espoo-dev · mattfeg · May 19, 2025 · May 9, 2025 · May 9, 2025 · May 13, 2025
diff --git a/app/controllers/api/v1/users_controller.rb b/app/controllers/api/v1/users_controller.rb
@@ -11,6 +11,18 @@ def index
         render json: users, status: :ok
       end
 
+      def destroy_self
+        authorize(current_user)
+
+        result = Users::DestroySelf.result(user: current_user, password: confirmation_password)
+
+        if result.success?
+          render json: { message: "Account deleted successfully" }, status: :ok
+        else
+          render json: { error: "Unable to delete account. Error: #{result.error}" }, status: :unprocessable_entity
+        end
+      end
+
       private
 
       def page
@@ -20,6 +32,10 @@ def page
       def per_page
         params[:per_page]
       end
+
+      def confirmation_password
+        params[:password]
+      end
     end
   end
 end
diff --git a/app/models/health_insurance.rb b/app/models/health_insurance.rb
@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 class HealthInsurance < ApplicationRecord
+  acts_as_paranoid
+
   belongs_to :user, optional: true
 
   has_many :event_procedures, dependent: :destroy

diff --git a/app/models/hospital.rb b/app/models/hospital.rb
@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 class Hospital < ApplicationRecord
+  acts_as_paranoid
+
   has_many :event_procedures, dependent: :destroy
 
   validates :name, presence: true

diff --git a/app/models/medical_shift.rb b/app/models/medical_shift.rb
@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 class MedicalShift < ApplicationRecord
+  acts_as_paranoid
+
   has_enumeration_for :workload, with: MedicalShifts::Workloads, create_helpers: true
 
   monetize :amount

diff --git a/app/models/patient.rb b/app/models/patient.rb
@@ -1,7 +1,9 @@
 # frozen_string_literal: true
 
 class Patient < ApplicationRecord
-  has_many :event_procedures, dependent: :restrict_with_exception
+  acts_as_paranoid
+
+  has_many :event_procedures, dependent: :destroy
   belongs_to :user
 
   validates :name, presence: true

diff --git a/app/models/procedure.rb b/app/models/procedure.rb
@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 class Procedure < ApplicationRecord
+  acts_as_paranoid
+
   monetize :amount
 
   belongs_to :user, optional: true

diff --git a/app/models/user.rb b/app/models/user.rb
@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 class User < ApplicationRecord
+  acts_as_paranoid
+
   # Include default devise modules. Others available are:
   # :lockable, :timeoutable, :trackable and :omniauthable
   devise :database_authenticatable, :registerable,

diff --git a/app/operations/users/destroy_self.rb b/app/operations/users/destroy_self.rb
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Users
+  class DestroySelf < Actor
+    input :user, type: User
+    input :password, type: String
+
+    def call
+      fail!(error: "Wrong password") unless valid_password?
+
+      ActiveRecord::Base.transaction { user.destroy_fully! }
+    end
+
+    private
+
+    def valid_password?
+      user.valid_password?(password)
+    end
+  end
+end
diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
@@ -4,4 +4,8 @@ class UserPolicy < ApplicationPolicy
   def index?
     user.admin?
   end
+
+  def destroy_self?
+    user == record
+  end
 end
diff --git a/config/routes.rb b/config/routes.rb
@@ -29,7 +29,11 @@
       end
       resources :patients, only: %i[index create update destroy]
       resources :procedures, only: %i[index create update destroy]
-      resources :users, only: [:index]
+      resources :users, only: [:index] do
+        collection do
+          delete :destroy_self
+        end
+      end
 
       get "/event_procedures_dashboard/amount_by_day", to: "event_procedures_dashboard#amount_by_day"
       get "/pdf_reports/generate", to: "pdf_reports#generate", defaults: { format: :pdf }

diff --git a/db/migrate/20240303152300_add_user_ref_to_patients.rb b/db/migrate/20240303152300_add_user_ref_to_patients.rb
@@ -2,7 +2,6 @@
 
