diff --git a/tests/api/test_carddef.py b/tests/api/test_carddef.py
index d991db66c..bf6dcc249 100644
--- a/tests/api/test_carddef.py
+++ b/tests/api/test_carddef.py
@@ -253,6 +253,9 @@ def test_cards_restricted_api(pub, local_user):
     resp = get_app(pub).get(sign_uri('/api/cards/test/list', orig='test', key='12345'))
     assert len(resp.json['data']) == 1
+    resp = get_app(pub).get(sign_uri('/api/cards/test/%s/' % formdata.id, orig='test', key='12345'))
+    assert resp.json['id'] == str(formdata.id)
+
 
     # restricted to another role, do not get it
     role2 = pub.role_class(name='second')
     role2.store()
@@ -261,6 +264,11 @@ def test_cards_restricted_api(pub, local_user):
     resp = get_app(pub).get(sign_uri('/api/cards/test/list', orig='test', key='12345'), status=403)
     assert resp.json['err_desc'] == 'unsufficient roles'
+    resp = get_app(pub).get(
+        sign_uri('/api/cards/test/%s/' % formdata.id, orig='test', key='12345'), status=403
+    )
+    assert resp.json['err_desc'] == 'unsufficient roles'
+
 
 
 def test_cards_http_auth_access(pub, local_user):
     pub.role_class.wipe()
diff --git a/wcs/api_access.py b/wcs/api_access.py
index c8b0c53d7..b3d22662d 100644
--- a/wcs/api_access.py
+++ b/wcs/api_access.py
@@ -87,6 +87,7 @@ class ApiAccess(XmlStorableObject):
     id = Ellipsis # make sure it fails all over the place if used
     is_admin = False
     is_api_user = True
+    anonymous = False
 
     def can_go_in_admin(self):
         return False
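Review bot: The single-card URI `'/api/cards/test/%s/' % formdata.id` is built twice in test_cards_restricted_api, here and again in the second hunk of this file, with the same `orig`/`key` signing parameters; binding it once before the first request, `card_uri = '/api/cards/test/%s/' % formdata.id`, keeps the positive check and the 403 check pointed at the same endpoint if the path is ever changed. The 403 assertion in the second hunk pins only `err_desc`; that matches the list-endpoint assertion directly above it, but if the error envelope also carries a numeric `err` code it would be worth asserting that too, so the test fails on an authorization regression even if the message text is later reworded. test_cards_restricted_api begins before the first hunk, and test_cards_http_auth_access continues past the second.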
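Review bot: `anonymous = False` is added to ApiAccess's class attributes with no comment explaining why an API-access object needs a user-like `anonymous` flag, and unlike its neighbours `is_admin`/`is_api_user` this one is security-relevant: any view that gates access on the caller not being anonymous will now admit a signed ApiAccess request. Judging from the test changes in the same commit this is presumably what lets the single-card endpoint serve signed API callers while the role restriction still yields 403, so the comment should make clear that the role check, not this flag, remains the authorization boundary, e.g. `anonymous = False  # signed API callers are never anonymous; role restrictions still apply in the views`. The ApiAccess class starts before and continues past this hunk.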