Add delete confirmation page

2 years ago · fe7ad751dd
5 changed files with 108 additions and 0 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -122,6 +122,14 @@ class UsersController < ApplicationController
    end
  end

+  def delete_confirmation
+    authorize @user
+  end
+
+  def delete
+    authorize @user
+  end
+
 private

  def validate_attributes
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@ -33,4 +33,12 @@ class UserPolicy
      (@current_user == @user || @current_user.data_coordinator? || @current_user.support?) && @user.active?
    end
  end
+
+  def delete_confirmation?
+    current_user.support?
+  end
+
+  def delete?
+    current_user.support?
+  end
 end
--- a/app/views/users/delete_confirmation.html.erb
+++ b/app/views/users/delete_confirmation.html.erb
@ -0,0 +1,24 @@
+<% content_for :before_content do %>
+  <% content_for :title, "Are you sure you want to delete this user?" %>
+  <%= govuk_back_link(href: :back) %>
+<% end %>
+
+<div class="govuk-grid-row">
+  <div class="govuk-grid-column-two-thirds-from-desktop">
+    <span class="govuk-caption-xl">Delete <%= @user.name %></span>
+    <h1 class="govuk-heading-xl">
+      <%= content_for(:title) %>
+    </h1>
+
+    <%= govuk_warning_text(text: "You will not be able to undo this action.") %>
+
+    <div class="govuk-button-group">
+      <%= govuk_button_to(
+        "Delete this user",
+        delete_user_path(@user),
+        method: :delete,
+      ) %>
+      <%= govuk_button_link_to "Cancel", user_path(@user), html: { method: :get }, secondary: true %>
+    </div>
+  </div>
+</div>
--- a/config/routes.rb
+++ b/config/routes.rb
@ -129,6 +129,8 @@ Rails.application.routes.draw do
      get "deactivate", to: "users#deactivate"
      get "reactivate", to: "users#reactivate"
      post "resend-invite", to: "users#resend_invite"
+      get "delete-confirmation", to: "users#delete_confirmation"
+      delete "delete", to: "users#delete"
    end
  end

--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@ -103,6 +103,13 @@ RSpec.describe UsersController, type: :request do
        expect(response).to redirect_to(new_user_session_path)
      end
    end
+
+    describe "#delete-confirmation" do
+      it "redirects to the sign in page" do
+        get "/users/#{user.id}/delete-confirmation"
+        expect(response).to redirect_to("/account/sign-in")
+      end
+    end
  end

  context "when user is signed in as a data provider" do
@ -381,6 +388,18 @@ RSpec.describe UsersController, type: :request do
        expect(response).to have_http_status(:unauthorized)
      end
    end
+
+    describe "#delete-confirmation" do
+      before do
+        allow(user).to receive(:need_two_factor_authentication?).and_return(false)
+        sign_in user
+        get "/users/#{user.id}/delete-confirmation"
+      end
+
+      it "returns 401 unauthorized" do
+        expect(response).to have_http_status(:unauthorized)
+      end
+    end
  end

  context "when user is signed in as a data coordinator" do
@ -1162,6 +1181,18 @@ RSpec.describe UsersController, type: :request do
        end
      end
    end
+
+    describe "#delete-confirmation" do
+      before do
+        allow(user).to receive(:need_two_factor_authentication?).and_return(false)
+        sign_in user
+        get "/users/#{user.id}/delete-confirmation"
+      end
+
+      it "returns 401 unauthorized" do
+        expect(response).to have_http_status(:unauthorized)
+      end
+    end
  end

  context "when user is signed in as a support user" do
@ -2018,6 +2049,41 @@ RSpec.describe UsersController, type: :request do
        end
      end
    end
+
+    describe "#delete-confirmation" do
+      before do
+        allow(user).to receive(:need_two_factor_authentication?).and_return(false)
+        sign_in user
+        get "/users/#{other_user.id}/delete-confirmation"
+      end
+
+      it "shows the correct title" do
+        expect(page.find("h1").text).to include "Are you sure you want to delete this user?"
+      end
+
+      it "shows a warning to the user" do
+        expect(page).to have_selector(".govuk-warning-text", text: "You will not be able to undo this action")
+      end
+
+      it "shows a button to delete the selected user" do
+        expect(page).to have_selector("form.button_to button", text: "Delete this user")
+      end
+
+      it "the delete user button submits the correct data to the correct path" do
+        form_containing_button = page.find("form.button_to")
+
+        expect(form_containing_button[:action]).to eq delete_user_path(other_user)
+        expect(form_containing_button).to have_field "_method", type: :hidden, with: "delete"
+      end
+
+      it "shows a cancel link with the correct style" do
+        expect(page).to have_selector("a.govuk-button--secondary", text: "Cancel")
+      end
+
+      it "shows cancel link that links back to the user page" do
+        expect(page).to have_link(text: "Cancel", href: user_path(other_user))
+      end
+    end
  end

  describe "title link" do