diff --git a/tests/test_api.py b/tests/test_api.py
index 960f6bfba..151251e5a 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -47,12 +47,14 @@ def local_user():
     user.store()
     return user
 
-def sign_uri(uri, user):
+def sign_uri(uri, user=None):
     timestamp = datetime.datetime.utcnow().isoformat()[:19] + 'Z'
     scheme, netloc, path, params, query, fragment = urlparse.urlparse(uri)
     if query:
         query += '&'
-    query += 'format=json&orig=coucou&algo=sha256&email=' + urllib.quote(user.email) + '×tamp=' + timestamp
+    query += 'format=json&orig=coucou&algo=sha256×tamp=' + timestamp
+    if user:
+        query += '&email=' + urllib.quote(user.email)
     query += '&signature=%s' % urllib.quote(
         base64.b64encode(
             hmac.new('1234',
@@ -383,11 +385,13 @@ def test_roles(local_user):
     role = Role(name='Hello World')
     role.store()
 
-    resp = get_app(pub).get(sign_uri('/api/roles', user=local_user), headers={'Accept': 'application/json'})
+    resp = get_app(pub).get('/api/roles', status=403)
+
+    resp = get_app(pub).get(sign_uri('/api/roles'))
     assert resp.json['data'][0]['text'] == 'Hello World'
     assert resp.json['data'][0]['slug'] == 'hello-world'
 
     # also check old endpoint, for compatibility
-    resp = get_app(pub).get(sign_uri('/roles', user=local_user), headers={'Accept': 'application/json'})
+    resp = get_app(pub).get(sign_uri('/roles'), headers={'Accept': 'application/json'})
     assert resp.json['data'][0]['text'] == 'Hello World'
     assert resp.json['data'][0]['slug'] == 'hello-world'
diff --git a/wcs/api.py b/wcs/api.py
index 52921f4d1..a400ae7fa 100644
--- a/wcs/api.py
+++ b/wcs/api.py
@@ -177,8 +177,8 @@ class ApiDirectory(Directory):
 
     def roles(self):
         get_response().set_content_type('application/json')
-        if not (get_request().user and get_request().user.can_go_in_admin()) and \
-            not get_user_from_api_query_string():
+        if not (is_url_signed() or (
+            get_request().user and get_request().user.can_go_in_admin())):
             raise AccessForbiddenError()
         list_roles = []
         charset = get_publisher().site_charset
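Review bot: `sign_uri` gains an optional `user` parameter but still carries no docstring, and the new `if user:` guard tests the truthiness of a model object where `if user is not None:` states the intent more precisely. A docstring such as `"""Return *uri* with the query parameters and HMAC signature the API expects; an email= parameter is added only when *user* is given."""` would help, because the signing itself (the `hmac.new('1234',` call) happens in lines after the hunk. The `×tamp=` in both the removed and the added line looks like an HTML-entity rendering of `&timestamp=` in this view rather than the committed text; worth confirming against the repository. The body of `sign_uri` continues past the end of the hunk.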
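Review bot: The new `resp = get_app(pub).get(sign_uri('/api/roles'))` line drops the `headers={'Accept': 'application/json'}` argument that the removed call and the retained `/roles` call both pass, so the two requests in this test are no longer exercised the same way; pass the header on both or on neither. With `user=local_user` removed from both `sign_uri` calls, `local_user` is no longer referenced in the visible lines even though `test_roles` still takes it as a fixture, so the signed-with-email path the old test covered is now untested here; keeping one request such as `resp = get_app(pub).get(sign_uri('/api/roles', user=local_user))` beside the anonymous one would preserve that coverage. The unsigned `status=403` check is the right addition; a companion request with an altered signature parameter asserting the same 403 would pin the negative path more tightly. `test_roles` starts before the hunk.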
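Review bot: The rewritten condition on the `if not (is_url_signed() or (` lines widens the authorization policy for `roles` from "signed request that identifies a user, or an admin-capable session user" to "any validly signed request, or an admin-capable session user", and nothing in the code records that this widening is intentional. A comment above the check, `# the roles listing is available to any holder of the API signing secret (signed URL) or to a logged-in user with admin access`, would keep a later reader from treating the dropped `get_user_from_api_query_string()` call as an oversight and silently re-tightening it. The `not (a or (b and c))` shape also reads more directly as `if not is_url_signed() and not (get_request().user and get_request().user.can_go_in_admin()):`. Whether `is_url_signed` is imported in this module, and whether `get_user_from_api_query_string` is still used elsewhere, is not visible in the hunk; `roles` continues after it.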