From 74965c5c0e1361970128ceaee99c7f0a34df914e Mon Sep 17 00:00:00 2001
From: cryptogopher
Date: Wed, 3 May 2023 16:48:47 +0200
Subject: [PATCH] Only user can delete his profile
---
 app/assets/stylesheets/application.css | 11 +++++++++++
 app/controllers/users_controller.rb | 13 ++++++++-----
 app/views/users/index.html.erb | 9 +++------
 app/views/users/registrations/edit.html.erb | 11 +++++++++--
 config/locales/en.yml | 8 +++++---
 config/routes.rb | 2 +-
 test/system/users_test.rb | 17 +++++++++++++----
 7 files changed, 50 insertions(+), 21 deletions(-)
diff --git a/app/assets/stylesheets/application.css b/app/assets/stylesheets/application.css
index 28d662b..775b941 100644
--- a/app/assets/stylesheets/application.css
+++ b/app/assets/stylesheets/application.css
@@ -90,6 +90,9 @@ input:read-only:hover {
 .nav-menu .right .image-button {
 float: right;
 }
+.nav-menu .left .image-button {
+ float: left;
+}
 .nav-menu .tab-button {
 border: none;
 border-radius: 0;
@@ -131,6 +134,10 @@ input[type=submit]:hover {
 color: white;
 fill: white;
 }
+.image-button.dangerous:hover {
+ background-color: #ff1f5b;
+ border-color: #ff1f5b;
+}
 .image-button:focus-visible,
 .image-button.active:focus-visible,
 input[type=submit]:focus-visible {
@@ -142,6 +149,10 @@ input[type=submit]:hover:focus-visible {
 background-color: #006c9b;
 border-color: #006c9b;
 }
+.image-button.dangerous:hover:focus-visible {
+ background-color: #b21237;
+ border-color: #b21237;
+}
 
 .flashes {
 height: 2.1rem;
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 6938c94..54fd79c 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -1,17 +1,20 @@ class UsersController < ApplicationController before_action :find_user, only: [:destroy] before_action do - raise AccessForbidden unless (current_user == @user) || current_user.at_least(:admin) + raise AccessForbidden unless current_user.at_least(:admin) end def index @users = User.all end - def destroy - @user.destroy - redirect_to action: :index, notice: t(".success") - end + # TODO: add #show and #update to change user status + # TODO: remove admin dependent fields from registrations#edit and move them to + # #show + + # NOTE: limited actions availabe to :admin by design. Users are meant to + # manage their accounts by themselves through registrations. In future :admin + # may be allowed to sing-in as user and make changes there. private diff --git a/app/views/users/index.html.erb b/app/views/users/index.html.erb index 58bd82e..b597ae1 100644 --- a/app/views/users/index.html.erb +++ b/app/views/users/index.html.erb @@ -5,21 +5,18 @@ <%= User.human_attribute_name(:status).capitalize %> <%= User.human_attribute_name(:created_at).capitalize %> UTC <%= User.human_attribute_name(:confirmed_at).capitalize %> - <%= t :actions %> + <% @users.each do |user| %> - <%# TODO: add user edit link %> + <%# TODO: add user show link %> <%= user.email %> <%= user.status %> <%= user.created_at.to_fs(:db_without_sec) %> <%= svg_tag "pictograms/checkbox-marked-outline" if user.confirmed_at.present? %> - - <%= image_link_to t(:delete), "account-remove-outline", user_path(user), - data: { turbo: true, turbo_method: :delete } %> - + <% end %> diff --git a/app/views/users/registrations/edit.html.erb b/app/views/users/registrations/edit.html.erb index 6707cea..6ce52eb 100644 --- a/app/views/users/registrations/edit.html.erb +++ b/app/views/users/registrations/edit.html.erb @@ -1,6 +1,13 @@ <% content_for :navigation, flush: true do %> - <%= image_link_to t(:back), "arrow-left-bold-outline", - request.referer.present? ? :back : root_url %> +
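Review bot: `before_action :find_user, only: [:destroy]` at the top of the hunk is now dead code — the commit removes the destroy action and its route, so the callback never runs and nothing left in this controller reads `@user`; drop the line (and `find_user` below it, if it has no other caller) or retarget it to `:show` when that action lands, so a reader does not assume a destroy endpoint still exists. The simplified guard `raise AccessForbidden unless current_user.at_least(:admin)` now applies to every action, which is the intended hardening, but it dereferences `current_user` unconditionally — if ApplicationController does not already run Devise's authenticate_user! first, an anonymous request would fail with NoMethodError rather than AccessForbidden (not visible from this hunk). Two typos in the NOTE comment: `availabe` → `available` and `sing-in` → `sign-in`. UsersController's private section continues past the hunk.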
+ <%= image_link_to t(".back"), "arrow-left-bold-outline", + request.referer.present? ? :back : root_url %> +
+
+ <%= image_link_to t(".delete"), "account-remove-outline", user_registration_path, + class: "dangerous", + data: { turbo: true, turbo_method: :delete, turbo_confirm: t(".confirm_delete") } %> +
<% end %> <%= tabular_form_for resource, url: registration_path(resource), html: {method: :patch} do |f| %> diff --git a/config/locales/en.yml b/config/locales/en.yml index 2feca1a..21d0987 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -18,6 +18,10 @@ en: new: password_confirmation: Retype password edit: + back: Back + confirm_delete: Are you sure you want to delete profile? + All data will be irretrievably lost. + delete: Delete profile unconfirmed_email_hint: (since %{timestamp}) blank_password_hint_html: leave blank to keep unchanged%{subhint} minimum_length_hint_html: @@ -27,14 +31,12 @@ en: sessions: new: remember_me: Remember me - destroy: - success: User has been successfully deleted. layouts: application: users: Users actions: Actions - delete: Delete or: or + profile: Profile register: Register sign_in: Sign in sign_out: Sign out diff --git a/config/routes.rb b/config/routes.rb index dd5f718..5522cdd 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -2,7 +2,7 @@ Rails.application.routes.draw do devise_for :users, path: '', path_names: {registration: 'profile'}, controllers: {registrations: :registrations} - resources :users, only: [:index, :destroy] + resources :users, only: [:index] devise_scope :user do root to: "devise/sessions#new" diff --git a/test/system/users_test.rb b/test/system/users_test.rb index 9510237..3f86f5e 100644 --- a/test/system/users_test.rb +++ b/test/system/users_test.rb 
@@ -93,21 +93,30 @@ class UsersTest < ApplicationSystemTestCase
 end
 end
 
- test "delete user" do
+ test "show profile" do
 sign_in user: users.select(&:admin?).select(&:confirmed?).sample
 click_link t('layouts.application.users')
+ #all('tr').drop(1).sample.click_link t(:view)
+ end
+
+ test "destroy profile" do
+ sign_in user: users.select(&:confirmed?).sample
+ click_link t(:profile)
 assert_difference ->{ User.count }, -1 do
- all('tr').drop(1).sample.click_link t(:delete)
+ accept_confirm { click_link t('users.registrations.edit.delete') }
 end
 end
 
- test "users index forbidden for non admin" do
+ test "index forbidden for non admin" do
 sign_in user: users.reject(&:admin?).select(&:confirmed?).sample
 visit users_path
 assert has_no_link?t('layouts.application.users')
 assert_title "Access is forbidden to this page (403)"
 end
 
- test "update e-mail" do
+ test "update profile" do
+ end
+
+ test "update status forbidded for non admin" do
 end
 end
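Review bot: The new `show profile`, `update profile` and `update status forbidded for non admin` tests contain no assertions (the only line in show profile is commented out), so they pass vacuously and hide the missing coverage; mark each as pending until it has a body, e.g. `test "update profile" do skip end`, and fix the typo `forbidded` → `forbidden` in the test name. The commit's stated intent — only the user can delete their own profile — is tested only positively; a negative check that an admin can no longer remove another account (for instance asserting the users index offers no delete link) would pin the behaviour the routes change introduces. In `destroy profile` the sampled user is never kept, so the test can only assert that `User.count` dropped, not that the signed-in account is the one removed; `user = users.select(&:confirmed?).sample` followed by `assert_nil User.find_by(id: user.id)` after the assert_difference block is tighter. The UsersTest class opens before the hunk.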