Merge pull request #2131 from unboxed/deactivate_global_users

Allow to deactivate users at global config
unboxed · Jan 27, 2025 · 8f05155 · 8f05155
2 parents f6b88e2 + 8c5ec77
commit 8f05155
Show file tree

Hide file tree

Showing 7 changed files with 129 additions and 5 deletions.
diff --git a/engines/bops_config/app/controllers/bops_config/users_controller.rb b/engines/bops_config/app/controllers/bops_config/users_controller.rb
@@ -4,7 +4,7 @@ module BopsConfig
   class UsersController < ApplicationController
     before_action :set_users, only: %i[index]
     before_action :build_user, only: %i[new create]
-    before_action :set_user, only: %i[edit update resend_invite]
+    before_action :set_user, only: %i[edit update resend_invite destroy reactivate]
 
     def index
       respond_to do |format|
@@ -48,6 +48,30 @@ def update
       end
     end
 
+    def destroy
+      respond_to do |format|
+        if @user.discard
+          format.html do
+            redirect_to users_path, notice: t(".success")
+          end
+        else
+          format.html { render :edit }
+        end
+      end
+    end
+
+    def reactivate
+      respond_to do |format|
+        if @user.undiscard
+          format.html do
+            redirect_to users_path, notice: t(".success")
+          end
+        else
+          format.html { render :edit }
+        end
+      end
+    end
+
     def resend_invite
       respond_to do |format|
         if @user.send_confirmation_instructions

diff --git a/engines/bops_config/app/views/bops_config/users/_form.html.erb b/engines/bops_config/app/views/bops_config/users/_form.html.erb
@@ -15,5 +15,16 @@
   <div class="govuk-button-group">
     <%= form.govuk_submit(t(".submit")) %>
     <%= back_link %>
+    <% if @user.persisted? && @user != current_user %>
+      <% if @user.discarded? %>
+        <%= govuk_button_link_to("Reactivate user", reactivate_user_path(@user),
+              warning: true,
+              method: :patch, data: {confirm: "Are you sure?"}) %>
+      <% else %>
+        <%= govuk_button_link_to("Deactivate user", user_path(@user),
+              warning: true,
+              method: :delete, data: {confirm: "Are you sure?"}) %>
+      <% end %>
+    <% end %>
   </div>
 <% end %>
diff --git a/engines/bops_config/app/views/bops_config/users/_table.html.erb b/engines/bops_config/app/views/bops_config/users/_table.html.erb
@@ -4,6 +4,9 @@
     <th scope="col" class="govuk-table__header">User details</th>
     <th scope="col" class="govuk-table__header">2FA set up</th>
     <th scope="col" class="govuk-table__header">2FA method</th>
+    <% if local_assigns[:deactivated] %>
+      <th scope="col" class="govuk-table__header">Deactivation date</th>
+    <% end %>
   </tr>
   </thead>
   <tbody class="govuk-table__body">
@@ -25,6 +28,11 @@
       <td class="govuk-table__cell">
         <%= t(".#{user.otp_delivery_method}") %>
       </td>
+      <% if local_assigns[:deactivated] %>
+        <td class="govuk-table__cell">
+          Deactivated at <%= user.deactivated_at.to_fs %>
+        </td>
+      <% end %>
     </tr>
   <% end %>
   </tbody>

diff --git a/engines/bops_config/app/views/bops_config/users/index.html.erb b/engines/bops_config/app/views/bops_config/users/index.html.erb
@@ -7,7 +7,7 @@
 <% content_for :title, t(".users") %>
 
 <% if @users.any?(&:unconfirmed?) %>
-  <%= render("status_prompt", users: @users.select(&:unconfirmed?)) %>
+  <%= render("status_prompt", users: @users.unconfirmed) %>
 <% end %>
 
