From acb294dba7c91a8aa6d3ee8a0f440ac6b41b422c Mon Sep 17 00:00:00 2001
From: Simonas Karuzas <simonas@not.cat>
Date: Mon, 11 Apr 2016 14:26:42 +0300
Subject: [PATCH] Removing sessionToken and authData from _User objects
 included in a query

This bug caused sessionToken to be replaced on client side to some old
sessionToken from DB.
---
 src/RestQuery.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/RestQuery.js b/src/RestQuery.js
index e825a5448c..767f03b637 100644
--- a/src/RestQuery.js
+++ b/src/RestQuery.js
@@ -477,8 +477,9 @@ function includePath(config, auth, response, path) {
         obj.__type = 'Object';
         obj.className = includeResponse.className;
 
-        if(className == "_User"){
+        if (obj.className == "_User") {
           delete obj.sessionToken;
+          delete obj.authData;
         }
         replace[obj.objectId] = obj;
       }