 class AddUserRefToPatients < ActiveRecord::Migration[7.0]
   def change
-    Patient.destroy_all
     add_reference :patients, :user, foreign_key: true
   end
 end
diff --git a/db/migrate/20240713155011_update_patients_names.rb b/db/migrate/20240713155011_update_patients_names.rb
diff --git a/db/migrate/20250512170444_add_deleted_at_to_patients.rb b/db/migrate/20250512170444_add_deleted_at_to_patients.rb
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class AddDeletedAtToPatients < ActiveRecord::Migration[7.1]
+  def change
+    add_column :patients, :deleted_at, :datetime
+    add_index :patients, :deleted_at
+  end
+end
diff --git a/db/migrate/20250512170525_add_deleted_at_to_health_insurances.rb b/db/migrate/20250512170525_add_deleted_at_to_health_insurances.rb
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class AddDeletedAtToHealthInsurances < ActiveRecord::Migration[7.1]
+  def change
+    add_column :health_insurances, :deleted_at, :datetime
+    add_index :health_insurances, :deleted_at
+  end
+end
diff --git a/db/migrate/20250512170622_add_deleted_at_to_medical_shifts.rb b/db/migrate/20250512170622_add_deleted_at_to_medical_shifts.rb
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class AddDeletedAtToMedicalShifts < ActiveRecord::Migration[7.1]
+  def change
+    add_column :medical_shifts, :deleted_at, :datetime
+    add_index :medical_shifts, :deleted_at
+  end
+end
diff --git a/db/migrate/20250512170640_add_deleted_at_to_procedures.rb b/db/migrate/20250512170640_add_deleted_at_to_procedures.rb
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class AddDeletedAtToProcedures < ActiveRecord::Migration[7.1]
+  def change
+    add_column :procedures, :deleted_at, :datetime
+    add_index :procedures, :deleted_at
+  end
+end
diff --git a/db/migrate/20250512170820_add_deleted_at_to_hospitals.rb b/db/migrate/20250512170820_add_deleted_at_to_hospitals.rb
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class AddDeletedAtToHospitals < ActiveRecord::Migration[7.1]
+  def change
+    add_column :hospitals, :deleted_at, :datetime
+    add_index :hospitals, :deleted_at
+  end
+end
diff --git a/db/migrate/20250512172117_add_deleted_at_to_users.rb b/db/migrate/20250512172117_add_deleted_at_to_users.rb
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class AddDeletedAtToUsers < ActiveRecord::Migration[7.1]
+  def change
+    add_column :users, :deleted_at, :datetime
+    add_index :users, :deleted_at
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
diff --git a/spec/models/patient_spec.rb b/spec/models/patient_spec.rb
@@ -4,7 +4,7 @@
 
 RSpec.describe Patient do
   describe "associations" do
-    it { is_expected.to have_many(:event_procedures).dependent(:restrict_with_exception) }
+    it { is_expected.to have_many(:event_procedures).dependent(:destroy) }
     it { is_expected.to belong_to(:user) }
   end
 

diff --git a/spec/policies/user_policy_spec.rb b/spec/policies/user_policy_spec.rb
@@ -18,5 +18,17 @@
 
       it { is_expected.to forbid_actions(%i[index]) }
     end
+
+    context "when user tries to destroy themselves" do
+      subject { described_class.new(user, user) }
+
+      it { is_expected.to permit_action(:destroy_self) }
+    end
+
+    context "when user tries to destroy another user" do
+      subject { described_class.new(user, admin) }
+
+      it { is_expected.to forbid_action(:destroy_self) }
+    end
   end
 end
diff --git a/spec/requests/api/v1/medical_shifts_request_spec.rb b/spec/requests/api/v1/medical_shifts_request_spec.rb
@@ -395,7 +395,7 @@
         end
 
         it { expect(response).to have_http_status(:not_found) }
-        it { expect(response.parsed_body[:error]).to eq("Couldn't find MedicalShift with 'id'=#{fake_id}") }
+        it { expect(response.parsed_body[:error]).to include("Couldn't find MedicalShift with 'id'=#{fake_id}") }
       end
 
       context "when medical_shift cannot be destroyed" do

diff --git a/spec/requests/api/v1/patients_request_spec.rb b/spec/requests/api/v1/patients_request_spec.rb
@@ -169,22 +169,29 @@
       include_examples "delete request returns ok", Patient
 
       context "when patient cannot be destroyed" do
-        it "returns unprocessable_content" do
-          create(:event_procedure, patient: patient, user: user)
+        let(:patient) { create(:patient) }
+        let(:errors) do
+          instance_double(
+            ActiveModel::Errors,
+            full_messages: ["Cannot delete record because of dependent event_procedures"]
+          )
+        end
 
-          delete path, headers: headers
+        before do
+          allow(Patient).to receive(:destroy).with(patient.id.to_s).and_return(patient)
+          allow(patient).to receive_messages(destroy: false, errors: errors)
+          allow(patient).to receive(:errors).and_return(errors)
+        end
 
-          expect(response).to have_http_status(:unprocessable_content)
+        it "returns unauthorized" do
+          delete path, headers: headers
+          expect(response).to have_http_status(:unauthorized)
         end
 
         it "returns errors" do
-          create(:event_procedure, patient: patient, user: user)
-
           delete path, headers: headers
 
-          expect(response.parsed_body).to eq(
-            { "error" => "Cannot delete record because of dependent event_procedures" }
-          )
+          expect(response.parsed_body).to include({ "error" => "not allowed to destroy? this Patient" })
         end
       end