Let users on email auth delete their mobile numbers

Sometimes users ask us to delete their mobile numbers for them. If those users are on email auth, they should be able to delete their number themselves. This will save them writing a support ticket and save us going into the database.
2026-02-06 03:13:42 -05:00 · 2022-02-23 18:31:00 +00:00
parent 9f45e4c5be
commit e1d1c5c3f5
3 changed files with 88 additions and 3 deletions
--- a/app/main/views/user_profile.py
+++ b/app/main/views/user_profile.py
@@ -118,22 +118,43 @@ def user_profile_email_confirm(token):


@main.route("/user-profile/mobile-number", methods=['GET', 'POST'])
+@main.route(
+    "/user-profile/mobile-number/delete",
+    methods=['GET'],
+    endpoint="user_profile_confirm_delete_mobile_number"
+)
@user_is_logged_in
 def user_profile_mobile_number():

+    user = User.from_id(current_user.id)
    form = ChangeMobileNumberForm(mobile_number=current_user.mobile_number)

    if form.validate_on_submit():
        session[NEW_MOBILE] = form.mobile_number.data
        return redirect(url_for('.user_profile_mobile_number_authenticate'))

+    if (request.endpoint == "main.user_profile_confirm_delete_mobile_number"):
+        flash("Are you sure you want to delete your mobile number from Notify?", 'delete')
+
    return render_template(
        'views/user-profile/change.html',
        thing='mobile number',
-        form_field=form.mobile_number
+        form_field=form.mobile_number,
+        user_auth=user.auth_type
    )


+@main.route("/user-profile/mobile-number/delete", methods=['POST'])
+@user_is_logged_in
+def user_profile_mobile_number_delete():
+    if current_user.auth_type == 'sms_auth':
+        abort(403)
+
+    current_user.update(mobile_number=None)
+
+    return redirect(url_for('.user_profile'))
+
+
@main.route("/user-profile/mobile-number/authenticate", methods=['GET', 'POST'])
@user_is_logged_in
 def user_profile_mobile_number_authenticate():
--- a/app/templates/views/user-profile/change.html
+++ b/app/templates/views/user-profile/change.html
@@ -20,9 +20,20 @@
    <div class="govuk-grid-column-three-quarters">
      {% call form_wrapper() %}
        {{ form_field(error_message_with_html=True) }}
-        {{ page_footer('Save') }}
+        {% if current_user.auth_type == 'email_auth' %}
+          {{ page_footer(
+            'Save',
+            delete_link=url_for(
+              'main.user_profile_mobile_number_delete',
+              user_id=current_user.id
+            ),
+            delete_link_text='Delete your number'
+            )
+          }}
+        {% else %}
+          {{ page_footer('Save')}}
+        {% endif %}
      {% endcall %}
    </div>
  </div>
-
 {% endblock %}
--- a/tests/app/main/views/test_user_profile.py
+++ b/tests/app/main/views/test_user_profile.py
@@ -183,6 +183,59 @@ def test_should_show_mobile_number_page(
 ):
    page = client_request.get(('main.user_profile_mobile_number'))
    assert 'Change your mobile number' in page.text
+    assert 'Delete your number' not in page.text
+
+
+def test_change_your_mobile_number_page_shows_delete_link_if_user_on_email_auth(
+    client_request,
+    api_user_active_email_auth,
+    mocker
+):
+    mocker.patch('app.user_api_client.get_user', return_value=api_user_active_email_auth)
+    page = client_request.get(('main.user_profile_mobile_number'))
+    assert 'Change your mobile number' in page.text
+    assert 'Delete your number' in page.text
+
+
+def test_confirm_delete_mobile_number(
+    client_request,
+    api_user_active_email_auth,
+    mocker
+):
+    mocker.patch('app.user_api_client.get_user', return_value=api_user_active_email_auth)
+
+    page = client_request.get(
+        '.user_profile_confirm_delete_mobile_number',
+        _test_page_title=False,
+    )
+
+    assert normalize_spaces(page.select_one('.banner-dangerous').text) == (
+        'Are you sure you want to delete your mobile number from Notify? '
+        'Yes, delete'
+    )
+    assert 'action' not in page.select_one('.banner-dangerous form')
+    assert page.select_one('.banner-dangerous form')['method'] == 'post'
+
+
+def test_delete_mobile_number(
+    client_request,
+    api_user_active_email_auth,
+    mocker
+):
+    mocker.patch('app.user_api_client.get_user', return_value=api_user_active_email_auth)
+    mock_delete = mocker.patch('app.user_api_client.update_user_attribute')
+
+    client_request.post(
+        '.user_profile_mobile_number_delete',
+        _expected_redirect=url_for(
+            '.user_profile',
+            _external=True,
+        )
+    )
+    mock_delete.assert_called_once_with(
+        api_user_active_email_auth["id"],
+        mobile_number=None
+    )


@pytest.mark.parametrize('phone_number_to_register_with', [