Added user-group name pattern (issue #33).

Change-Id: I578592045d0e64c2daf4cdfdb2df1d4659629820
diff --git a/full/Changes b/full/Changes
index 3ab4839..0256d49 100644
--- a/full/Changes
+++ b/full/Changes
@@ -1,6 +1,8 @@
 # version 0.62.2
 17/10/2019
-   - Handled vulnerability CVE-2019-17195.
+   - Handled vulnerability CVE-2019-17195. (margaretha)
+8/11/2019
+   - Added user-group name pattern (margaretha, issue #33)
 
 # version 0.62.1
 08/07/2019
diff --git a/full/src/main/java/de/ids_mannheim/korap/service/UserGroupService.java b/full/src/main/java/de/ids_mannheim/korap/service/UserGroupService.java
index e06e9b2..8eee9a4 100644
--- a/full/src/main/java/de/ids_mannheim/korap/service/UserGroupService.java
+++ b/full/src/main/java/de/ids_mannheim/korap/service/UserGroupService.java
@@ -8,6 +8,7 @@
 import java.util.Iterator;
 import java.util.List;
 import java.util.Set;
+import java.util.regex.Pattern;
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -49,6 +50,8 @@
     public static Logger jlog = LogManager.getLogger(UserGroupService.class);
     public static boolean DEBUG = false;
     
+    public static Pattern groupNamePattern = Pattern.compile("[-\\w.]+");
+    
     @Autowired
     private UserGroupDao userGroupDao;
     @Autowired
@@ -215,9 +218,28 @@
     public void createUserGroup (UserGroupJson groupJson, String createdBy)
             throws KustvaktException {
 
+        String name = groupJson.getName();
+        if (!groupNamePattern.matcher(name).matches()) {
+            throw new KustvaktException(StatusCodes.INVALID_ARGUMENT,
+                    "User-group name must only contains letters, numbers, "
+                            + "underscores, hypens and spaces",
+                    name);
+        }
+        
+        try{
+            userGroupDao.retrieveGroupByName(groupJson.getName());
+            throw new KustvaktException(StatusCodes.GROUP_EXISTS,
+                    "User-group name must be unique.");
+        }
+        catch (KustvaktException e) {
+            if (e.getStatusCode() != StatusCodes.NO_RESOURCE_FOUND){
+                throw e;
+            }
+        }
+        
         int groupId=0;
         try {
-            groupId = userGroupDao.createGroup(groupJson.getName(), createdBy,
+            groupId = userGroupDao.createGroup(name, createdBy,
                     UserGroupStatus.ACTIVE);
         }
         // handle DB exceptions, e.g. unique constraint
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/controller/UserGroupController.java b/full/src/main/java/de/ids_mannheim/korap/web/controller/UserGroupController.java
index 98298c8..4f66530 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/controller/UserGroupController.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/controller/UserGroupController.java
@@ -89,10 +89,8 @@
 
     /**
      * Lists user-groups for system-admin purposes. If username
-     * parameter
-     * is not specified, list user-groups of all users. If status is
-     * not
-     * specified, list user-groups of all statuses.
+     * parameter is not specified, list user-groups of all users. If
+     * status is not specified, list user-groups of all statuses.
      * 
      * @param securityContext
      * @param username
@@ -207,10 +205,11 @@
             throw kustvaktResponseHandler.throwit(e);
         }
     }
-    
+
     @DELETE
     @Path("{groupName}")
-    public Response deleteUserGroupByName (@Context SecurityContext securityContext,
+    public Response deleteUserGroupByName (
+            @Context SecurityContext securityContext,
             @PathParam("groupName") String groupName) {
         TokenContext context =
                 (TokenContext) securityContext.getUserPrincipal();
@@ -283,7 +282,8 @@
         }
     }
 
-    /** Very similar to addMemberRoles web-service, but allows deletion 
+    /**
+     * Very similar to addMemberRoles web-service, but allows deletion
      * as well.
      * 
      * @param securityContext
@@ -383,8 +383,7 @@
 
     /**
      * Handles requests to accept membership invitation. Only invited
-     * users
-     * can subscribe to the corresponding user-group.
+     * users can subscribe to the corresponding user-group.
      * 
      * @param securityContext
      * @param groupId
@@ -411,8 +410,7 @@
 
