diff --git a/src/api/api_paper.php b/src/api/api_paper.php
index 88543d2a0..74bb24a47 100644
--- a/src/api/api_paper.php
+++ b/src/api/api_paper.php
@@ -141,10 +141,12 @@ private function run_post(Qrequest $qreq, ?PaperInfo $prow) {
 return $this->run_post_single_json($prow, $jp);
 } else if ($this->single) {
 return JsonResult::make_error(400, "<0>Expected object");
- } else if (is_array($jp)) {
- return $this->run_post_multi_json($jp);
- } else {
+ } else if (!is_array($jp)) {
 return JsonResult::make_error(400, "<0>Expected array of objects");
+ } else if (!$this->user->privChair) {
+ return JsonResult::make_permission_error();
+ } else {
+ return $this->run_post_multi_json($jp);
 }
 }
@@ -281,10 +283,8 @@ static function analyze_json_pid(Conf $conf, $j, $pidflags = 0) {
 }
 }
 $pid = $j->pid ?? $j->id ?? null;
- if (is_int($pid) && $pid > 0) {
- return $pid;
- } else if ($pid === null || $pid === "new") {
- return "new";
+ if ($pid === null || (is_int($pid) && $pid > 0) || $pid === "new") {
+ return $pid ?? "new";
 } else {
 return null;
 }
@@ -292,14 +292,13 @@ static function analyze_json_pid(Conf $conf, $j, $pidflags = 0) {
 private function set_json_landmark($index, $jp, $expected = null) {
 $pidish = self::analyze_json_pid($this->conf, $jp, 0);
- if (!$pidish) {
- $mi = $this->error_at(null, "Bad `pid`");
- } else if (($expected ?? $pidish) !== $pidish) {
- $mi = $this->error_at(null, "`pid` does not match");
- } else {
+ if ($pidish && ($expected === null || $pidish === $expected)) {
 $this->landmark = $pidish === "new" ? "index {$index}" : "#{$pidish}";
 return true;
 }
+ $pidkey = isset($jp->pid) || !isset($jp->id) ? "pid" : "id";
+ $msg = $pidish ? "<0>ID does not match" : "<0>Format error";
+ $mi = $this->error_at($pidkey, $msg);
 if (!$this->single) {
 $mi->landmark = "index {$index}";
 }
diff --git a/test/t_paperapi.php b/test/t_paperapi.php
index e528ed4df..ca068a893 100644
--- a/test/t_paperapi.php
+++ b/test/t_paperapi.php
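Review bot: The new `!$this->user->privChair` branch in run_post turns the whole multi-object path into a chair-only operation, but nothing in the code records why batch posts need a stronger check than a single-object post, so the next reader may "simplify" it away. A one-line comment above the branch would fix that, e.g. `// Batch (array) submissions are chair-only; single-object submissions are checked per paper in run_post_single_json` — the second half is my inference from the surrounding branches and should be confirmed against run_post_single_json, which is outside this hunk. Note also that the permission result is only reached after the body has already been accepted as a JSON array, which is the intended order (format error first, then authorization) but worth stating in the same comment. run_post's body starts before the hunk.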
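Review bot: analyze_json_pid's return contract — a positive int, the literal `"new"` when no id is given, or null for anything else — is now expressed through one merged condition plus `return $pid ?? "new";`, which reads as if only the null case were special even though an explicit `"new"` also passes through unchanged. The function has no docblock stating this, and its signature lies before the hunk; I would add `/** @return int|string|null positive pid, "new" when the id is absent or the string "new", null if malformed */` on it. It is also worth a sentence in that docblock that a numeric string such as `"12"` still yields null, since `is_int` rejects it and the `===` checks do not coerce — that strictness is what keeps unvalidated client ids out of the landmark and lookups, so callers should not be tempted to add a cast here.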
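Review bot: `$pidkey = isset($jp->pid) || !isset($jp->id) ? "pid" : "id";` depends on `||` binding tighter than `?:`; that gives the key selection the two messages need, but the bare mix is easy to misread as `isset($jp->pid) || (...)`, so parenthesise it: `$pidkey = (isset($jp->pid) || !isset($jp->id)) ? "pid" : "id";`. The two error texts are fixed strings and the landmark only interpolates `$pidish` once analyze_json_pid has reduced it to a positive int or `"new"`, so no client-supplied id text reaches a message — a brief comment such as `// $pidish is validated: int or "new", safe to interpolate` would keep that property from eroding. set_json_landmark's body continues past the hunk.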
@@ -126,33 +126,34 @@ function test_update_paper_pleb() {
 function test_update_attack_paper_pleb() {
 $prow = $this->conf->checked_paper_by_id(2);
 xassert_eqq($this->u_puneet->can_view_paper($prow), false);
- $qreq = $this->make_post_json_qreq([
- ["pid" => 2, "title" => "Scalable Timers for Soft State Protocols: Taylor’s Version"],
- ["pid" => 10000, "title" => "Scalable Timers for Soft State Protocols: Taylor’s Version"]
- ]);
+ $qreq = $this->make_post_json_qreq(["pid" => 2, "title" => "Scalable Timers for Soft State Protocols: Taylor’s Version"]);
 $jr = call_api("=paper", $this->u_puneet, $qreq);
 xassert_eqq($jr->ok, false);
- xassert_eqq($jr->change_lists[0], []);
- xassert_eqq($jr->change_lists[1], []);
+ xassert_eqq($jr->change_list, []);
 xassert_eqq($jr->message_list[0]->message, "<0>You aren’t allowed to view submission #2");
- xassert_eqq($jr->message_list[1]->message, "<0>You aren’t allowed to view submission #10000");
+
+ $qreq = $this->make_post_json_qreq(["pid" => 10000, "title" => "Scalable Timers for Soft State Protocols: Taylor’s Version"]);
+ $jr = call_api("=paper", $this->u_puneet, $qreq);
+ xassert_eqq($jr->ok, false);
+ xassert_eqq($jr->change_list, []);
+ xassert_eqq($jr->message_list[0]->message, "<0>You aren’t allowed to view submission #10000");
 }
 function test_assigned_paper_id() {
 // Only chairs can assign papers with a specific ID
 $qreq = $this->make_post_json_qreq([
- ["pid" => 10000, "title" => "Scalable Timers for Soft State Protocols: György’s Version",
- "abstract" => "Hello", "authors" => [["name" => "My Name"]],
- "status" => "draft"]
+ "pid" => 10000, "title" => "Scalable Timers for Soft State Protocols: György’s Version",
+ "abstract" => "Hello", "authors" => [["name" => "My Name"]],
+ "status" => "draft"
 ]);
 $jr = call_api("=paper", $this->u_estrin, $qreq);
 xassert_eqq($jr->ok, false);
- xassert_eqq($jr->change_lists[0], []);
+ xassert_eqq($jr->change_list, []);
 xassert_eqq($jr->message_list[0]->message, "<0>Submission #10000 
does not exist");
 $jr = call_api("=paper", $this->u_chair, $qreq);
 xassert_eqq($jr->ok, true);
- xassert_eqq($jr->papers[0]->pid, 10000);
+ xassert_eqq($jr->paper->pid, 10000);
 }
 function test_dry_run() {
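Review bot: Converting test_update_attack_paper_pleb and test_assigned_paper_id to single-object posts removes the only requests in this file that sent an array, so the new chair-only gate on the multi-object path in api_paper.php is not exercised by any test in this diff, and a regression that drops that gate would pass the suite. Add a case in which a non-chair posts an array and is refused, e.g. `$qreq = $this->make_post_json_qreq([["pid" => 2, "title" => "Scalable Timers for Soft State Protocols: Taylor’s Version"]]);` `$jr = call_api("=paper", $this->u_puneet, $qreq);` `xassert_eqq($jr->ok, false);`, and assert on `$jr->message_list[0]->message` as well if the permission-error text is stable. The chair-side counterpart — an array posted by `$this->u_chair` that succeeds and, judging by the removed `$jr->papers[0]->pid` assertion, returns a `papers` list — is presumably now untested too and would round out the coverage.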