From fe7ad751dd2892b35f09382bbed10ea0e7d576ec Mon Sep 17 00:00:00 2001
From: Kat
Date: Tue, 5 Mar 2024 09:10:46 +0000
Subject: [PATCH] Add delete confirmation page

---
 app/controllers/users_controller.rb          |  8 +++
 app/policies/user_policy.rb                  |  8 +++
 app/views/users/delete_confirmation.html.erb | 24 +++++++
 config/routes.rb                             |  2 +
 spec/requests/users_controller_spec.rb       | 66 ++++++++++++++++++++
 5 files changed, 108 insertions(+)
 create mode 100644 app/views/users/delete_confirmation.html.erb

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index a9344f0f7..b2c74433e 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -122,6 +122,14 @@ class UsersController < ApplicationController
     end
   end
 
+  def delete_confirmation
+    authorize @user
+  end
+
+  def delete
+    authorize @user
+  end
+
   private
 
   def validate_attributes
diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
index a4b1a3d5c..31637e701 100644
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@@ -33,4 +33,12 @@ class UserPolicy
       (@current_user == @user || @current_user.data_coordinator? || @current_user.support?) && @user.active?
     end
   end
+
+  def delete_confirmation?
+    current_user.support?
+  end
+
+  def delete?
+    current_user.support?
+  end
 end
diff --git a/app/views/users/delete_confirmation.html.erb b/app/views/users/delete_confirmation.html.erb
new file mode 100644
index 000000000..46b94d54d
--- /dev/null
+++ b/app/views/users/delete_confirmation.html.erb
@@ -0,0 +1,24 @@
+<% content_for :before_content do %>
+  <% content_for :title, "Are you sure you want to delete this user?" %>
+  <%= govuk_back_link(href: :back) %>
+<% end %>
+
+
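Review bot: `delete` in the controller hunk only authorizes and never destroys or deactivates the record nor renders or redirects, so the `DELETE /users/:id/delete` request that the new confirmation page submits will fall through to an implicit render of a `delete` template that this patch does not add. If this is deliberate scaffolding for a follow-up commit, say so on the action, e.g. `# TODO: destroy/deactivate @user and redirect; placeholder until the delete flow lands`, so the no-op route is not mistaken for a working destructive endpoint. Also confirm that the `before_action` which assigns `@user` (outside this hunk) covers the two new actions, since `authorize @user` with a nil `@user` would not resolve against `UserPolicy`.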
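Review bot: `delete?` in the policy hunk grants any support user the right to delete any user, including themselves, and unlike the neighbouring policy methods it never looks at `@user` at all; if self-deletion is not intended, guard it with `@current_user.support? && @current_user != @user` (same for `delete_confirmation?`). The new methods also switch from the `@current_user` ivar used three lines above to a `current_user` reader, which presumably exists, but mixing the two styles in one class is worth settling on one form.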
+
+ Delete <%= @user.name %> +

+ <%= content_for(:title) %> +

+ + <%= govuk_warning_text(text: "You will not be able to undo this action.") %> + +
+ <%= govuk_button_to( + "Delete this user", + delete_user_path(@user), + method: :delete, + ) %> + <%= govuk_button_link_to "Cancel", user_path(@user), html: { method: :get }, secondary: true %> +
+
+
\ No newline at end of file
diff --git a/config/routes.rb b/config/routes.rb
index f0f497291..79dcf0a04 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -129,6 +129,8 @@ Rails.application.routes.draw do
       get "deactivate", to: "users#deactivate"
       get "reactivate", to: "users#reactivate"
       post "resend-invite", to: "users#resend_invite"
+      get "delete-confirmation", to: "users#delete_confirmation"
+      delete "delete", to: "users#delete"
     end
   end
diff --git a/spec/requests/users_controller_spec.rb b/spec/requests/users_controller_spec.rb
index ddc457f6c..3f8b59d98 100644
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@@ -103,6 +103,13 @@ RSpec.describe UsersController, type: :request do
         expect(response).to redirect_to(new_user_session_path)
       end
     end
+
+    describe "#delete-confirmation" do
+      it "redirects to the sign in page" do
+        get "/users/#{user.id}/delete-confirmation"
+        expect(response).to redirect_to("/account/sign-in")
+      end
+    end
   end
 
   context "when user is signed in as a data provider" do
@@ -381,6 +388,18 @@ RSpec.describe UsersController, type: :request do
         expect(response).to have_http_status(:unauthorized)
       end
     end
+
+    describe "#delete-confirmation" do
+      before do
+        allow(user).to receive(:need_two_factor_authentication?).and_return(false)
+        sign_in user
+        get "/users/#{user.id}/delete-confirmation"
+      end
+
+      it "returns 401 unauthorized" do
+        expect(response).to have_http_status(:unauthorized)
+      end
+    end
   end
 
   context "when user is signed in as a data coordinator" do
@@ -1162,6 +1181,18 @@ RSpec.describe UsersController, type: :request do
         end
       end
     end
+
+    describe "#delete-confirmation" do
+      before do
+        allow(user).to receive(:need_two_factor_authentication?).and_return(false)
+        sign_in user
+        get "/users/#{user.id}/delete-confirmation"
+      end
+
+      it "returns 401 unauthorized" do
+        expect(response).to have_http_status(:unauthorized)
+      end
+    end
   end
 
   context "when user is signed in as a support user" do
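Review bot: The cancel control in the view hunk passes `html: { method: :get }` to `govuk_button_link_to`, which renders a plain anchor; that option appears to be passed straight through as link attributes rather than selecting an HTTP method, so it is dead weight and the line can be reduced to `<%= govuk_button_link_to "Cancel", user_path(@user), secondary: true %>`. The file also ends without a trailing newline (`\ No newline at end of file`), which most linters in a Rails repo will flag. Note that the extracted hunk has lost its surrounding markup tags, so the wrapper structure could not be reviewed here.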
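Review bot: None of the spec hunks (the three here nor the support-user one that follows) send a request to the new `DELETE /users/:id/delete` route, so `UserPolicy#delete?` and the controller's `delete` action have no coverage for any role even though that is the destructive half of the feature. Mirror each `describe "#delete-confirmation"` block with a `describe "#delete"` that issues `delete "/users/#{user.id}/delete"` and asserts the same redirect or `have_http_status(:unauthorized)` outcome for the signed-out, data provider and data coordinator contexts. The enclosing `RSpec.describe` and each `context` block start outside these hunks.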
@@ -2018,6 +2049,41 @@ RSpec.describe UsersController, type: :request do
         end
       end
     end
+
+    describe "#delete-confirmation" do
+      before do
+        allow(user).to receive(:need_two_factor_authentication?).and_return(false)
+        sign_in user
+        get "/users/#{other_user.id}/delete-confirmation"
+      end
+
+      it "shows the correct title" do
+        expect(page.find("h1").text).to include "Are you sure you want to delete this user?"
+      end
+
+      it "shows a warning to the user" do
+        expect(page).to have_selector(".govuk-warning-text", text: "You will not be able to undo this action")
+      end
+
+      it "shows a button to delete the selected user" do
+        expect(page).to have_selector("form.button_to button", text: "Delete this user")
+      end
+
+      it "the delete user button submits the correct data to the correct path" do
+        form_containing_button = page.find("form.button_to")
+
+        expect(form_containing_button[:action]).to eq delete_user_path(other_user)
+        expect(form_containing_button).to have_field "_method", type: :hidden, with: "delete"
+      end
+
+      it "shows a cancel link with the correct style" do
+        expect(page).to have_selector("a.govuk-button--secondary", text: "Cancel")
+      end
+
+      it "shows cancel link that links back to the user page" do
+        expect(page).to have_link(text: "Cancel", href: user_path(other_user))
+      end
+    end
   end
 
   describe "title link" do
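Review bot: The support-user examples only ever request `other_user`'s confirmation page, so whatever the intended outcome is when a support user opens the page for their own account (`get "/users/#{user.id}/delete-confirmation"`) is left unpinned, and the policy in this patch would currently allow it. Add one example for the self-targeting case stating the expected status explicitly, so a later change to `delete_confirmation?` cannot silently alter it. The `it "the delete user button submits the correct data to the correct path"` description also does not read as a sentence after `it`; `"submits a DELETE to the delete path for the selected user"` would match the surrounding example names. The enclosing `context` block starts outside this hunk.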