     /**
      * Handles requests to reject membership invitation. A member can
-     * only
-     * unsubscribe him/herself from a group.
+     * only unsubscribe him/herself from a group.
      * 
      * Implemented identical to delete group member.
      * 
diff --git a/full/src/main/resources/db/test/V3.1__insert_virtual_corpus.sql b/full/src/main/resources/db/test/V3.1__insert_virtual_corpus.sql
index 3a0a054..ea8f1f7 100644
--- a/full/src/main/resources/db/test/V3.1__insert_virtual_corpus.sql
+++ b/full/src/main/resources/db/test/V3.1__insert_virtual_corpus.sql
@@ -2,61 +2,61 @@
 
 -- user groups
 INSERT INTO user_group(name,status,created_by) 
-	VALUES ("marlin group","ACTIVE","marlin");
+	VALUES ("marlin-group","ACTIVE","marlin");
 	
 INSERT INTO user_group(name,status,created_by) 
-	VALUES ("dory group","ACTIVE","dory");
+	VALUES ("dory-group","ACTIVE","dory");
 
 INSERT INTO user_group(name,status,created_by) 
-	VALUES ("auto group","HIDDEN","system");
+	VALUES ("auto-group","HIDDEN","system");
 
 --INSERT INTO user_group(name,status,created_by) 
 --	VALUES ("all users","HIDDEN","system");
 
 INSERT INTO user_group(name,status,created_by, deleted_by) 
-	VALUES ("deleted group","DELETED","dory", "dory");
+	VALUES ("deleted-group","DELETED","dory", "dory");
 
 
 
 -- user group members
 INSERT INTO user_group_member(user_id, group_id, status, created_by)
 	SELECT "marlin",
-		(SELECT id from user_group where name = "marlin group"),
+		(SELECT id from user_group where name = "marlin-group"),
 		"ACTIVE","marlin";
 
 INSERT INTO user_group_member(user_id, group_id, status, created_by)
 	SELECT "dory",
-		(SELECT id from user_group where name = "marlin group"),
+		(SELECT id from user_group where name = "marlin-group"),
 		"ACTIVE","marlin";
 		
 INSERT INTO user_group_member(user_id, group_id, status, created_by)
 	SELECT "dory",
-		(SELECT id from user_group where name = "dory group"),
+		(SELECT id from user_group where name = "dory-group"),
 		"ACTIVE","dory";
 
 INSERT INTO user_group_member(user_id, group_id, status, created_by)
 	SELECT "nemo",
-		(SELECT id from user_group where name = "dory group"),
+		(SELECT id from user_group where name = "dory-group"),
 		"ACTIVE","dory";
 
 INSERT INTO user_group_member(user_id, group_id, status, created_by)
 	SELECT "marlin",
-		(SELECT id from user_group where name = "dory group"),
+		(SELECT id from user_group where name = "dory-group"),
 		"PENDING","dory";
 	
 INSERT INTO user_group_member(user_id, group_id, status, created_by, deleted_by)
 	SELECT "pearl",
-		(SELECT id from user_group where name = "dory group"),
+		(SELECT id from user_group where name = "dory-group"),
 		"DELETED","dory", "pearl";
 
 INSERT INTO user_group_member(user_id, group_id, status, created_by)
 	SELECT "pearl",
-		(SELECT id from user_group where name = "auto group"),
+		(SELECT id from user_group where name = "auto-group"),
 		"ACTIVE","system";
 
 INSERT INTO user_group_member(user_id, group_id, status, created_by)
 	SELECT "dory",
-		(SELECT id from user_group where name = "deleted group"),
+		(SELECT id from user_group where name = "deleted-group"),
 		"ACTIVE","dory";
 
 		
@@ -89,7 +89,7 @@
 INSERT INTO virtual_corpus_access(virtual_corpus_id, user_group_id, status, created_by) 
 	SELECT 
 		(SELECT id from virtual_corpus where name = "group-vc"), 
-		(SELECT id from user_group where name = "dory group"), 
+		(SELECT id from user_group where name = "dory-group"), 
 		"ACTIVE", "dory";
 
 --INSERT INTO virtual_corpus_access(virtual_corpus_id, user_group_id, status, created_by) 
@@ -101,13 +101,13 @@
 INSERT INTO virtual_corpus_access(virtual_corpus_id, user_group_id, status, created_by) 
 	SELECT 
 		(SELECT id from virtual_corpus where name = "published-vc"),
-		(SELECT id from user_group where name = "marlin group"),
+		(SELECT id from user_group where name = "marlin-group"),
 		"ACTIVE", "marlin";
 
