Merge pull request #2559 from alphagov/split-out-resending-signup-ema…

…il-from-edit-user-page

 Add separate page for resending signup email for another user

app/controllers/invitations_controller.rb

@@ -1,7 +1,7 @@
 # https://raw.github.com/scambra/devise_invitable/master/app/controllers/devise/invitations_controller.rb
 class InvitationsController < Devise::InvitationsController
-  before_action :authenticate_inviter!, only: %i[new create resend]
-  after_action :verify_authorized, only: %i[new create resend]
+  before_action :authenticate_inviter!, only: %i[new create]
+  after_action :verify_authorized, only: %i[new create]
 
   before_action :redirect_if_invitee_already_exists, only: :create
   before_action :configure_permitted_parameters, only: :create
@@ -49,15 +49,6 @@ def destroy
   end
   # rubocop:enable Lint/UselessMethodDefinition
 
-  def resend
-    user = User.find(params[:id])
-    authorize user
-
-    user.invite!
-    flash[:notice] = "Resent account signup email to #{user.email}"
-    redirect_to users_path
-  end
-
 private
 
   def after_invite_path_for(_)

app/controllers/users/invitation_resends_controller.rb

@@ -0,0 +1,34 @@
+class Users::InvitationResendsController < ApplicationController
+  layout "admin_layout"
+
+  before_action :authenticate_user!
+  before_action :load_user
+  before_action :authorize_user
+  before_action :redirect_if_invitation_already_accepted
+
+  def edit; end
+
+  def update
+    @user.invite!(current_user)
+    EventLog.record_account_invitation(@user, current_user)
+    flash[:notice] = "Resent account signup email to #{@user.email}"
+    redirect_to edit_user_path(@user)
+  end
+
+private
+
+  def load_user
+    @user = User.find(params[:user_id])
+  end
+
+  def authorize_user
+    authorize(@user, :resend_invitation?)
+  end
+
+  def redirect_if_invitation_already_accepted
+    unless @user.invited_but_not_yet_accepted?
+      flash[:notice] = "Invitation for #{@user.email} has already been accepted"
+      redirect_to edit_user_path(@user)
+    end
+  end
+end

app/models/user.rb

@@ -152,10 +152,6 @@ def generate_uid
     self.uid ||= UUID.generate
   end
 
-  def invited_but_not_accepted
-    !invitation_sent_at.nil? && invitation_accepted_at.nil?
-  end
-
   def permissions_for(application)
     application_permissions
       .joins(:supported_permission)

app/policies/user_policy.rb

@@ -31,7 +31,7 @@ def edit?
   alias_method :update?, :edit?
   alias_method :unlock?, :edit?
   alias_method :suspension?, :edit?
-  alias_method :resend?, :edit?
+  alias_method :resend_invitation?, :edit?
   alias_method :event_logs?, :edit?
   alias_method :mandate_2sv?, :edit?
   alias_method :require_2sv?, :edit?

app/views/users/edit.html.erb

@@ -8,15 +8,17 @@
   <%= link_to "#{@user.suspended? ? "Uns" : "S"}uspend user", edit_suspension_path(@user) %>
 </p>
 
-<% if @user.invited_but_not_accepted %>
-  <div class="alert alert-warning">
-    <strong>Invitation not accepted yet</strong>.<br/>
-    This user hasn't clicked on the link in their signup mail yet.
-
-    <%= form_tag resend_user_invitation_path(@user) do %>
-      <%= submit_tag "Resend signup email", class: "btn btn-default add-top-margin" %>
-    <% end %>
-  </div>
+<% if policy(@user).resend_invitation? %>
+  <% if @user.invited_but_not_yet_accepted? %>
+    <div class="alert alert-warning">
+      <strong>Invitation not accepted yet</strong>.<br/>
+      This user hasn't clicked on the link in their signup mail yet.
+
+      <p>
+        <%= link_to "Resend signup email", edit_user_invitation_resend_path(@user) %>
+      </p>
+    </div>
+  <% end %>
 <% end %>
 
