From 19e35fdee4d15b048a45f99ed2c14c7b7d01e3f4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julius=20H=C3=A4rtl?=
Date: Tue, 2 Jul 2024 12:29:10 +0200
Subject: [PATCH] fix: Remove bindParam usage with simpler query
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Julius Härtl
---
 lib/Db/CardMapper.php | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/lib/Db/CardMapper.php b/lib/Db/CardMapper.php
index f1d2d34c1..64a0f5a1b 100644
--- a/lib/Db/CardMapper.php
+++ b/lib/Db/CardMapper.php
@@ -562,12 +562,15 @@ class CardMapper extends QBMapper implements IPermissionMapper {
 }
 public function isOwner($userId, $id): bool {
- $sql = 'SELECT owner FROM `*PREFIX*deck_boards` WHERE `id` IN (SELECT board_id FROM `*PREFIX*deck_stacks` WHERE id IN (SELECT stack_id FROM `*PREFIX*deck_cards` WHERE id = ?))';
- $stmt = $this->db->prepare($sql);
- $stmt->bindParam(1, $id, \PDO::PARAM_INT, 0);
- $stmt->execute();
- $row = $stmt->fetch();
- return ($row['owner'] === $userId);
+ $qb = $this->db->getQueryBuilder();
+ $qb->select('c.id')
+ ->from($this->getTableName(), 'c')
+ ->innerJoin('c', 'deck_stacks', 's', 'c.stack_id = s.id')
+ ->innerJoin('s', 'deck_boards', 'b', 'b.id = s.board_id')
+ ->where($qb->expr()->eq('c.id', $qb->createNamedParameter($id, IQueryBuilder::PARAM_INT)))
+ ->andWhere($qb->expr()->eq('b.owner', $qb->createNamedParameter($userId, IQueryBuilder::PARAM_STR)));
+
+ return count($qb->executeQuery()->fetchAll()) > 0;
 }
 public function findBoardId($id): ?int {
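Review bot: The ownership test in isOwner() now compares `b.owner` with `$userId` inside SQL, where the removed code compared the fetched value in PHP with `===`. Database equality follows the column's collation (case folding or trailing-space padding on some backends), so this authorization decision may no longer be byte-exact; the schema is not visible here, so that needs confirming. Selecting `b.owner` for the card and keeping the strict comparison in PHP preserves the old semantics, and `setMaxResults(1)` with `fetchOne()` avoids loading rows with `fetchAll()` only to count them and lets the cursor be closed explicitly. The new code also relies on `IQueryBuilder` being imported at the top of the file, which is outside the hunk. A short docblock stating that the method returns false for an unknown card id would document the fail-closed behaviour.

```php
public function isOwner($userId, $id): bool {
	// … unchanged: $qb = $this->db->getQueryBuilder(); …
	$qb->select('b.owner')
		// … unchanged: from() and the two innerJoin() calls …
		->where($qb->expr()->eq('c.id', $qb->createNamedParameter($id, IQueryBuilder::PARAM_INT)))
		->setMaxResults(1);

	$result = $qb->executeQuery();
	$owner = $result->fetchOne();
	$result->closeCursor();

	// fetchOne() yields false when no board is found for the card: deny.
	return $owner !== false && $owner === $userId;
}
```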