diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index b0f279cdb..fdb5a3434 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -80,6 +80,12 @@ class UsersController < ApplicationController render "devise/passwords/edit", locals: { resource: @user, resource_name: "user" } end + def deactivate + unless current_user != @user && (current_user.support? || current_user.data_coordinator?) + redirect_to user_path(@user) + end + end + private def format_error_messages diff --git a/app/views/users/deactivate.html.erb b/app/views/users/deactivate.html.erb new file mode 100644 index 000000000..57a0dbcb0 --- /dev/null +++ b/app/views/users/deactivate.html.erb @@ -0,0 +1,20 @@ +<% content_for :title, current_user == @user ? "Your account" : "#{@user.name.presence || @user.email}’s account" %> + +
+ <%= form_with model: @user, url: user_path(@user), method: "post", local: true do |f| %> +
+

+ <%= @user.name %> + Are you sure you want to deactivate this user? +

+

Deactivating this user will mean they can no longer access this service to submit CORE data.

+

Any logs this user has already submitted will not be affected.

+ + <%= f.govuk_submit "I’m sure - deactivate this user" %> +

+ <%= govuk_link_to("No - I’ve changed my mind", user_path(@user)) %> +

+
+
+ <% end %> + diff --git a/config/routes.rb b/config/routes.rb index 33c9f0a9a..587621749 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -60,7 +60,10 @@ Rails.application.routes.draw do get "edit/password", to: "users#edit_password" end - resources :users + resources :users do + end + + get "/users/:id/deactivate", to: "users#deactivate" resources :organisations do member do diff --git a/spec/requests/users_controller_spec.rb b/spec/requests/users_controller_spec.rb index ca82fb7b6..6637b5040 100644 --- a/spec/requests/users_controller_spec.rb +++ b/spec/requests/users_controller_spec.rb @@ -111,6 +111,13 @@ RSpec.describe UsersController, type: :request do expect(CGI.unescape_html(response.body)).to include(expected_link) end end + + describe "#deactivate" do + it "does not let you see deactivate page" do + get "/users/#{user.id}/deactivate", headers: headers, params: {} + expect(response).to redirect_to("/account/sign-in") + end + end end context "when user is signed in as a data provider" do @@ -832,6 +839,36 @@ RSpec.describe UsersController, type: :request do expect(page).not_to have_field("user-role-support-field") end end + + describe "#deactivate" do + before do + sign_in user + end + + context "when the current user matches the user ID" do + before do + get "/users/#{user.id}/deactivate", headers: headers, params: {} + end + + it "redirects user to user page" do + expect(response).to redirect_to("/users/#{user.id}") + end + end + + context "when the current user does not match the user ID" do + before do + get "/users/#{other_user.id}/deactivate", headers: headers, params: {} + end + + it "shows deactivation page with deactivate and cancel buttons for the user" do + expect(path).to include("/users/#{other_user.id}") + expect(page).to have_content(other_user.name) + expect(page).to have_content("Are you sure you want to deactivate this user?") + expect(page).to have_button("I’m sure - deactivate this user") + expect(page).to have_link("No - I’ve changed my mind", href: "/users/#{other_user.id}") + end + end + end end context "when user is signed in as a support user" do