Makes sure we don't strip authData or session token from users using masterKey (#2348)

* Makes sure we don't strip auth data or session token from users queried with masterKey (#2342)) * nit: test title
2016-07-23 20:14:53 +02:00
parent 88d913f3a2
commit c9fc80984a
2 changed files with 31 additions and 1 deletions
--- a/src/RestQuery.js
+++ b/src/RestQuery.js
@@ -504,7 +504,7 @@ function includePath(config, auth, response, path) {
        obj.__type = 'Object';
        obj.className = includeResponse.className;

-        if (obj.className == "_User") {
+        if (obj.className == "_User" && !auth.isMaster) {
          delete obj.sessionToken;
          delete obj.authData;
        }