From 8aca48b5ec1b8b905c47ff62108ab343c01aeb27 Mon Sep 17 00:00:00 2001
From: Jan <jan.weber@avatic.de>
Date: Sat, 18 Oct 2025 09:45:26 +0200
Subject: [PATCH] Bugfix: Check premise access rights works as expected.

---
 .../lcc/repositories/premise/PremiseRepository.java    | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/main/java/de/avatic/lcc/repositories/premise/PremiseRepository.java b/src/main/java/de/avatic/lcc/repositories/premise/PremiseRepository.java
index ac34be9..757d516 100644
--- a/src/main/java/de/avatic/lcc/repositories/premise/PremiseRepository.java
+++ b/src/main/java/de/avatic/lcc/repositories/premise/PremiseRepository.java
@@ -635,10 +635,14 @@ public class PremiseRepository {
     @Transactional
     public void checkOwner(List<Integer> premiseIds, int userId) {
         String query = """
-                SELECT id FROM premise WHERE premise.id IN (?) AND user_id <> ?
-                """;
+            SELECT id FROM premise WHERE premise.id IN (:premiseIds) AND user_id <> :userId
+            """;
 
-        var otherIds = jdbcTemplate.queryForList(query, Integer.class, premiseIds, userId);
+        MapSqlParameterSource parameters = new MapSqlParameterSource();
+        parameters.addValue("premiseIds", premiseIds);
+        parameters.addValue("userId", userId);
+
+        var otherIds = namedParameterJdbcTemplate.queryForList(query, parameters, Integer.class);
 
         if (!otherIds.isEmpty()) {
             throw new ForbiddenException("Access violation. Cannot open premise with ids = " + otherIds);