fix user permissions save button sometimes deleting

when you hit the delete button, it flashes the delete button and takes you to the `/service/../user/../delete` url. If you then click the save button, it would make a POST to the delete URL... and delete the user. now the page stays on the edit url, but adds a `?delete=yes` query string. The dangerous flash banner now has an action field which defines where the browser will make the POST to (which remains at /delete).
2026-05-30 02:50:03 -04:00 · 2019-03-14 17:31:51 +00:00
parent 37d12d3aa3
commit f7f9dd8530
5 changed files with 82 additions and 83 deletions
--- a/app/main/views/manage_users.py
+++ b/app/main/views/manage_users.py
@@ -123,41 +123,43 @@ def edit_user_permissions(service_id, user_id):
        user=user,
        form=form,
        service_has_email_auth=service_has_email_auth,
-        mobile_number=mobile_number
+        mobile_number=mobile_number,
+        delete=request.args.get('delete'),
    )


-@main.route("/services/<service_id>/users/<user_id>/delete", methods=['GET', 'POST'])
+@main.route("/services/<service_id>/users/<user_id>/delete", methods=['GET'])
@login_required
@user_has_permissions('manage_service')
 def remove_user_from_service(service_id, user_id):
-    user = current_service.get_team_member(user_id)
-    form = PermissionsForm.from_user(user, service_id)
+    return redirect(url_for(
+        '.edit_user_permissions',
+        service_id=service_id,
+        user_id=user_id,
+        delete='yes'
+    ))

-    if request.method == 'POST':
-        try:
-            service_api_client.remove_user_from_service(service_id, user_id)
-        except HTTPError as e:
-            msg = "You cannot remove the only user for a service"
-            if e.status_code == 400 and msg in e.message:
-                flash(msg, 'info')
-                return redirect(url_for(
-                    '.manage_users',
-                    service_id=service_id))
-            else:
-                abort(500, e)

-        return redirect(url_for(
-            '.manage_users',
-            service_id=service_id
-        ))
+@main.route("/services/<service_id>/users/<user_id>/delete", methods=['POST'])
+@login_required
+@user_has_permissions('manage_service')
+def confirm_remove_user_from_service(service_id, user_id):
+    try:
+        service_api_client.remove_user_from_service(service_id, user_id)
+    except HTTPError as e:
+        msg = "You cannot remove the only user for a service"
+        if e.status_code == 400 and msg in e.message:
+            flash(msg, 'info')
+            return redirect(url_for(
+                '.manage_users',
+                service_id=service_id))
+        else:
+            abort(500, e)

-    flash('Are you sure you want to remove {}?'.format(user.name), 'remove')
-    return render_template(
-        'views/edit-user-permissions.html',
-        user=user,
-        form=form
-    )
+    return redirect(url_for(
+        '.manage_users',
+        service_id=service_id
+    ))


@main.route("/services/<service_id>/users/<uuid:user_id>/edit-email", methods=['GET', 'POST'])