In order to stop a user from viewing open loans
the API needs to filter them out based upon the presence of a specific permission
- Should this apply at both the storage and business logic levels? If so, it may be that multiple stories are needed.
- Is this a breaking behavioural change? (I believe it likely is)
- Need to consider the impact of these permissions on queries mod-circulation makes to make decisions during processes, for example, the check out API needs to identify an open loan already exists for an item