 INSERT INTO virtual_corpus_access(virtual_corpus_id, user_group_id, status, created_by) 
 	SELECT 
 		(SELECT id from virtual_corpus where name = "published-vc"),
-		(SELECT id from user_group where name = "auto group"),
+		(SELECT id from user_group where name = "auto-group"),
 		"HIDDEN", "system";
 
 	
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/UserGroupControllerAdminTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/UserGroupControllerAdminTest.java
index 5e66b23..cabc5da 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/UserGroupControllerAdminTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/UserGroupControllerAdminTest.java
@@ -153,7 +153,8 @@
             ClientHandlerException, KustvaktException {
 
         UserGroupJson json = new UserGroupJson();
-        json.setName("admin test group");
+        String groupName = "admin-test-group";
+        json.setName(groupName);
         json.setMembers(new String[] { "marlin", "nemo" });
 
         ClientResponse response = resource().path(API_VERSION).path("group").path("create")
@@ -171,7 +172,7 @@
         JsonNode node = listGroup(testUsername);
         assertEquals(1, node.size());
         node = node.get(0);
-        assertEquals("admin test group", node.get("name").asText());
+        assertEquals(groupName, node.get("name").asText());
 
         String groupId = node.get("id").asText();
         testMemberRole("marlin", groupId);
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/UserGroupControllerTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/UserGroupControllerTest.java
index a0876ee..52880e7 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/UserGroupControllerTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/UserGroupControllerTest.java
@@ -70,7 +70,7 @@
         assertEquals(Status.OK.getStatusCode(), response.getStatus());
     }
 
-    // dory is a group admin in dory group
+    // dory is a group admin in dory-group
     @Test
     public void testListDoryGroups () throws KustvaktException {
         ClientResponse response = resource().path(API_VERSION).path("group")
@@ -86,12 +86,12 @@
         JsonNode node = JsonUtils.readTree(entity);
         JsonNode group = node.get(1);
         assertEquals(2, group.at("/id").asInt());
-        assertEquals("dory group", group.at("/name").asText());
+        assertEquals("dory-group", group.at("/name").asText());
         assertEquals("dory", group.at("/owner").asText());
         assertEquals(3, group.at("/members").size());
     }
 
-    // nemo is a group member in dory group
+    // nemo is a group member in dory-group
     @Test
     public void testListNemoGroups () throws KustvaktException {
         ClientResponse response = resource().path(API_VERSION).path("group")
@@ -106,7 +106,7 @@
         JsonNode node = JsonUtils.readTree(entity);
 
         assertEquals(2, node.at("/0/id").asInt());
-        assertEquals("dory group", node.at("/0/name").asText());
+        assertEquals("dory-group", node.at("/0/name").asText());
         assertEquals("dory", node.at("/0/owner").asText());
         // group members are not allowed to see other members
         assertEquals(0, node.at("/0/members").size());
@@ -151,15 +151,7 @@
         json.setName(groupName);
         json.setMembers(new String[] {});
 
-        ClientResponse response = resource().path(API_VERSION).path("group")
-                .path("create").type(MediaType.APPLICATION_JSON)
-                .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
-                        .createBasicAuthorizationHeaderValue(username, "pass"))
-                .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32").entity(json)
-                .post(ClientResponse.class);
-
-        assertEquals(Status.OK.getStatusCode(), response.getStatus());
-     
+        testCreateUserGroup(json);
         deleteGroupByName(groupName);
     }
 
@@ -171,6 +163,12 @@
         UserGroupJson json = new UserGroupJson();
         json.setName(groupName);
 
+        testCreateUserGroup(json);
+        deleteGroupByName(groupName);
+    }
+    
+    private void testCreateUserGroup (UserGroupJson json) throws UniformInterfaceException,
+            ClientHandlerException, KustvaktException {
         ClientResponse response = resource().path(API_VERSION).path("group")
                 .path("create").type(MediaType.APPLICATION_JSON)
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
@@ -179,16 +177,30 @@
                 .post(ClientResponse.class);
 
         assertEquals(Status.OK.getStatusCode(), response.getStatus());
+    }
+    
+    private void testCreateSameGroupName (UserGroupJson json)
+            throws UniformInterfaceException, ClientHandlerException,
+            KustvaktException {
+        ClientResponse response = resource().path(API_VERSION).path("group")
+                .path("create").type(MediaType.APPLICATION_JSON)
+                .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
+                        .createBasicAuthorizationHeaderValue(username, "pass"))
+                .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32").entity(json)
+                .post(ClientResponse.class);
+
+        assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
         
