fix user permissions save button sometimes deleting

when you hit the delete button, it flashes the delete button and takes
you to the `/service/../user/../delete` url. If you then click the save
button, it would make a POST to the delete URL... and delete the user.

now the page stays on the edit url, but adds a `?delete=yes` query
string. The dangerous flash banner now has an action field which
defines where the browser will make the POST to (which remains at
/delete).

tests/app/main/views/test_manage_users.py

@@ -879,63 +879,45 @@ def test_no_permission_manage_users_page(
     assert "Team members" not in resp_text
 
 
-def test_get_remove_user_from_service(
-    logged_in_client,
+def test_remove_user_from_service_redirects(
+    client_request,
     active_user_with_permissions,
-    mock_get_users_by_service,
     service_one,
+    mock_get_users_by_service,
+    mock_get_template_folders,
     mocker,
 ):
-    response = logged_in_client.get(
-        url_for(
-            'main.remove_user_from_service',
-            service_id=service_one['id'],
-            user_id=active_user_with_permissions.id))
-    assert response.status_code == 200
-    assert "Are you sure you want to remove" in response.get_data(as_text=True)
-    assert "Remove user from service" in response.get_data(as_text=True)
+    page = client_request.get(
+        'main.remove_user_from_service',
+        service_id=service_one['id'],
+        user_id=active_user_with_permissions.id,
+        _follow_redirects=True
+    )
+    banner = page.find('div', class_='banner-dangerous')
+    assert banner.contents[0].strip() == "Are you sure you want to remove Test User?"
+    assert banner.form.attrs['action'] == url_for(
+        'main.confirm_remove_user_from_service',
+        service_id=service_one['id'],
+        user_id=active_user_with_permissions.id
+    )
 
 
-def test_remove_user_from_service(
-    logged_in_client,
+def test_confirm_remove_user_from_service(
+    client_request,
     active_user_with_permissions,
     service_one,
-    mocker,
-    mock_get_users_by_service,
-    mock_get_user,
     mock_remove_user_from_service,
 ):
-    response = logged_in_client.post(
-        url_for(
-            'main.remove_user_from_service',
-            service_id=service_one['id'],
-            user_id=active_user_with_permissions.id))
-    assert response.status_code == 302
-    assert response.location == url_for(
-        'main.manage_users', service_id=service_one['id'], _external=True)
-    mock_remove_user_from_service.assert_called_once_with(service_one['id'],
-                                                          str(active_user_with_permissions.id))
-
-
-def test_can_remove_user_from_service_as_platform_admin(
-    logged_in_client,
-    service_one,
-    platform_admin_user,
-    active_user_with_permissions,
-    mock_get_users_by_service,
-    mock_remove_user_from_service,
-    mocker,
-):
-    response = logged_in_client.post(
-        url_for(
-            'main.remove_user_from_service',
-            service_id=service_one['id'],
-            user_id=active_user_with_permissions.id))
-    assert response.status_code == 302
-    assert response.location == url_for(
-        'main.manage_users', service_id=service_one['id'], _external=True)
-    mock_remove_user_from_service.assert_called_once_with(service_one['id'],
-                                                          str(active_user_with_permissions.id))
+    client_request.post(
+        'main.confirm_remove_user_from_service',
+        service_id=service_one['id'],
+        user_id=active_user_with_permissions.id,
+        _expected_redirect=url_for('main.manage_users', service_id=service_one['id'], _external=True)
+    )
+    mock_remove_user_from_service.assert_called_once_with(
+        service_one['id'],
+        str(active_user_with_permissions.id)
+    )
 
 
 def test_can_invite_user_as_platform_admin(