diff --git a/spec/ParseACL.spec.js b/spec/ParseACL.spec.js
index 370550c0a5..f7cabf2ac2 100644
--- a/spec/ParseACL.spec.js
+++ b/spec/ParseACL.spec.js
@@ -1141,4 +1141,18 @@ describe('Parse.ACL', () => {
     }));
   });
 
+  it('restricted ACL does not have public access', (done) => {
+    var obj = new Parse.Object("TestClassMasterACL");
+    var acl = new Parse.ACL();
+    obj.set('ACL', acl);
+    obj.save().then(() => {
+      var query = new Parse.Query("TestClassMasterACL");
+      return query.find();
+    }).then((results) => {
+      console.log(JSON.stringify(results[0]));
+      ok(!results.length, 'Should not have returned object with secure ACL.');
+      done();
+    });
+  });
+
 });
diff --git a/spec/Schema.spec.js b/spec/Schema.spec.js
index a5c28c5bee..76bc2a5940 100644
--- a/spec/Schema.spec.js
+++ b/spec/Schema.spec.js
@@ -14,9 +14,6 @@ var hasAllPODobject = () => {
   obj.set('aArray', ['contents', true, 5]);
   obj.set('aGeoPoint', new Parse.GeoPoint({latitude: 0, longitude: 0}));
   obj.set('aFile', new Parse.File('f.txt', { base64: 'V29ya2luZyBhdCBQYXJzZSBpcyBncmVhdCE=' }));
-  var objACL = new Parse.ACL();
-  objACL.setPublicWriteAccess(false);
-  obj.setACL(objACL);
   return obj;
 };
 
@@ -545,7 +542,7 @@ describe('Schema', () => {
         done();
         Parse.Object.enableSingleInstance();
       });
-    })
+    });
   });
 
   it('can delete pointer fields and resave as string', done => {
diff --git a/src/transform.js b/src/transform.js
index 4606b063dd..f254f0d464 100644
--- a/src/transform.js
+++ b/src/transform.js
@@ -262,12 +262,8 @@ function transformACL(restObject) {
       wperm.push(entry);
     }
   }
-  if (rperm.length) {
-    output._rperm = rperm;
-  }
-  if (wperm.length) {
-    output._wperm = wperm;
-  }
+  output._rperm = rperm;
+  output._wperm = wperm;
   delete restObject.ACL;
   return output;
 }