Make permissions resources more strict

1 files changed, 6 insertions, 0 deletions

diff --git a/src/org/traccar/api/resource/DeviceResource.java b/src/org/traccar/api/resource/DeviceResource.java
index 41a8970e2..0f7579bae 100644
--- a/src/org/traccar/api/resource/DeviceResource.java
+++ b/src/org/traccar/api/resource/DeviceResource.java
@@ -125,6 +125,9 @@ public class DeviceResource extends BaseResource {
     @POST
     public Response add(Map<String, Long> entity) throws SQLException {
         Context.getPermissionsManager().checkReadonly(getUserId());
+        if (entity.size() != 2) {
+            throw new IllegalArgumentException();
+        }
         for (String key : entity.keySet()) {
             Context.getPermissionsManager().checkPermission(key.replace("Id", ""), getUserId(), entity.get(key));
         }
@@ -140,6 +143,9 @@ public class DeviceResource extends BaseResource {
         for (String key : entity.keySet()) {
             Context.getPermissionsManager().checkPermission(key.replace("Id", ""), getUserId(), entity.get(key));
         }
+        if (entity.size() != 2) {
+            throw new IllegalArgumentException();
+        }
         Context.getDataManager().linkObject(entity, false);
         Context.getPermissionsManager().refreshPermissions(entity);
         return Response.noContent().build();