From 90504dd7bb66086ede10bf023db1c0620c51291f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Patrick=20Ha=C3=9Fel?=
Date: Tue, 29 Oct 2024 15:09:39 +0100
Subject: [PATCH] FIX changePassword ownership-check was not negated
---
 src/main/java/de/ph87/tools/group/GroupService.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/de/ph87/tools/group/GroupService.java b/src/main/java/de/ph87/tools/group/GroupService.java
index 5297a76..35bf00b 100644
--- a/src/main/java/de/ph87/tools/group/GroupService.java
+++ b/src/main/java/de/ph87/tools/group/GroupService.java
@@ -79,7 +79,7 @@ public class GroupService {
 public GroupDto changePassword(@NonNull final String privateUuid, @NonNull final GroupChangePasswordInbound request) {
 final User user = userService.getByPrivateUuidOrThrow(privateUuid);
 final Group group = groupOfUserService.getGroupOfUser(request.uuid, user);
- if (group.isOwnedBy(user)) {
+ if (!group.isOwnedBy(user)) {
 throw new ResponseStatusException(HttpStatus.FORBIDDEN);
 }
 group.setPassword(request.password);
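Review bot: The corrected guard `if (!group.isOwnedBy(user))` in changePassword ships without a regression test (the diffstat lists only GroupService.java), so nothing prevents the ownership check from being inverted again. Two cases would pin it: a caller who passes `getGroupOfUser` but is not the owner gets `HttpStatus.FORBIDDEN` and the stored password stays unchanged, and the owner's call succeeds. Because the old condition rejected the owner and let every other caller reach `group.setPassword(request.password)`, it is worth checking whether any group password was changed by a non-owner while that code was deployed. A short comment above the guard, e.g. `// only the group owner may change the password`, would make the intent explicit. The method body continues past the end of the hunk, so what happens after `setPassword` is not visible here.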