Validation in SecurableResourceGroupRole class on securableResourceId field should prevent creating multiple SRGRs with the same securableResourceId and userGroupId, however repeated POSTs to the /api/${securableResourceDomainType}/${securableResourceId}/groupRoles/${groupRoleId}/userGroups/${userGroupId} endpoint in quick succession can bypass this validation. The system then will be unable to start again once shut down as SRGR validation will fail at next startup.
Steps to reproduce
Using the UI as Admin, create a top level folder.
Open folder and click change permissions button to open user access groups modal
Select Add Group, select editors, Editor in Group name and Access Level columns
Quickly click the green tick multiple times; multiple requests to add the SRGR will succeed
Expected behavior
Only one request to create the same SRGR should succeed, as per the SecurableResourceGroupRole domain validation.
Environment
Please complete the following information:
mdm-core latest develop
recent version of mdm-ui
Additional context
Related to mdm-ui/443, which has an approach to work around the issue in the UI by greying out submission buttons. Creating multiple DataModels with the same label is likely to be a similar issue with non-atomic validation.
Grails unique documentation: http://docs.grails.org/latest/ref/Constraints/unique.html. Save does not fail in this case because the unique constraint isn't enforced at the database level.
Some thoughts:
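The non-atomic validation described in this issue, as an added example that is not mdm-core code: two identical requests both pass an application-level uniqueness check before either saves, first without and then with a database-level unique index. SQLite stands in for the real database, and the table name, index name and function names are hypothetical; only the column names follow the fields named in the issue.

```python
import sqlite3

# Constructed schema: the table and index names are assumptions,
# not mdm-core's real schema.
SCHEMA = """CREATE TABLE srgr (
    securable_resource_id TEXT NOT NULL,
    user_group_id TEXT NOT NULL,
    group_role_id TEXT NOT NULL)"""
UNIQUE = """CREATE UNIQUE INDEX srgr_resource_group
    ON srgr (securable_resource_id, user_group_id)"""


def add_group_role(db, resource_id, group_id, role_id):
    """One POST, written as a generator so requests can be interleaved."""
    # Step 1: application-level uniqueness validation (a plain SELECT).
    exists = db.execute(
        "SELECT 1 FROM srgr WHERE securable_resource_id=? AND user_group_id=?",
        (resource_id, group_id)).fetchone()
    if exists:
        yield "rejected-by-validation"
        return
    yield "validated"  # window in which another request can also validate
    # Step 2: save. Only a database constraint can stop a duplicate here.
    try:
        db.execute("INSERT INTO srgr VALUES (?,?,?)",
                   (resource_id, group_id, role_id))
        yield "created"
    except sqlite3.IntegrityError:
        yield "conflict"  # a real handler would return an HTTP conflict


def double_click(db_unique):
    """Two identical requests that both validate before either saves."""
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute(SCHEMA)
    if db_unique:
        db.execute(UNIQUE)
    # Constructed sample values for the three identifiers.
    a = add_group_role(db, "folder-1", "editors", "editor")
    b = add_group_role(db, "folder-1", "editors", "editor")
    steps = [next(a), next(b), next(a), next(b)]
    rows = db.execute("SELECT COUNT(*) FROM srgr").fetchone()[0]
    return steps, rows


if __name__ == "__main__":
    print(double_click(db_unique=False))  # duplicate row is stored
    print(double_click(db_unique=True))   # second save is refused
```
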