feat: conistent danger zone delete flow

2026-02-25 15:09:37 +01:00 · 2026-02-25 15:09:37 +01:00 · 91cf7cca6a
commit 91cf7cca6a
parent e5a6003ace
19 changed files with 499 additions and 287 deletions
--- a/lib/mv_web/live/user_live/form.ex
+++ b/lib/mv_web/live/user_live/form.ex
@ -39,6 +39,7 @@ defmodule MvWeb.UserLive.Form do

  import MvWeb.LiveHelpers, only: [current_actor: 1, submit_form: 3]
  import MvWeb.Authorization, only: [can?: 3]
+  import MvWeb.ErrorHelpers, only: [format_ash_error: 1]

  @impl true
  def render(assigns) do
@ -281,6 +282,38 @@ defmodule MvWeb.UserLive.Form do
          </div>
        <% end %>

+        <%!-- Danger zone: canonical pattern (same as member form) --%>
+        <%= if @user && can?(@current_user, :destroy, @user) && !Mv.Helpers.SystemActor.system_user?(@user) do %>
+          <section class="mt-8 mb-6" aria-labelledby="danger-zone-heading">
+            <h2 id="danger-zone-heading" class="text-lg font-semibold mb-3 text-error">
+              {gettext("Danger zone")}
+            </h2>
+            <div class="border border-base-300 rounded-lg p-4 bg-base-100">
+              <p class="text-base-content/70 mb-4">
+                {gettext(
+                  "Deleting this user cannot be undone. The user account and any linked member association will be affected."
+                )}
+              </p>
+              <.button
+                type="button"
+                variant="danger"
+                phx-click="delete"
+                phx-value-id={@user.id}
+                data-confirm={
+                  gettext("Are you sure you want to delete the user %{email}? This action cannot be undone.",
+                    email: @user.email
+                  )
+                }
+                data-testid="user-delete"
+                aria-label={gettext("Delete user %{email}", email: @user.email)}
+              >
+                <.icon name="hero-trash" class="size-4" />
+                {gettext("Delete user")}
+              </.button>
+            </div>
+          </section>
+        <% end %>
+
        <div class="mt-4">
          <.button navigate={return_path(@return_to, @user)} variant="neutral">
            {gettext("Cancel")}
@ -404,6 +437,44 @@ defmodule MvWeb.UserLive.Form do
    end
  end

+  @impl true
+  def handle_event("delete", %{"id" => id}, socket) do
+    user = socket.assigns.user
+    actor = current_actor(socket)
+
+    if is_nil(user) do
+      {:noreply, put_flash(socket, :error, gettext("User not found"))}
+    else
+      if to_string(id) != to_string(user.id) do
+        {:noreply, put_flash(socket, :error, gettext("User not found"))}
+      else
+        if Mv.Helpers.SystemActor.system_user?(user) do
+          {:noreply,
+           put_flash(socket, :error, gettext("System user cannot be deleted."))}
+        else
+          case Ash.destroy(user, domain: Mv.Accounts, actor: actor) do
+            :ok ->
+              {:noreply,
+               socket
+               |> put_flash(:success, gettext("User deleted successfully"))
+               |> push_navigate(to: ~p"/users")}
+
+            {:error, %Ash.Error.Forbidden{}} ->
+              {:noreply,
+               put_flash(
+                 socket,
+                 :error,
+                 gettext("You do not have permission to delete this user")
+               )}
+
+            {:error, error} ->
+              {:noreply, put_flash(socket, :error, format_ash_error(error))}
+          end
+        end
+      end
+    end
+  end
+
  @impl true
  def handle_event("show_member_dropdown", _params, socket) do
    {:noreply, assign(socket, show_member_dropdown: true)}