From 0d5a1b36c704f3a79eceb2a1f19894f0438eb1b0 Mon Sep 17 00:00:00 2001
From: Abyss777 <abyss@fox5.ru>
Date: Thu, 20 Jul 2017 10:05:33 +0500
Subject: Make permissions resources more strict

---
 src/org/traccar/api/resource/GroupResource.java | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'src/org/traccar/api/resource/GroupResource.java')

diff --git a/src/org/traccar/api/resource/GroupResource.java b/src/org/traccar/api/resource/GroupResource.java
index 97b6d671d..0d9572332 100644
--- a/src/org/traccar/api/resource/GroupResource.java
+++ b/src/org/traccar/api/resource/GroupResource.java
@@ -97,6 +97,9 @@ public class GroupResource extends BaseResource {
     @POST
     public Response add(Map<String, Long> entity) throws SQLException {
         Context.getPermissionsManager().checkReadonly(getUserId());
+        if (entity.size() != 2) {
+            throw new IllegalArgumentException();
+        }
         for (String key : entity.keySet()) {
             Context.getPermissionsManager().checkPermission(key.replace("Id", ""), getUserId(), entity.get(key));
         }
@@ -109,6 +112,9 @@ public class GroupResource extends BaseResource {
     @DELETE
     public Response remove(Map<String, Long> entity) throws SQLException {
         Context.getPermissionsManager().checkReadonly(getUserId());
+        if (entity.size() != 2) {
+            throw new IllegalArgumentException();
+        }
         for (String key : entity.keySet()) {
             Context.getPermissionsManager().checkPermission(key.replace("Id", ""), getUserId(), entity.get(key));
         }
-- 
cgit v1.2.3