Right now a regular user (not an admin) is able to edit a vacation request from another user. This should be forbidden in the backend. Was this intended behavior, @javiercr?