-        deleteGroupByName(groupName);
+        JsonNode node = JsonUtils.readTree(response.getEntity(String.class));
+        assertEquals(StatusCodes.GROUP_EXISTS, node.at("/errors/0/0").asInt());
     }
     
     @Test
-    public void testUserGroup () throws UniformInterfaceException,
+    public void testCreateGroupInvalidName () throws UniformInterfaceException,
             ClientHandlerException, KustvaktException {
-
         UserGroupJson json = new UserGroupJson();
-        json.setName("new user group");
+        String groupName = "invalid-group-name$"; 
+        json.setName(groupName);
         json.setMembers(new String[] { "marlin", "nemo" });
 
         ClientResponse response = resource().path(API_VERSION).path("group")
@@ -197,22 +209,33 @@
                         .createBasicAuthorizationHeaderValue(username, "pass"))
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32").entity(json)
                 .post(ClientResponse.class);
+        
+        assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
+        
+        JsonNode node = JsonUtils.readTree(response.getEntity(String.class));
+        assertEquals(StatusCodes.INVALID_ARGUMENT, node.at("/errors/0/0").asInt());
+        assertEquals("User-group name must only contains letters, numbers, "
+                + "underscores, hypens and spaces", node.at("/errors/0/1").asText());
+        assertEquals("invalid-group-name$", node.at("/errors/0/2").asText());
+    }
+    
+    @Test
+    public void testUserGroup () throws UniformInterfaceException,
+            ClientHandlerException, KustvaktException {
 
-        assertEquals(Status.OK.getStatusCode(), response.getStatus());
+        UserGroupJson json = new UserGroupJson();
+        String groupName = "new-user-group"; 
+        json.setName(groupName);
+        json.setMembers(new String[] { "marlin", "nemo" });
+
+        testCreateUserGroup(json);
+        testCreateSameGroupName(json);
 
         // list user group
-        response = resource().path(API_VERSION).path("group").path("list")
-                .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
-                        .createBasicAuthorizationHeaderValue(username, "pass"))
-                .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
-                .get(ClientResponse.class);
-
-        String entity = response.getEntity(String.class);
-        // System.out.println(entity);
-        JsonNode node = JsonUtils.readTree(entity);
+        JsonNode node = retrieveUserGroups(username);;
         assertEquals(1, node.size());
         node = node.get(0);
-        assertEquals("new user group", node.get("name").asText());
+        assertEquals("new-user-group", node.get("name").asText());
         String groupId = node.get("id").asText();
 
         assertEquals(username, node.get("owner").asText());
@@ -290,7 +313,7 @@
         // dory delete pearl
         ClientResponse response = resource().path(API_VERSION).path("group")
                 .path("member")
-                // dory group
+                // dory-group
                 .path("delete").path("2").path("pearl")
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue("dory", "pass"))
@@ -320,9 +343,9 @@
         assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
         assertEquals(StatusCodes.GROUP_MEMBER_DELETED,
                 node.at("/errors/0/0").asInt());
-        assertEquals("pearl has already been deleted from the group dory group",
+        assertEquals("pearl has already been deleted from the group dory-group",
                 node.at("/errors/0/1").asText());
-        assertEquals("[pearl, dory group]", node.at("/errors/0/2").asText());
+        assertEquals("[pearl, dory-group]", node.at("/errors/0/2").asText());
     }
 
     private void testDeleteGroup (String groupId)
@@ -398,9 +421,9 @@
         String entity = response.getEntity(String.class);
         JsonNode node = JsonUtils.readTree(entity);
         assertEquals(StatusCodes.GROUP_DELETED, node.at("/errors/0/0").asInt());
-        assertEquals("Group deleted group has been deleted.",
+        assertEquals("Group deleted-group has been deleted.",
                 node.at("/errors/0/1").asText());
-        assertEquals("deleted group", node.at("/errors/0/2").asText());
+        assertEquals("deleted-group", node.at("/errors/0/2").asText());
     }
 
     @Test
@@ -491,7 +514,7 @@
     @Test
     public void testInviteDeletedMember2 () throws UniformInterfaceException,
             ClientHandlerException, KustvaktException {
-        // pearl has status deleted in dory group
+        // pearl has status deleted in dory-group
         String[] members = new String[] { "pearl" };
 
