACL. */
   accountLockout: ?AccountLockoutOptions;
   /* The password policy for enforcing password related rules. */
   passwordPolicy: ?PasswordPolicyOptions;
diff --git a/src/Routers/UsersRouter.js b/src/Routers/UsersRouter.js
@@ -132,10 +132,10 @@ export class UsersRouter extends ClassesRouter {
           if (!isValidPassword) {
             throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Invalid username/password.');
           }
-          // Ensure the user isn't locked out
-          // A locked out user won't be able to login
-          // To lock a user out, just set the ACL to `masterKey` only  ({}).
-          // Empty ACL is OK
+          // A user with an empty ACL (master key only) is considered locked out and
+          // cannot log in. This only prevents new logins; existing session tokens
+          // remain valid. To immediately revoke access, also destroy the user's
+          // sessions via master key.
           if (!req.auth.isMaster && user.ACL && Object.keys(user.ACL).length == 0) {
             throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Invalid username/password.');
           }
