Only user can delete his profile

2023-05-03 16:48:47 +02:00 · 2023-05-03 16:48:47 +02:00 · 74965c5c0e
commit 74965c5c0e
parent 23b8c82602
7 changed files with 50 additions and 21 deletions
--- a/app/assets/stylesheets/application.css
+++ b/app/assets/stylesheets/application.css
@ -90,6 +90,9 @@ input:read-only:hover {
 .nav-menu .right .image-button {
  float: right;
 }
 .nav-menu .left .image-button {
  float: left;
 }
 .nav-menu .tab-button {
  border: none;
  border-radius: 0;
@ -131,6 +134,10 @@ input[type=submit]:hover {
  color: white;
  fill: white;
 }
 .image-button.dangerous:hover {
  background-color: #ff1f5b;
  border-color: #ff1f5b;
 }
 .image-button:focus-visible,
 .image-button.active:focus-visible,
 input[type=submit]:focus-visible {
@ -142,6 +149,10 @@ input[type=submit]:hover:focus-visible {
  background-color: #006c9b;
  border-color: #006c9b;
 }
 .image-button.dangerous:hover:focus-visible {
  background-color: #b21237;
  border-color: #b21237;
 }
 .flashes {
  height: 2.1rem;
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -1,17 +1,20 @@
 class UsersController < ApplicationController
  before_action :find_user, only: [:destroy]
  before_action do
-    raise AccessForbidden unless (current_user == @user) || current_user.at_least(:admin)
+    raise AccessForbidden unless current_user.at_least(:admin)
  end
  def index
    @users = User.all
  end
-  def destroy
+  # TODO: add #show and #update to change user status
-    @user.destroy
+  # TODO: remove admin dependent fields from registrations#edit and move them to
-    redirect_to action: :index, notice: t(".success")
+  # #show
-  end
+
  # NOTE: limited actions availabe to :admin by design. Users are meant to
  # manage their accounts by themselves through registrations. In future :admin
  # may be allowed to sing-in as user and make changes there.
  private
--- a/app/views/users/index.html.erb
+++ b/app/views/users/index.html.erb
@ -5,21 +5,18 @@
      <th><%= User.human_attribute_name(:status).capitalize %></th>
      <th><%= User.human_attribute_name(:created_at).capitalize %> <sup>UTC</sup></th>
      <th><%= User.human_attribute_name(:confirmed_at).capitalize %></th>
-      <th><%= t :actions %></th>
+      <!-- <th><%#= t :actions %></th> -->
    </tr>
    <% @users.each do |user| %>
      <tr>
-        <%# TODO: add user edit link %>
+        <%# TODO: add user show link %>
        <td><%= user.email %></td>
        <td><%= user.status %></td>
        <td><%= user.created_at.to_fs(:db_without_sec) %></td>
        <td class="svg">
          <%= svg_tag "pictograms/checkbox-marked-outline" if user.confirmed_at.present? %>
        </td>
-        <td class="actions">
+        <!-- <td class="actions"></td> -->
          <%= image_link_to t(:delete), "account-remove-outline", user_path(user),
                data: { turbo: true, turbo_method: :delete } %>
        </td>
      </tr>
    <% end %>
  </table>
--- a/app/views/users/registrations/edit.html.erb
+++ b/app/views/users/registrations/edit.html.erb
@ -1,6 +1,13 @@
 <% content_for :navigation, flush: true do %>
-  <%= image_link_to t(:back), "arrow-left-bold-outline",
+  <div class="left">
-        request.referer.present? ? :back : root_url %>
+    <%= image_link_to t(".back"), "arrow-left-bold-outline",
      request.referer.present? ? :back : root_url %>
  </div>
  <div class="right">
    <%= image_link_to t(".delete"), "account-remove-outline", user_registration_path,
      class: "dangerous",
      data: { turbo: true, turbo_method: :delete, turbo_confirm: t(".confirm_delete") } %>
  </div>
 <% end %>
 <%= tabular_form_for resource, url: registration_path(resource), html: {method: :patch} do |f| %>
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@ -18,6 +18,10 @@ en:
      new:
        password_confirmation: Retype password
      edit:
        back: Back
        confirm_delete: Are you sure you want to delete profile?
          All data will be irretrievably lost.
        delete: Delete profile
        unconfirmed_email_hint: (since %{timestamp})
        blank_password_hint_html: leave blank to keep unchanged%{subhint}
        minimum_length_hint_html:
@ -27,14 +31,12 @@ en:
    sessions:
      new:
        remember_me: Remember me
    destroy:
      success: User has been successfully deleted.
  layouts:
    application:
      users: Users
  actions: Actions
  delete: Delete
  or: or
  profile: Profile
  register: Register
  sign_in: Sign in
  sign_out: Sign out
--- a/config/routes.rb
+++ b/config/routes.rb
@ -2,7 +2,7 @@ Rails.application.routes.draw do
  devise_for :users, path: '', path_names: {registration: 'profile'},
    controllers: {registrations: :registrations}
-  resources :users, only: [:index, :destroy]
+  resources :users, only: [:index]
  devise_scope :user do
    root to: "devise/sessions#new"
--- a/test/system/users_test.rb
+++ b/test/system/users_test.rb
@ -93,21 +93,30 @@ class UsersTest < ApplicationSystemTestCase
    end
  end
-  test "delete user" do
+  test "show profile" do
    sign_in user: users.select(&:admin?).select(&:confirmed?).sample
    click_link t('layouts.application.users')
    #all('tr').drop(1).sample.click_link t(:view)
  end
  test "destroy profile" do
    sign_in user: users.select(&:confirmed?).sample
    click_link t(:profile)
    assert_difference ->{ User.count }, -1 do
-      all('tr').drop(1).sample.click_link t(:delete)
+      accept_confirm { click_link t('users.registrations.edit.delete') }
    end
  end
-  test "users index forbidden for non admin" do
+  test "index forbidden for non admin" do
    sign_in user: users.reject(&:admin?).select(&:confirmed?).sample
    visit users_path
    assert has_no_link?t('layouts.application.users')
    assert_title "Access is forbidden to this page (403)"
  end
-  test "update e-mail" do
+  test "update profile" do
  end
  test "update status forbidded for non admin" do
  end
 end