From 0d5a1b36c704f3a79eceb2a1f19894f0438eb1b0 Mon Sep 17 00:00:00 2001
From: Abyss777
Date: Thu, 20 Jul 2017 10:05:33 +0500
Subject: Make permissions resources more strict
---
 src/org/traccar/api/resource/PermissionsResource.java | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'src/org/traccar/api/resource/PermissionsResource.java')
diff --git a/src/org/traccar/api/resource/PermissionsResource.java b/src/org/traccar/api/resource/PermissionsResource.java
index ac7acb93f..e22ffae36 100644
--- a/src/org/traccar/api/resource/PermissionsResource.java
+++ b/src/org/traccar/api/resource/PermissionsResource.java
@@ -39,6 +39,9 @@ public class PermissionsResource extends BaseResource {
 @POST
 public Response add(Map entity) throws SQLException {
 Context.getPermissionsManager().checkReadonly(getUserId());
+ if (entity.size() != 2) {
+ throw new IllegalArgumentException();
+ }
 for (String key : entity.keySet()) {
 Context.getPermissionsManager().checkPermission(key.replace("Id", ""), getUserId(), entity.get(key));
 }
@@ -51,6 +54,9 @@ public class PermissionsResource extends BaseResource {
 @DELETE
 public Response remove(Map entity) throws SQLException {
 Context.getPermissionsManager().checkReadonly(getUserId());
+ if (entity.size() != 2) {
+ throw new IllegalArgumentException();
+ }
 for (String key : entity.keySet()) {
 Context.getPermissionsManager().checkPermission(key.replace("Id", ""), getUserId(), entity.get(key));
 }
-- cgit v1.2.3
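Review bot: The new guard in add() (`if (entity.size() != 2)`) counts entries but does not check what they are, so a body with two unexpected or null-valued keys still reaches the `checkPermission` loop, and a missing body would fail on `entity.size()` itself with a NullPointerException rather than the intended rejection. Consider `if (entity == null || entity.size() != 2 || entity.containsValue(null))` and giving the exception a message, e.g. `throw new IllegalArgumentException("Expected exactly two ids");`, so a rejected request can be diagnosed from logs. How checkPermission treats an unknown key is not visible in this hunk, so whether key names also need validating here should be confirmed against it. The same guard is duplicated in remove() in the second hunk; a small private helper would keep the two in step. Both method bodies continue outside the hunks.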