add deactivate page

app/controllers/users_controller.rb

@@ -80,6 +80,12 @@ class UsersController < ApplicationController
     render "devise/passwords/edit", locals: { resource: @user, resource_name: "user" }
   end
 
+  def deactivate
+    unless current_user != @user && (current_user.support? || current_user.data_coordinator?)
+      redirect_to user_path(@user)
+    end
+  end
+
 private
 
   def format_error_messages

app/views/users/deactivate.html.erb

@@ -0,0 +1,20 @@
+<% content_for :title, current_user == @user ? "Your account" : "#{@user.name.presence || @user.email}’s account" %>
+
+<div class="govuk-grid-row">
+    <%= form_with model: @user, url: user_path(@user), method: "post", local: true do |f| %>
+        <div class="govuk-grid-column-two-thirds-from-desktop"> 
+            <h1 class="govuk-heading-l">
+                <span class="govuk-caption-l"><%= @user.name %></span>
+                Are you sure you want to deactivate this user?
+            </h1>
+            <p>Deactivating this user will mean they can no longer access this service to submit CORE data.</p>
+            <p>Any logs this user has already submitted will not be affected.</p>
+            <input type="hidden" id="<%= @user.id %>" name="active" value=false>
+            <%= f.govuk_submit "I’m sure - deactivate this user" %>
+            <p class="govuk-body">
+                <%= govuk_link_to("No - I’ve changed my mind", user_path(@user)) %>
+            </p>
+        </div>
+    </div>
+    <% end %>
+</div>

config/routes.rb

@@ -60,7 +60,10 @@ Rails.application.routes.draw do
     get "edit/password", to: "users#edit_password"
   end
 
-  resources :users
+  resources :users do
+  end
+
+  get "/users/:id/deactivate", to: "users#deactivate"
 
   resources :organisations do
     member do

spec/requests/users_controller_spec.rb

@@ -111,6 +111,13 @@ RSpec.describe UsersController, type: :request do
         expect(CGI.unescape_html(response.body)).to include(expected_link)
       end
     end
+
+    describe "#deactivate" do
+      it "does not let you see deactivate page" do
+        get "/users/#{user.id}/deactivate", headers: headers, params: {}
+        expect(response).to redirect_to("/account/sign-in")
+      end
+    end
   end
 
   context "when user is signed in as a data provider" do
@@ -832,6 +839,36 @@ RSpec.describe UsersController, type: :request do
         expect(page).not_to have_field("user-role-support-field")
       end
     end
+
+    describe "#deactivate" do
+      before do
+        sign_in user
+      end
+
+      context "when the current user matches the user ID" do
+        before do
+          get "/users/#{user.id}/deactivate", headers: headers, params: {}
+        end
+
+        it "redirects user to user page" do
+          expect(response).to redirect_to("/users/#{user.id}")
+        end
+      end
+
+      context "when the current user does not match the user ID" do
+        before do
+          get "/users/#{other_user.id}/deactivate", headers: headers, params: {}
+        end
+
+        it "shows deactivation page with deactivate and cancel buttons for the user" do
+          expect(path).to include("/users/#{other_user.id}")
+          expect(page).to have_content(other_user.name)
+          expect(page).to have_content("Are you sure you want to deactivate this user?")
+          expect(page).to have_button("I’m sure - deactivate this user")
+          expect(page).to have_link("No - I’ve changed my mind", href: "/users/#{other_user.id}")
+        end
+      end
+    end
   end
 
   context "when user is signed in as a support user" do