diff --git a/TODO.md b/TODO.md index 40b4da8..d1e3577 100644 --- a/TODO.md +++ b/TODO.md @@ -12,6 +12,12 @@ In the same time, some exceptions (such as **AdminAuthenticationException**) are Currently, some operations are restricted to an admin, defined explicitely by the user *admin* boolean. These operations could be delegated to simple users with some specific fine-grained authorizations. +Requests work mostly on current user, but some take a *UserID* to identify another user. +Requests should either always work on current user (which implies to create new requests working on another user) or always take an optional *UserID* parameter. + +Some requests require to be authenticated without either accessing confidential data or modifying any entry in the database. +**Check for inconsistencies**. + ### Structures, not classes Maybe in some cases, it could be great to use structures instead of classes.
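Review bot: The second added line ("or always take an optional *UserID* parameter") does not say who is allowed to pass a *UserID* other than their own. Whichever option is chosen, the item should state that requests acting on another user need an authorization check on the target user, and it should be tied to the context paragraph just above about delegating admin-only operations through fine-grained authorizations; an optional *UserID* with no such check would be an access-control gap. The last two added lines are also too vague to act on: name the requests that require authentication without reading confidential data or modifying the database, and state the intended outcome (drop the requirement, or document why it stays) rather than a bare "**Check for inconsistencies**".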