From fb411b20cc8b6a15d0843bde2f996bac76b4d767 Mon Sep 17 00:00:00 2001
From: Moxie Marlinspike <moxie@thoughtcrime.org>
Date: Mon, 22 Jun 2015 11:01:08 -0700
Subject: [PATCH] Make adding and removing master device operations.

// FREEBIE
---
 .../textsecuregcm/controllers/DeviceController.java       | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/main/java/org/whispersystems/textsecuregcm/controllers/DeviceController.java b/src/main/java/org/whispersystems/textsecuregcm/controllers/DeviceController.java
index 5431dd66e..f2e7d638d 100644
--- a/src/main/java/org/whispersystems/textsecuregcm/controllers/DeviceController.java
+++ b/src/main/java/org/whispersystems/textsecuregcm/controllers/DeviceController.java
@@ -94,6 +94,10 @@ public class DeviceController {
   @DELETE
   @Path("/{device_id}")
   public void removeDevice(@Auth Account account, @PathParam("device_id") long deviceId) {
+    if (account.getAuthenticatedDevice().get().getId() != Device.MASTER_ID) {
+      throw new WebApplicationException(Response.Status.UNAUTHORIZED);
+    }
+
     account.removeDevice(deviceId);
     accounts.update(account);
   }
@@ -111,6 +115,10 @@ public class DeviceController {
       throw new DeviceLimitExceededException(account.getDevices().size(), MAX_DEVICES);
     }
 
+    if (account.getAuthenticatedDevice().get().getId() != Device.MASTER_ID) {
+      throw new WebApplicationException(Response.Status.UNAUTHORIZED);
+    }
+
     VerificationCode verificationCode = generateVerificationCode();
     pendingDevices.store(account.getNumber(), verificationCode.getVerificationCode());