 <% if @user.access_locked? %>

app/views/users/invitation_resends/edit.html.erb

@@ -0,0 +1,42 @@
+<% content_for :title_caption, "Manage other users" %>
+<% content_for :title, "Resend signup email for #{@user.name}" %>
+
+<% content_for :breadcrumbs,
+   render("govuk_publishing_components/components/breadcrumbs", {
+     collapse_on_mobile: true,
+     breadcrumbs: [
+       {
+         title: "Dashboard",
+         url: root_path,
+       },
+       {
+         title: "Users",
+         url: users_path,
+       },
+       {
+         title: @user.name,
+         url: edit_user_path(@user),
+       },
+       {
+         title: "Resend signup email",
+       }
+     ]
+   })
+%>
+
+<div class="govuk-grid-row">
+  <div class="govuk-grid-column-two-thirds">
+    <%= form_for @user, url: user_invitation_resend_path(@user) do %>
+      <%= render "govuk_publishing_components/components/hint", {
+        text: "Invitation not accepted. This user hasn't clicked on the link in their signup mail yet."
+      } %>
+
+      <div class="govuk-button-group">
+        <%= render "govuk_publishing_components/components/button", {
+          text: "Resend signup email",
+        } %>
+        <%= link_to "Cancel", edit_user_path(@user), class: "govuk-link govuk-link--no-visited-state" %>
+      </div>
+    <% end %>
+  </div>
+</div>

config/routes.rb

@@ -22,7 +22,6 @@
              }
 
   devise_scope :user do
-    post "/users/invitation/resend/:id" => "invitations#resend", :as => "resend_user_invitation"
     put "/users/confirmation" => "confirmations#update"
     resource :two_step_verification_session,
              only: %i[new create],
@@ -51,6 +50,7 @@
     resource :organisation, only: %i[edit update], controller: "users/organisations"
     resource :two_step_verification_reset, only: %i[edit update], controller: "users/two_step_verification_resets"
     resource :two_step_verification_mandation, only: %i[edit update], controller: "users/two_step_verification_mandations"
+    resource :invitation_resend, only: %i[edit update], controller: "users/invitation_resends"
   end
   get "user", to: "oauth_users#show"
 

test/controllers/invitations_controller_test.rb

@@ -489,71 +489,6 @@ class InvitationsControllerTest < ActionController::TestCase
     end
   end
 
-  context "POST resend" do
-    setup do
-      @user_to_resend_for = create(:user)
-    end
-
-    context "when inviter is signed in as a superadmin" do
-      setup do
-        sign_in create(:superadmin_user)
-      end
-
-      should "resend account signup email to invitee" do
-        User.any_instance.expects(:invite!).once
-
-        post :resend, params: { id: @user_to_resend_for }
-
-        assert_redirected_to users_path
-      end
-    end
-
-    context "when inviter is signed in as a normal (non-admin) user" do
-      setup do
-        sign_in create(:user)
-      end
-
-      should "disallow access" do
-        post :resend, params: { id: @user_to_resend_for }
-
-        assert_not_authorised
-      end
-    end
-
-    context "when inviter is signed in as an organisation admin" do
-      setup do
-        sign_in create(:organisation_admin_user)
-      end
-
-      should "disallow access" do
-        post :resend, params: { id: @user_to_resend_for }
-
-        assert_not_authorised
-      end
-    end
-
-    context "when inviter is signed in as a super organisation admin" do
-      setup do
-        sign_in create(:super_organisation_admin_user)
-      end
-
-      should "disallow access" do
-        post :resend, params: { id: @user_to_resend_for }
-
-        assert_not_authorised
-      end
-    end
-
-    context "when inviter is not signed in" do
-      should "require inviter to be signed in" do
-        user_to_resend_for = create(:user)
-        post :resend, params: { id: user_to_resend_for }
-
-        assert_not_authenticated
-      end
-    end
-  end
-
   context "GET edit" do
     setup do
       @invitee = User.invite!(attributes_for(:user))