Java and Rest API supports update and delete of task and process instance comments

[ThorbenLindhauer]

This issue was imported from JIRA:

Field	Value
JIRA Link	CAM-12761
Reporter	NYBzR2x What is this name? This pseudonym name was generated based on the user name in JIRA to protect the personal data of our JIRA users. You can use this identifier to search for issues by the same reporter.
Has restricted visibility comments	false

---

User story

When using ACTHICOMMENT to save user comments for tasks and process instances, I want to be able to update and delete comments.

Background

Currently, the rest API supports the creation of comments for tasks - to complete the functionality and user journey around comments, the ability to updated and delete comments via REST API is requested (also for process instances).

Acceptance criteria

• I can use the Rest API to update and delete comments added to tasks 
• All Comment APIs are covered by authorization checks
• cover OpenAPI documentation

Links:

• is caused by https://jira.camunda.com/browse/SUPPORT-9095
• is related to https://jira.camunda.com/browse/CAMPLAN-2

Pull requests

Beta Give feedback

1. feat(core) Add update and delete command Java/Rest APIs #4333
   +0
   
2. feat(core) Add update and delete comment Java/Rest APIs #4565
   ci:default-build ci:e2e ci:rest-api +3
   
3. chore(user-guide): add user op logs for comment camunda-docs-manual#1706
   +0
   
4. chore(openapi): fix process instance comment tag #4838
   ci:rest-api +1

[prajwolbhandari1]

Let me work on it

[prajwolbhandari1]

@ThorbenLindhauer do we need to change UI as well or just the API?

[prajwolbhandari1]

@ThorbenLindhauer @yanavasileva

I am thinking about these APIs:

DELETE - comment by ID, task ID or ProcessId

What do you guys think?

[yanavasileva]

Hi @prajwolbhandari1,

It's great to see you are onto your next contribution.

do we need to change UI as well or just the API?

The scope of the ticket is only REST and Java API, no need for changes in the UI.

DELETE - comment by ID, task ID or ProcessId

That's a good start. My tip is to have a look at delete attachment (Java/REST) API, it might be similar implementation.

I see the ticket scope targets an update comment API as well. If you consider covering that in your PR as well, you will need something like TaskService#saveComment(comment) and then PUT request similar to the updateTask REST API (link).

I hope that helps to get you out of the door.

Best,
Yana

[prajwolbhandari1]

Thanks for your reply Yana.

Let me work on these two endpoints:

1. Delete by commentID endpoint just what you have suggested above that is similar to attachment.
2. Update a comment endpoint as you have stated above.

Do we need to have endpoints that deletes all comments associated to taskId/processInstanceId or implementing above two endpoints will work for now?

Thank you again, Yana.

[prajwolbhandari1]

Looking into further, looks like deleting comments associated by taskId/processInstanceId makes sense. Let me implement those as well.

[prajwolbhandari1]

@yanavasileva story says it needs to do this:

All Comment APIs are covered by authorization checks

Can you point me out an example where it does it checks authorization checks?

[yanavasileva]

Here:
https://github.com/camunda/camunda-bpm-platform/blob/master/engine/src/main/java/org/camunda/bpm/engine/impl/GetDeployedTaskFormCmd.java#L49-L51
More info:
https://docs.camunda.org/manual/7.21/user-guide/process-engine/authorization-service/#permissions-by-resource
I would expect for both delete and update comments

• by task id to check for update permission on task resource
• by process instance id to check for update permission on process instance resource

You might notice that authorization checks are not performed for the existing comment (and attachment) APIs. I think we should still add them for newly introduced APIs. Also I don't think we need to introduce a new resources (similar to what's suggested here: #2090 (comment))

[prajwolbhandari1]

Here: https://github.com/camunda/camunda-bpm-platform/blob/master/engine/src/main/java/org/camunda/bpm/engine/impl/GetDeployedTaskFormCmd.java#L49-L51 More info: https://docs.camunda.org/manual/7.21/user-guide/process-engine/authorization-service/#permissions-by-resource I would expect for both delete and update comments

• by task id to check for update permission on task resource
• by process instance id to check for update permission on process instance resource

You might notice that authorization checks are not performed for the existing comment (and attachment) APIs. I think we should still add them for newly introduced APIs. Also I don't think we need to introduce a new resources (similar to what's suggested here: #2090 (comment))
-- You mean we do or don't need to introduce a new resource? Just wanted to make sure :)

[yanavasileva]

-- You mean we do or don't need to introduce a new resource? Just wanted to make sure :)

We don't need to introduce a new resource. My bad for the wording.

