Currently, the UIDocumentServiceImpl#loadEntityToPersonDoc method pulls group memberships from GroupService#getGroupsForPrincipal. While wildly useful in other contexts (such as finding out which responsiblities a principal has through a group), in this context it's deadly: getGroupsForPrincipal returns all memberships in groups and all memberships implied by groups being members in other groups.

Basically, if principal kmoutlaw is a member of group A, and group A is a member of group B, then when you do an IM Person doc on kmoutlaw, the memberships for both group A and group B are shown as editable. Editors might miss this and simply save the doc, thereby making kmoutlaw a direct member of group A and group B. The second time we open an IM person doc on kmoutlaw, both the direct membership to group B and the indirect membership (through group A) to group B are editable...which leads to optimistic lock exceptions.

On the IM Person doc, only direct group memberships should be editable.

Note from James on how to fix this issue (listed on KFSMI-5987):
James Smith added a comment - 13/Sep/10 05:20 PM
To fix said issue, I changed this line in UIDocumentServiceImpl#loadEntityToPersonDoc:

List<? extends Group> groups = getGroupService().getGroupsForPrincipal(identityManagementPersonDocument.getPrincipalId());

to this:

List<? extends Group> groups = getGroupsByIds(getGroupService().getDirectGroupIdsForPrincipal(identityManagementPersonDocument.getPrincipalId()));

and added this method (all of this is in UA's override of that service):

/**

• Looks up GroupInfo objects for each group id passed in
• @param groupIds the List of group ids to look up GroupInfo records on
• @return a List of GroupInfo records
  */
  protected List<? extends Group> getGroupsByIds(List<String> groupIds) {
  List<GroupInfo> groups = new ArrayList<GroupInfo>();
  for (String groupId : groupIds) { final GroupInfo groupInfo = getGroupService().getGroupInfo(groupId); groups.add(groupInfo); }

  return groups;
  }