         UserGroupJson userGroup = new UserGroupJson();
@@ -521,7 +544,7 @@
     @Test
     public void testInvitePendingMember () throws UniformInterfaceException,
             ClientHandlerException, KustvaktException {
-        // marlin has status PENDING in dory group
+        // marlin has status PENDING in dory-group
         String[] members = new String[] { "marlin" };
 
         UserGroupJson userGroup = new UserGroupJson();
@@ -543,16 +566,16 @@
                 node.at("/errors/0/0").asInt());
         assertEquals(
                 "Username marlin with status PENDING exists in the user-group "
-                        + "dory group",
+                        + "dory-group",
                 node.at("/errors/0/1").asText());
-        assertEquals("[marlin, PENDING, dory group]",
+        assertEquals("[marlin, PENDING, dory-group]",
                 node.at("/errors/0/2").asText());
     }
 
     @Test
     public void testInviteActiveMember () throws UniformInterfaceException,
             ClientHandlerException, KustvaktException {
-        // nemo has status active in dory group
+        // nemo has status active in dory-group
         String[] members = new String[] { "nemo" };
 
         UserGroupJson userGroup = new UserGroupJson();
@@ -575,9 +598,9 @@
                 node.at("/errors/0/0").asInt());
         assertEquals(
                 "Username nemo with status ACTIVE exists in the user-group "
-                        + "dory group",
+                        + "dory-group",
                 node.at("/errors/0/1").asText());
-        assertEquals("[nemo, ACTIVE, dory group]",
+        assertEquals("[nemo, ACTIVE, dory-group]",
                 node.at("/errors/0/2").asText());
     }
 
@@ -604,12 +627,12 @@
         String entity = response.getEntity(String.class);
         JsonNode node = JsonUtils.readTree(entity);
         assertEquals(StatusCodes.GROUP_DELETED, node.at("/errors/0/0").asInt());
-        assertEquals("Group deleted group has been deleted.",
+        assertEquals("Group deleted-group has been deleted.",
                 node.at("/errors/0/1").asText());
-        assertEquals("deleted group", node.at("/errors/0/2").asText());
+        assertEquals("deleted-group", node.at("/errors/0/2").asText());
     }
 
-    // marlin has GroupMemberStatus.PENDING in dory group
+    // marlin has GroupMemberStatus.PENDING in dory-group
     @Test
     public void testSubscribePendingMember () throws KustvaktException {
         MultivaluedMap<String, String> form = new MultivaluedMapImpl();
@@ -631,7 +654,7 @@
 
         JsonNode group = node.get(1);
         assertEquals(2, group.at("/id").asInt());
-        assertEquals("dory group", group.at("/name").asText());
+        assertEquals("dory-group", group.at("/name").asText());
         assertEquals("dory", group.at("/owner").asText());
         // group members are not allowed to see other members
         assertEquals(0, group.at("/members").size());
@@ -642,16 +665,16 @@
         assertEquals(PredefinedRole.VC_ACCESS_MEMBER.name(),
                 group.at("/userRoles/1").asText());
 
-        // unsubscribe marlin from dory group
+        // unsubscribe marlin from dory-group
         testUnsubscribeActiveMember(form);
         checkGroupMemberRole("2", "marlin");
 
-        // invite marlin to dory group to set back the
+        // invite marlin to dory-group to set back the
         // GroupMemberStatus.PENDING
         testInviteDeletedMember();
     }
 
-    // pearl has GroupMemberStatus.DELETED in dory group
+    // pearl has GroupMemberStatus.DELETED in dory-group
     @Test
     public void testSubscribeDeletedMember () throws KustvaktException {
         MultivaluedMap<String, String> form = new MultivaluedMapImpl();
@@ -669,7 +692,7 @@
         assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
         assertEquals(StatusCodes.GROUP_MEMBER_DELETED,
                 node.at("/errors/0/0").asInt());
-        assertEquals("pearl has already been deleted from the group dory group",
+        assertEquals("pearl has already been deleted from the group dory-group",
                 node.at("/errors/0/1").asText());
     }
 
@@ -753,7 +776,7 @@
         String entity = response.getEntity(String.class);
         JsonNode node = JsonUtils.readTree(entity);
         assertEquals(StatusCodes.GROUP_DELETED, node.at("/errors/0/0").asInt());
-        assertEquals("Group new user group has been deleted.",
+        assertEquals("Group new-user-group has been deleted.",
                 node.at("/errors/0/1").asText());
     }
 
