espoo-dev · mattfeg · May 19, 2025 · May 9, 2025 · May 9, 2025 · May 13, 2025
diff --git a/app/controllers/api/v1/users_controller.rb b/app/controllers/api/v1/users_controller.rb
@@ -11,6 +11,20 @@ def index
         render json: users, status: :ok
       end
 
+      def destroy_self
+        authorize current_user, :destroy_self?
+
+        unless current_user.valid_password?(params[:password])
+          return render json: { error: "Wrong password" }, status: :unauthorized
+        end
+
+        if current_user.destroy
+          render json: { message: "Account deleted successfully" }, status: :ok
+        else
+          render json: { error: "Unable to delete account" }, status: :unprocessable_entity
+        end
+      end
+
       private
 
       def page

diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
@@ -4,4 +4,8 @@ class UserPolicy < ApplicationPolicy
   def index?
     user.admin?
   end
+
+  def destroy_self?
+    user == record
+  end
 end
diff --git a/config/routes.rb b/config/routes.rb
@@ -29,7 +29,11 @@
       end
       resources :patients, only: %i[index create update destroy]
       resources :procedures, only: %i[index create update destroy]
-      resources :users, only: [:index]
+      resources :users, only: [:index] do
+        collection do
+          delete :destroy_self
+        end
+      end
 
       get "/event_procedures_dashboard/amount_by_day", to: "event_procedures_dashboard#amount_by_day"
       get "/pdf_reports/generate", to: "pdf_reports#generate", defaults: { format: :pdf }

diff --git a/db/migrate/20250508174727_add_cascade_delete_to_event_procedures.rb b/db/migrate/20250508174727_add_cascade_delete_to_event_procedures.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class AddCascadeDeleteToEventProcedures < ActiveRecord::Migration[7.1]
+  def change
+    remove_foreign_key :event_procedures, :patients
+
+    add_foreign_key :event_procedures, :patients, on_delete: :cascade
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
diff --git a/spec/requests/api/v1/users_request_spec.rb b/spec/requests/api/v1/users_request_spec.rb
@@ -100,4 +100,46 @@
       expect { user.reload }.to change(user, :reset_password_token)
     end
   end
+
+  describe "DELETE /api/v1/users/destroy_self" do
+    context "when user unauthenticated" do
+      subject(:request_destroy_self) { delete "/api/v1/users/destroy_self" }
+
+      it "returns unauthorized status code" do
+        request_destroy_self
+        expect(response).to have_http_status(:unauthorized)
+      end
+
+      it "returns invalid_token message error" do
+        request_destroy_self
+        expect(response.parsed_body).to include({ error: "invalid_token" })
+      end
+    end
+
+    context "when user autheticated" do
+      subject(:request_destroy_self) do
+        delete "/api/v1/users/destroy_self",
+          headers: auth_token_for(existing_user),
+          params: { password: existing_user.password }
+      end
+
+      let(:existing_user) { create(:user, password: "qwe123") }
+
+      before do
+        request_destroy_self
+      end
+
+      it "returns ok" do
+        expect(response).to have_http_status(:ok)
+      end
+
+      it "returns deletion message" do
+        expect(response.parsed_body).to include({ message: "Account deleted successfully" })
+      end
+
+      it "deletes user account" do
+        expect { existing_user.reload }.to raise_error(ActiveRecord::RecordNotFound)
+      end
+    end
+  end
 end