diff --git a/server/users/user_handler.coffee b/server/users/user_handler.coffee
index 571bae538..1a1900c91 100644
--- a/server/users/user_handler.coffee
+++ b/server/users/user_handler.coffee
@@ -238,11 +238,11 @@ UserHandler = class UserHandler extends Handler
   getLevelSessions: (req, res, userID) ->
     query = creator: userID
     isAuthorized = req.user._id+'' is userID or req.user.isAdmin()
-    projection = null
+    projection = {}
     if req.query.project
-      projection = {}
       projection[field] = 1 for field in req.query.project.split(',') when isAuthorized or not (field in LevelSessionHandler.privateProperties)
-    # If no req.query.project, then LevelSessionHandler.formatEntity will remove private properties if needed.
+    else unless isAuthorized
+      projection[field] = 0 for field in LevelSessionHandler.privateProperties
 
     LevelSession.find(query).select(projection).exec (err, documents) =>
       return @sendDatabaseError(res, err) if err
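Review bot: When `req.query.project` is present but every requested field is filtered out for an unauthorized caller, `projection` stays `{}`, and an empty projection passed to `.select()` selects every field, private ones included. The new `else unless isAuthorized` branch only covers requests with no `project` parameter, so I would make the exclusion a separate check in its place: `if not isAuthorized and Object.keys(projection).length is 0`. The removed comment suggests `LevelSessionHandler.formatEntity` used to strip private properties downstream; the rest of the `exec` callback is outside the hunk, so whether that still happens cannot be confirmed from here. Separately, `req.query.project.split(',')` assumes a string, which may not hold if the parameter is repeated and the query parser yields an array.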