---
uuid: 7a99e355-14d5-4000-bbc3-561424c9df79
date_created: 2026-01-29T15:29:24.864Z
date_updated: 2026-02-24T17:08:34.323Z
versions:
  - v0.3377.2 (22595)
  - v0.3377.1 (22496)
  - v0.3377.0 (22430)
---
# Release v0.3377.0 → v0.3377.2

This release introduces an important security restriction on booking creation. The POST /v3/bookings endpoint now blocks calls made in "login-as" mode (collaborator logged in as a partner) and returns a 403 FORBIDDEN\_BOOKING\_CREATION error. This measure ensures the consistency of agency data during bookings. Internal optimizations have also been made to improve API performance.

## Notes

## 📦 Version 0.3377.2

### ✨ Key Highlights

* Security Restriction: Creating bookings in "login-as" mode is now prohibited
* Internal request optimization to improve performance

***

### 🔒 Security and Restrictions

**POST /v3/bookings — Blocking login-as mode**

Creating bookings via `POST /v3/bookings` is no longer allowed when a Club Med employee logs in as a partner ("login-as" mode).

**Behavior:**

* If you call `POST /v3/bookings` with an `x-salesman-id` header (login-as mode), the API now returns:
  * **HTTP Code:** `403 Forbidden`
  * **Error Code:** `FORBIDDEN_BOOKING_CREATION`
  * **Message:** "The booking creation is forbidden for G.O authenticated as partner"

**Impact:** This restriction ensures that the agency associated with the booking matches the authenticated partner, and not the logged-in employee.

***

### 🛠️ Technical Improvements

* Cleaning and removal of obsolete requests to optimize response times

***

## 📚 Additional Information

**Related Tickets:** CMAB-3969, CMAB-4001, CMAB-3996