From e9e561f5e85005d2974c82b9756e94f530206c5b Mon Sep 17 00:00:00 2001
From: Simonas Karuzas <simonas@not.cat>
Date: Tue, 12 Apr 2016 14:57:31 +0300
Subject: [PATCH] Removing sessionToken and authData from _User objects
 included in a query (#1450)

* Removing sessionToken and authData from _User objects included in a query

This bug caused sessionToken to be replaced on client side to some old
sessionToken from DB.

* Removing dangling variable that is never used
---
 src/RestQuery.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/RestQuery.js b/src/RestQuery.js
index e825a544..68b50173 100644
--- a/src/RestQuery.js
+++ b/src/RestQuery.js
@@ -450,7 +450,6 @@ function includePath(config, auth, response, path) {
     return response;
   }
   let pointersHash = {};
-  var className = null;
   var objectIds = {};
   for (var pointer of pointers) {
     let className = pointer.className;
@@ -477,8 +476,9 @@ function includePath(config, auth, response, path) {
         obj.__type = 'Object';
         obj.className = includeResponse.className;
 
-        if(className == "_User"){
+        if (obj.className == "_User") {
           delete obj.sessionToken;
+          delete obj.authData;
         }
         replace[obj.objectId] = obj;
       }