Release note - v0.3377.0 ... v0.3377.2

January 29, 2026
    This release introduces an important security restriction on booking creation. The POST /v3/bookings endpoint now blocks calls made in "login-as" mode (collaborator logged in as a partner) and returns a 403 FORBIDDEN_BOOKING_CREATION error. This measure ensures the consistency of agency data during bookings. Internal optimizations have also been made to improve API performance.

    📦 Version 0.3377.2

    ✨ Key Highlights

    • Security Restriction: Creating bookings in "login-as" mode is now prohibited
    • Internal request optimization to improve performance

    🔒 Security and Restrictions

    POST /v3/bookings — Blocking login-as mode

    Creating bookings via POST /v3/bookings is no longer allowed when a Club Med employee logs in as a partner ("login-as" mode).

    Behavior:

    • If you call POST /v3/bookings with an x-salesman-id header (login-as mode), the API now returns:
      • HTTP Code: 403 Forbidden
      • Error Code: FORBIDDEN_BOOKING_CREATION
      • Message: "The booking creation is forbidden for G.O authenticated as partner"

    Impact: This restriction ensures that the agency associated with the booking matches the authenticated partner, and not the logged-in employee.
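
    The rule above, sketched as a server-side guard. This is an added example, not the API's own code. The function names, the JSON body shape, and the choice to treat an empty x-salesman-id value as login-as are assumptions; only the endpoint, header name, status, error code and message come from this release note.

```python
# Added illustration of the login-as restriction; not the API's implementation.
from typing import Mapping, Optional

LOGIN_AS_HEADER = "x-salesman-id"  # header named in the release note
ERROR_CODE = "FORBIDDEN_BOOKING_CREATION"
ERROR_MESSAGE = "The booking creation is forbidden for G.O authenticated as partner"


def is_login_as(headers: Mapping[str, str]) -> bool:
    """True when the request carries the login-as header.

    HTTP header names are case-insensitive, so names are compared lowercased.
    Assumption: the header's presence alone marks login-as mode, even with an
    empty value, so a blank header cannot slip past the check.
    """
    return any(name.strip().lower() == LOGIN_AS_HEADER for name in headers)


def guard_booking_creation(method: str, path: str,
                           headers: Mapping[str, str]) -> Optional[dict]:
    """Return the 403 rejection for POST /v3/bookings in login-as mode, else None."""
    # Ignore the query string and a trailing slash when matching the route.
    normalized_path = path.split("?", 1)[0].rstrip("/")
    if method.upper() != "POST" or normalized_path != "/v3/bookings":
        return None  # the restriction covers booking creation only
    if not is_login_as(headers):
        return None  # regular partner call: let it through
    return {
        "status": 403,
        # Assumed body shape; the release note gives only the code and message.
        "body": {"error": ERROR_CODE, "message": ERROR_MESSAGE},
    }


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ("POST", "/v3/bookings", {"X-Salesman-ID": "12345"}),
        ("POST", "/v3/bookings", {"Authorization": "Bearer <token>"}),
        ("GET", "/v3/bookings", {"x-salesman-id": "12345"}),
    ]
    for method, path, headers in samples:
        print(method, path, headers, "->", guard_booking_creation(method, path, headers))
```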


    🛠️ Technical Improvements

    • Cleanup and removal of obsolete requests to optimize response times

    📚 Additional Information

    Related Tickets: CMAB-3969, CMAB-4001, CMAB-3996