backend/src/main/java/org/raddatz/familienarchiv/user/UserService.java

@@ -271,9 +271,10 @@ public class UserService {
 
     @Transactional
     public UserGroup createGroup(GroupDTO dto) {
-        UserGroup group = new UserGroup();
+        UserGroup group = UserGroup.builder()
-        group.setName(dto.getName());
+                .name(dto.getName())
-        group.setPermissions(dto.getPermissions());
+                .permissions(dto.getPermissions() != null ? dto.getPermissions() : new HashSet<>())
+                .build();
         return groupRepository.save(group);
     }
 

backend/src/test/java/org/raddatz/familienarchiv/user/UserServiceTest.java

@@ -902,4 +902,18 @@ class UserServiceTest {
         assertThat(result.getName()).isEqualTo("Familie");
         assertThat(result.getPermissions()).containsExactlyInAnyOrder("READ_ALL", "WRITE_ALL");
     }
+
+    @Test
+    void createGroup_withNullPermissions_savesGroupWithEmptyPermissionSet() {
+        org.raddatz.familienarchiv.user.GroupDTO dto = new org.raddatz.familienarchiv.user.GroupDTO();
+        dto.setName("Leser");
+        dto.setPermissions(null);
+
+        UserGroup saved = UserGroup.builder().id(UUID.randomUUID()).name("Leser").build();
+        when(groupRepository.save(any())).thenReturn(saved);
+
+        userService.createGroup(dto);
+
+        verify(groupRepository).save(argThat(g -> g.getPermissions() != null && g.getPermissions().isEmpty()));
+    }
 }