diff --git a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/PermissionListDto.java b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/PermissionListDto.java
index 23d57f4d8e..8d48eafc82 100644
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/PermissionListDto.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/PermissionListDto.java
@@ -7,12 +7,15 @@ import lombok.Getter;
 import lombok.NoArgsConstructor;
 import lombok.Setter;
 
+import javax.validation.constraints.NotNull;
+
 @Getter
 @Setter
 @AllArgsConstructor
 @NoArgsConstructor
 public class PermissionListDto extends HalRepresentation {
 
+  @NotNull
   private String[] permissions;
 
   @Override
diff --git a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserPermissionResource.java b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserPermissionResource.java
index 2b02104646..a961dfaa0e 100644
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserPermissionResource.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserPermissionResource.java
@@ -8,6 +8,7 @@ import sonia.scm.security.PermissionDescriptor;
 import sonia.scm.web.VndMediaType;
 
 import javax.inject.Inject;
+import javax.validation.Valid;
 import javax.ws.rs.Consumes;
 import javax.ws.rs.GET;
 import javax.ws.rs.PUT;
@@ -69,7 +70,7 @@ public class UserPermissionResource {
     @ResponseCode(code = 500, condition = "internal server error")
   })
   @TypeHint(TypeHint.NO_CONTENT.class)
-  public Response overwritePermissions(@PathParam("id") String id, PermissionListDto newPermissions) {
+  public Response overwritePermissions(@PathParam("id") String id, @Valid PermissionListDto newPermissions) {
     Collection<PermissionDescriptor> permissionDescriptors = Arrays.stream(newPermissions.getPermissions())
       .map(PermissionDescriptor::new)
       .collect(Collectors.toList());