From 1943b7e9a1784e4cc38f62edb279fdd6b7a6999b Mon Sep 17 00:00:00 2001
From: Marcel <marcel@familienarchiv>
Date: Thu, 14 May 2026 16:12:02 +0200
Subject: [PATCH] =?UTF-8?q?fix(invites):=20validate=20groupIds=20existence?=
 =?UTF-8?q?=20in=20createInvite=20=E2=80=94=20throw=20GROUP=5FNOT=5FFOUND?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .../raddatz/familienarchiv/user/InviteService.java |  3 +++
 .../familienarchiv/user/InviteServiceTest.java     | 14 ++++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/backend/src/main/java/org/raddatz/familienarchiv/user/InviteService.java b/backend/src/main/java/org/raddatz/familienarchiv/user/InviteService.java
index e1cedf02..1836d7e1 100644
--- a/backend/src/main/java/org/raddatz/familienarchiv/user/InviteService.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/user/InviteService.java
@@ -53,6 +53,9 @@ public class InviteService {
         Set<UUID> groupIds = new HashSet<>();
         if (dto.getGroupIds() != null && !dto.getGroupIds().isEmpty()) {
             List<UserGroup> groups = userService.findGroupsByIds(dto.getGroupIds());
+            if (groups.size() != dto.getGroupIds().size()) {
+                throw DomainException.notFound(ErrorCode.GROUP_NOT_FOUND, "One or more group IDs do not exist");
+            }
             groups.forEach(g -> groupIds.add(g.getId()));
         }
 
diff --git a/backend/src/test/java/org/raddatz/familienarchiv/user/InviteServiceTest.java b/backend/src/test/java/org/raddatz/familienarchiv/user/InviteServiceTest.java
index 8826dfd4..60e87066 100644
--- a/backend/src/test/java/org/raddatz/familienarchiv/user/InviteServiceTest.java
+++ b/backend/src/test/java/org/raddatz/familienarchiv/user/InviteServiceTest.java
@@ -156,6 +156,20 @@ class InviteServiceTest {
         assertThat(result.getGroupIds()).contains(g.getId());
     }
 
+    @Test
+    void createInvite_throwsGroupNotFound_whenSubmittedGroupIdDoesNotExist() {
+        UUID unknownGroupId = UUID.randomUUID();
+        when(userService.findGroupsByIds(List.of(unknownGroupId))).thenReturn(List.of());
+
+        CreateInviteRequest req = new CreateInviteRequest();
+        req.setGroupIds(List.of(unknownGroupId));
+
+        assertThatThrownBy(() -> inviteService.createInvite(req, admin))
+                .isInstanceOf(DomainException.class)
+                .extracting(e -> ((DomainException) e).getCode())
+                .isEqualTo(ErrorCode.GROUP_NOT_FOUND);
+    }
+
     // ─── redeemInvite ─────────────────────────────────────────────────────────
 
     @Test