 <div class="govuk-grid-row">
@@ -27,12 +27,20 @@
             Unconfirmed
           </a>
         </li>
+        <li class="govuk-tabs__list-item">
+          <a class="govuk-tabs__tab" href="#deactivated">
+            Deactivated
+          </a>
+        </li>
       </ul>
       <div class="govuk-tabs__panel govuk-tabs__panel" id="confirmed">
-        <%= render("table", users: @users.select(&:confirmed?)) %>
+        <%= render("table", users: @users.confirmed) %>
       </div>
       <div class="govuk-tabs__panel govuk-tabs__panel" id="unconfirmed">
-        <%= render("table", users: @users.select(&:unconfirmed?)) %>
+        <%= render("table", users: @users.unconfirmed) %>
+      </div>
+      <div class="govuk-tabs__panel govuk-tabs__panel" id="deactivated">
+        <%= render("table", users: @users.discarded, deactivated: true) %>
       </div>
     </div>
     <div class="govuk-button-group">

diff --git a/engines/bops_config/config/locales/en.yml b/engines/bops_config/config/locales/en.yml
@@ -464,6 +464,8 @@ en:
     users:
       create:
         user_successfully_created: User successfully created
+      destroy:
+        success: User successfully deactivated
       edit:
         edit_user: Edit user
       form:
@@ -475,6 +477,8 @@ en:
         users: Manage global admin users
       new:
         add_user: Add a new user
+      reactivate:
+        success: User successfully reactivated
       resend_invite:
         confirmation_failed_to_resend: Unable to send a reminder email - please contact support
         confirmation_resent: User will receive a reminder email

diff --git a/engines/bops_config/config/routes.rb b/engines/bops_config/config/routes.rb
@@ -42,7 +42,8 @@
     end
   end
 
-  resources :users, except: %i[show destroy] do
+  resources :users, except: %i[show] do
     get :resend_invite, on: :member
+    patch :reactivate, on: :member
   end
 end
diff --git a/engines/bops_config/spec/system/users_spec.rb b/engines/bops_config/spec/system/users_spec.rb
@@ -25,6 +25,17 @@
     expect(page).to have_no_field("Role")
   end
 
+  it "does not allow a user to update own role" do
+    click_link "Users"
+
+    within("#confirmed tbody tr:nth-child(1)") do
+      expect(page).to have_content("Clark Kent")
+      click_link("Edit user")
+    end
+
+    expect(page).to have_no_field("Role")
+  end
+
   it "allows adding a new user" do
     click_link "Users"
     expect(page).to have_selector("h1", text: "Manage global admin users")
@@ -227,4 +238,61 @@
       expect(last_email.body).to include("http://config.bops.services/users/password/edit?reset_password_token=")
     end
   end
+
+  context "when there are deactivated users", :capybara do
+    before do
+      create(:user, :global_administrator, local_authority: nil, name: "Dieter Waldbeck")
+      create(:user, :global_administrator, local_authority: nil, name: "Andrea Khan", deactivated_at: 1.day.ago)
+    end
+
+    it "lists the deactivated users" do
+      click_link "Users"
+
+      click_link "Deactivated"
+
+      within("#deactivated table.govuk-table") do
+        expect(page).to have_selector("tr:nth-child(1)", text: "Andrea Khan")
+        # only testing for the date, not the time, to avoid a race condition if the minute ticks over
+        expect(page).to have_selector("tr:nth-child(1)", text: "Deactivated at #{1.day.ago.to_date.to_fs}")
+      end
+    end
+
+    it "allows reactivating the deactivated users" do
+      click_link "Users"
+
+      click_link "Deactivated"
+
+      within("#deactivated table.govuk-table") do
+        click_on "Edit user"
+      end
+
+      accept_confirm do
+        click_on "Reactivate"
+      end
+
+      expect(page).to have_text("User successfully reactivated")
+      within("#confirmed table.govuk-table") do
+        expect(page).to have_selector("tr:nth-child(1)", text: "Andrea Khan")
+      end
+    end
+  end
+
+  context "when user account is deactivated", :capybara do
+    let(:deactivated_user) { create(:user, :global_administrator, local_authority: nil, deactivated_at: 1.day.ago) }
+
+    before do
+      sign_out(user)
+    end
+
+    it "can't sign in" do
+      click_link "Users"
+
+      fill_in("user[email]", with: deactivated_user.email)
+      fill_in("user[password]", with: deactivated_user.password)
+      click_button("Log in")
+
+      expect(page).to have_text("Invalid Email or password.")
+      expect(page).not_to have_text("Signed in successfully.")
+    end
+  end
 end