@@ -801,9 +824,9 @@
     public void testUnsubscribeDeletedMember ()
             throws UniformInterfaceException, ClientHandlerException,
             KustvaktException {
-        // pearl unsubscribes from dory group
+        // pearl unsubscribes from dory-group
         MultivaluedMap<String, String> form = new MultivaluedMapImpl();
-        // dory group
+        // dory-group
         form.add("groupId", "2");
 
         ClientResponse response = resource().path(API_VERSION).path("group")
@@ -819,9 +842,9 @@
         assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
         assertEquals(StatusCodes.GROUP_MEMBER_DELETED,
                 node.at("/errors/0/0").asInt());
-        assertEquals("pearl has already been deleted from the group dory group",
+        assertEquals("pearl has already been deleted from the group dory-group",
                 node.at("/errors/0/1").asText());
-        assertEquals("[pearl, dory group]", node.at("/errors/0/2").asText());
+        assertEquals("[pearl, dory-group]", node.at("/errors/0/2").asText());
     }
 
     @Test
@@ -833,7 +856,7 @@
         assertEquals(2, node.size());
 
         MultivaluedMap<String, String> form = new MultivaluedMapImpl();
-        // dory group
+        // dory-group
         form.add("groupId", "2");
 
         ClientResponse response = resource().path(API_VERSION).path("group")
@@ -848,7 +871,7 @@
         node = retrieveUserGroups("marlin");
         assertEquals(1, node.size());
 
-        // invite marlin to dory group to set back the
+        // invite marlin to dory-group to set back the
         // GroupMemberStatus.PENDING
         testInviteDeletedMember();
     }
@@ -939,7 +962,7 @@
         String entity = response.getEntity(String.class);
         JsonNode node = JsonUtils.readTree(entity);
         assertEquals(StatusCodes.GROUP_DELETED, node.at("/errors/0/0").asInt());
-        assertEquals("Group new user group has been deleted.",
+        assertEquals("Group new-user-group has been deleted.",
                 node.at("/errors/0/1").asText());
     }
 
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusControllerAdminTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusControllerAdminTest.java
index cb868d3..aa0da5d 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusControllerAdminTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusControllerAdminTest.java
@@ -258,7 +258,7 @@
             ClientHandlerException, KustvaktException {
         String vcCreator = "marlin";
         String vcName = "marlin-vc";
-        String groupName = "marlin group";
+        String groupName = "marlin-group";
 
         testCreateVCAccess(vcCreator, vcName, groupName);
         JsonNode node = testlistAccessByGroup(groupName);
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusControllerTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusControllerTest.java
index 63ba359..297d3ab 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusControllerTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusControllerTest.java
@@ -783,7 +783,7 @@
 
     @Test
     public void testlistAccessByNonVCAAdmin () throws KustvaktException {
-        JsonNode node = testlistAccessByGroup("nemo", "dory group");
+        JsonNode node = testlistAccessByGroup("nemo", "dory-group");
         assertEquals(StatusCodes.AUTHORIZATION_FAILED,
                 node.at("/errors/0/0").asInt());
         assertEquals("Unauthorized operation for user: nemo",
@@ -814,7 +814,7 @@
     @Test
     public void testlistAccessByGroup () throws KustvaktException {
         ClientResponse response = resource().path(API_VERSION).path("vc")
-                .path("access").queryParam("groupName", "dory group")
+                .path("access").queryParam("groupName", "dory-group")
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue("dory", "pass"))
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
@@ -827,7 +827,7 @@
         assertEquals("group-vc", node.at("/0/vcName").asText());
         assertEquals(2, node.at("/0/userGroupId").asInt());
 
-        assertEquals("dory group", node.at("/0/userGroupName").asText());
+        assertEquals("dory-group", node.at("/0/userGroupName").asText());
     }
 
     @Test
@@ -835,7 +835,7 @@
             ClientHandlerException, KustvaktException {
 
         String vcName = "marlin-vc";
-        String groupName = "marlin group";
+        String groupName = "marlin-group";
 
         // check the vc type
         JsonNode node = testSearchVC("marlin", "marlin", vcName);
@@ -954,7 +954,7 @@
 
         // nemo is not VCA in marlin group
         ClientResponse response = resource().path(API_VERSION).path("vc")
-                .path("nemo").path("nemo-vc").path("share").path("marlin group")
+                .path("nemo").path("nemo-vc").path("share").path("marlin-group")
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue("nemo", "pass"))
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")