fixed
Get Avatar: Change to permission handling
16 days ago
The Read avatar for an employee ID (v1/avatars/{employeeId})
, and Read avatar for an employee email (v1/avatars
) endpoints now enforces permission checks.
Background
Previously, service users could access employee profile pictures without being assigned to any permission group.
What this change?
Moving forward, visibility of avatars through the API is restricted based on the About category permission, aligning it with other employee data access rules.
To allow the service user to read the avatar, you now need to enable the permission:
- People's data > About > View selected employees' About sections.