
Add REST endpoint DELETE /worklist/{article_id}
Open, Needs Triage, Public

Description

NOTE: Remove sections that are not needed. Instead, leave the section and write NOT NEEDED as its content.

Background: REST endpoint to remove an article from an event's worklist. Called by the
delete action column frontend (task-11). Permission enforcement follows
the same rules as the UI: organizers may remove any article; participants may only remove
articles they added.

Type of story
  • Backend
Acceptance criteria
  • The endpoint is available only when the Worklist feature flag is enabled (T423606). When disabled, it returns a controlled error response (align with the chosen pattern in task-12).
  • Organizers of the event may remove any article from the worklist.
  • Registered participants may only remove articles they added (added_by_user_id matches their user ID); attempting to remove another participant's article returns 403.
  • If the event registration ID does not exist, the endpoint returns 404.
  • If the article ID does not exist or does not belong to this event, the endpoint returns 404.
  • Non-participants receive 403.
Depends on
  • T423332 (worklist store — removeArticle() which enforces the participant ownership check)
  • T423606 (Worklist feature flag gating must be implemented)
Testing required?
  • Yes
  • Minimum testing to pass QA:
    • With feature flag ON: unit tests cover 204 (organizer/participant allowed), 403 (forbidden cases), and 404 (event/article not found).
    • With feature flag OFF: the endpoint is not accessible.
  • Tested end-to-end in: task-11 (Worklist tab — delete action column)
Split patches suggestion
  • Branch 1: DELETE handler + route registration + unit tests
API documentation
== Remove article from worklist ==

Route: `/campaignevents/v0/event_registration/{id}/worklist/{article_id}`
Content type: `application/json`
Method: DELETE
Returns: 204 No Content on success.

Removes an article from the worklist of a given event registration. Organizers may remove any
article. Participants may only remove articles they added themselves.

=== Parameters ===

`id`
required | path
ID of the event registration.

`article_id`
required | path
ID of the worklist article to remove.

=== Responses ===

204
Success. The article was removed from the worklist.

403
The performer is not allowed to remove this article (non-participant, or participant trying to
remove an article added by another user).

404
The event registration or the worklist article does not exist.
Gherkin scenarios
NOTE: These are all drafts and we will refine them.

Feature: Remove article from event worklist via REST API

  • Scenario: Organizer removes any article
    • Given an event registration exists with ID 1
    • And worklist article with ID 42 exists on event 1, added by participant user 99
    • And the current user is an organizer of event 1
    • When the user sends DELETE /campaignevents/v0/event_registration/1/worklist/42
    • Then the response status is 204
    • And the article is no longer in the worklist
  • Scenario: Participant removes their own article
    • Given an event registration exists with ID 1
    • And worklist article with ID 43 exists on event 1, added by the current user
    • And the current user is a registered participant of event 1
    • When the user sends DELETE /campaignevents/v0/event_registration/1/worklist/43
    • Then the response status is 204
  • Scenario: Participant tries to remove another user's article
    • Given an event registration exists with ID 1
    • And worklist article with ID 44 exists on event 1, added by a different participant
    • And the current user is a registered participant of event 1 but did not add article 44
    • When the user sends DELETE /campaignevents/v0/event_registration/1/worklist/44
    • Then the response status is 403
  • Scenario: Non-participant tries to remove an article
    • Given an event registration exists with ID 1
    • And worklist article with ID 42 exists on event 1
    • And the current user is not an organizer or participant of event 1
    • When the user sends DELETE /campaignevents/v0/event_registration/1/worklist/42
    • Then the response status is 403
  • Scenario: Event registration does not exist
    • Given no event registration exists with ID 999
    • When the user sends DELETE /campaignevents/v0/event_registration/999/worklist/42
    • Then the response status is 404
  • Scenario: Worklist article does not exist
    • Given an event registration exists with ID 1
    • And the current user is an organizer of event 1
    • And no worklist article with ID 999 exists
    • When the user sends DELETE /campaignevents/v0/event_registration/1/worklist/999
    • Then the response status is 404
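
The status rules above can be modelled as a single decision function. This is an added example, not code from the CampaignEvents extension: the names (`Event`, `Article`, `delete_status`, `sample_state`), the in-memory dicts, the user IDs and the order of the 403/404 checks are assumptions, and the feature-flag gate is left out because its error response is not yet defined.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Article:            # constructed model of a worklist row
    event_id: int
    added_by_user_id: int

@dataclass(frozen=True)
class Event:              # constructed model of an event registration
    organizers: frozenset
    participants: frozenset

def sample_state():
    """Constructed fixtures mirroring the IDs used in the scenarios."""
    events = {
        1: Event(frozenset({10}), frozenset({99, 100})),
        2: Event(frozenset({20}), frozenset({99})),
    }
    articles = {
        42: Article(event_id=1, added_by_user_id=99),
        43: Article(event_id=1, added_by_user_id=100),
        44: Article(event_id=1, added_by_user_id=99),
        50: Article(event_id=2, added_by_user_id=99),
    }
    return events, articles

def delete_status(events, articles, user_id, event_id, article_id):
    """Status for DELETE .../event_registration/{id}/worklist/{article_id}."""
    event = events.get(event_id)
    if event is None:
        return 404                      # unknown event registration
    is_organizer = user_id in event.organizers
    if not is_organizer and user_id not in event.participants:
        # Assumed ordering: refuse outsiders before the article lookup so
        # 403 vs 404 does not reveal which article IDs exist.
        return 403
    article = articles.get(article_id)
    if article is None or article.event_id != event_id:
        # An article of another event is treated as absent, so the {id}
        # in the path cannot be used to reach across events.
        return 404
    if not is_organizer and article.added_by_user_id != user_id:
        return 403                      # participant, but not the adder
    del articles[article_id]
    return 204
```

The cross-event case (an organizer of event 1 addressing an article that belongs to event 2) is not among the draft scenarios but follows from the "does not belong to this event" acceptance criterion.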

Event Timeline

Registered participants may only remove articles they added (added_by_user_id matches their user ID); attempting to remove another participant's article returns 403.

Here too a dependency on the behaviour layer (no task exists yet)