[prajwolbhandari1]

@yanavasileva opened a PR. Can you please take a look at it when you get a chance?

#4333

[prajwolbhandari1]

@yanavasileva Do you mind taking a look at this change?

[yanavasileva]

Requested changes from the contributor last week.

[yanavasileva]

Dev2QA handover

Prerequisite

• enable basic authentication for REST API
  • https://docs.camunda.org/manual/7.22/reference/rest/overview/authentication/
  • https://docs.camunda.org/manual/7.22/user-guide/camunda-bpm-run/#authentication

Scenarios

We should test manually the following scenarios:

• - Comment to a standalone task
• - Comment to a task part of a process
• - Comment to a process instance

Steps

with the following steps:

1. Create comment
2. Update comment => Observe in Cockpit operation log
3. Delete a comment => Observe in Cockpit operation log
4. Delete all comments => Observe in Cockpit operation log

Env

Server - free of choice
Database - Oracle or PostgreSQL.

Docs:

• Create comment - https://docs.camunda.org/manual/7.22/webapps/tasklist/working-with-tasklist/#comment-a-task
• View comment - https://docs.camunda.org/manual/7.22/webapps/tasklist/dashboard/#comments
• View operation log - https://docs.camunda.org/manual/7.22/webapps/cockpit/auditing/
• REST API
  • Task - https://stage.docs.camunda.org/rest/camunda-bpm-platform/7.23-SNAPSHOT/#tag/Task-Comment
  • Process instance - https://stage.docs.camunda.org/rest/camunda-bpm-platform/7.23-SNAPSHOT/#tag/Process-Instance/operation/getProcessInstanceComments

[yanavasileva]

Create follow up ticket for testing multi-tenancy, migration test, concurrent test, and user operation test. => #4826

[yanavasileva]

@gbetances089, dev to qa note is two comments above.

[gbetances089]

@yanavasileva I was having a look at this, but was not able to see the comment/entry on the cockpit log.

The steps I did were:

• enable the auth on run.
• setup postgres db:
  spring.datasource: url: jdbc:postgresql://localhost:5432/process-engine driver-class-name: org.postgresql.Driver username: camunda password: camunda
• Run a postgres docker image
• Create a diagram with a user task.
• Deploy and create an instance.
• On tasklist, assign and left a comment.

Also I was using the last 7.23 snapshot

Is there's something that I'm missing?

Video:
Screen Recording 2024-12-10 at 09.16.36.mov.zip

[yanavasileva]

@gbetances089, you need those two to enable the authorization and authentication

camunda.bpm:
  authorization.enabled: true
  run:
    auth.enabled: true

Then update or remove a comment.

[gbetances089]

@yanavasileva Im was able to see the entries on the logs have question tho:

• We are using the DeleteComment operation for both delete a single comment and delete all comments, couldn't be better to distinguish between does 2 operations? If this is outside of the scope/user is fine how its, will do a few more tests and close this later.

also something is not loading to me on the API docs is the process instance comments part, went there manually but can't see it, looking more deeper -> found it here at the end of the page 😵

[yanavasileva]

We are using the DeleteComment operation for both delete a single comment and delete all comments

I agree the user experience might be better if you can distinguish them. Let's keep it like this and iterate if we receive user's feedback. Reason here is to deliver fast and make changes if they are requested.

[gbetances089]

@yanavasileva Just one last thing, while testing the comment on the process instance.

• I created a process with 2 user tasks.
• Created an instance of this process.
• Comment on one of the user tasks via tasklist.
• Got the instance id via cockpit.
• Made the GET call to the /process-instance/{id}/comment
• Got a 200 code

But I don't see the body with the comment from the task in the process instance, did I miss something on my steps?

Screen.Recording.2024-12-12.at.11.17.54.mov

[yanavasileva]

As we discussed the created comment in this use case is a task comment. To create a process instance comment can be done via REST API by specifying the piId:

POST task/{taskId}/comment/create
{
  "message": "testSo5",
  "processInstanceId" : "processInstanceId"
}