When using the SolarUser API with a user token that includes a security policy with specific node IDs, it is possible to use the /user/auth-tokens/policy update endpoints to add additional node IDs.
This should not be allowed: a token with node ID restrictions should be limited to just those nodes. Modifying a given token's policy should require a different token that either has no restrictions or allows the "new" node ID.
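The check described above, as an added sketch; it is not SolarNetwork code. The `Policy` model, the function names, and the convention that `None` means "no node restriction" are assumptions made for illustration. The acting token's policy is compared with the requested policy before anything is stored.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Policy:
    # Assumed model: None = no node restriction, a set = only these node IDs.
    node_ids: Optional[FrozenSet[int]] = None


class PolicyEscalationError(PermissionError):
    """The acting token tried to grant access it does not hold itself."""


def nodes_outside_actor(actor: Policy, requested: Policy) -> FrozenSet[int]:
    """Node IDs in the requested policy that the acting token cannot reach."""
    if actor.node_ids is None or requested.node_ids is None:
        return frozenset()
    return requested.node_ids - actor.node_ids


def can_grant(actor: Policy, requested: Policy) -> bool:
    if actor.node_ids is None:
        return True   # unrestricted actor may set any node list
    if requested.node_ids is None:
        return False  # restricted actor may not lift the restriction
    return not nodes_outside_actor(actor, requested)


def authorize_policy_update(actor: Policy, requested: Policy) -> Policy:
    """Return the policy to store, or raise before anything is persisted."""
    if not can_grant(actor, requested):
        extra = sorted(nodes_outside_actor(actor, requested))
        raise PolicyEscalationError(
            f"acting token may not grant node IDs {extra or 'ALL'}")
    return requested


if __name__ == "__main__":
    # Constructed sample: a token limited to nodes 1 and 2 updates its own policy.
    restricted = Policy(frozenset({1, 2}))
    print(can_grant(restricted, Policy(frozenset({1}))))        # narrowing
    print(can_grant(restricted, Policy(frozenset({1, 2, 3}))))  # widening
    print(can_grant(Policy(), Policy(frozenset({1, 2, 3}))))    # unrestricted actor
```

The comparison uses the policy of the token that authenticated the request, so a restricted token updating itself is covered by the same rule as one updating another token.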