http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13799 --- Comment #140 from Julian Maurice <julian.maurice@biblibre.com> --- The 'borrowers' permission is required for both /borrowers and /borrowers/XXXX except if XXXX is the borrowernumber of the loggedinuser Test plan for authentication: 1/ Log in to staff interface with a borrower that have 'borrowers' permission 2/ Go to http://INTRANET/api/v1/borrowers and http://INTRANET/api/v1/borrowers/XXXX (where XXXX is a valid borrowernumber). You should see borrowers data 3/ Remove the 'borrowers' permission 4/ Go to http://INTRANET/api/v1/borrowers. You should see an error (and HTTP code 403) 5/ Go to http://INTRANET/api/v1/borrowers/XXXX (where XXXX is a valid borrowernumber different from the logged-in user's borrowernumber). You should see an error (and HTTP code 403) 6/ Go to http://INTRANET/api/v1/borrowers/XXXX (where XXXX is the logged-in user's borrowernumber). You should see borrower's data. -- You are receiving this mail because: You are watching all bug changes.