API for non admin user lets them check-out/in as any other user, including admin

[vzickus]

Describe the bug Creating an API key from a non-admin user, still allows the non-admin user to check out/in as any other user.

To Reproduce Create a user with limited access rights on the server, but allow them to create API keys. Link the API key to the app without modifying PHP (as it only makes sense that an admin would do that).

Expected behavior API key should only allow the user to check-out/in using their own username.

Smartphone (please complete the following information):

• Device: NOKIA XR20
• OS: Android 13

Additional context Alternative suggestions: have a login for user.

[diegogarciadev]

I'm not sure if I understand your message. Thanks.