Add/remove members and invitations (#1744)

* Add/remove members and invitations

* Lint

test/controllers/invitations_controller_test.rb

@@ -2,7 +2,7 @@ require "test_helper"
 
 class InvitationsControllerTest < ActionDispatch::IntegrationTest
   setup do
-    sign_in @user = users(:family_admin)
+    sign_in @admin = users(:family_admin)
     @invitation = invitations(:one)
   end
 
@@ -25,7 +25,7 @@ class InvitationsControllerTest < ActionDispatch::IntegrationTest
 
     invitation = Invitation.order(created_at: :desc).first
     assert_equal "member", invitation.role
-    assert_equal @user, invitation.inviter
+    assert_equal @admin, invitation.inviter
     assert_equal "new@example.com", invitation.email
     assert_redirected_to settings_profile_path
     assert_equal I18n.t("invitations.create.success"), flash[:notice]
@@ -59,8 +59,8 @@ class InvitationsControllerTest < ActionDispatch::IntegrationTest
 
     invitation = Invitation.order(created_at: :desc).first
     assert_equal "admin", invitation.role
-    assert_equal @user.family, invitation.family
-    assert_equal @user, invitation.inviter
+    assert_equal @admin.family, invitation.family
+    assert_equal @admin, invitation.inviter
   end
 
   test "should handle invalid invitation creation" do
@@ -86,4 +86,29 @@ class InvitationsControllerTest < ActionDispatch::IntegrationTest
     get accept_invitation_url("invalid-token")
     assert_response :not_found
   end
+
+  test "admin can remove pending invitation" do
+    assert_difference("Invitation.count", -1) do
+      delete invitation_url(@invitation)
+    end
+
+    assert_redirected_to settings_profile_path
+    assert_equal I18n.t("invitations.destroy.success"), flash[:notice]
+  end
+
+  test "non-admin cannot remove invitations" do
+    sign_in users(:family_member)
+
+    assert_no_difference("Invitation.count") do
+      delete invitation_url(@invitation)
+    end
+
+    assert_redirected_to settings_profile_path
+    assert_equal I18n.t("invitations.destroy.not_authorized"), flash[:alert]
+  end
+
+  test "should handle invalid invitation removal" do
+    delete invitation_url(id: "invalid-id")
+    assert_response :not_found
+  end
 end

test/controllers/settings/profiles_controller_test.rb

@@ -2,11 +2,46 @@ require "test_helper"
 
 class Settings::ProfilesControllerTest < ActionDispatch::IntegrationTest
   setup do
-    sign_in @user = users(:family_admin)
+    @admin = users(:family_admin)
+    @member = users(:family_member)
   end
 
-  test "get" do
-    get settings_profile_url
+  test "should get show" do
+    sign_in @admin
+    get settings_profile_path
     assert_response :success
   end
+
+  test "admin can remove a family member" do
+    sign_in @admin
+    assert_difference("User.count", -1) do
+      delete settings_profile_path(user_id: @member)
+    end
+
+    assert_redirected_to settings_profile_path
+    assert_equal I18n.t("settings.profiles.destroy.member_removed"), flash[:notice]
+    assert_raises(ActiveRecord::RecordNotFound) { User.find(@member.id) }
+  end
+
+  test "admin cannot remove themselves" do
+    sign_in @admin
+    assert_no_difference("User.count") do
+      delete settings_profile_path(user_id: @admin)
+    end
+
+    assert_redirected_to settings_profile_path
+    assert_equal I18n.t("settings.profiles.destroy.cannot_remove_self"), flash[:alert]
+    assert User.find(@admin.id)
+  end
+
+  test "non-admin cannot remove members" do
+    sign_in @member
+    assert_no_difference("User.count") do
+      delete settings_profile_path(user_id: @admin)
+    end
+
+    assert_redirected_to settings_profile_path
+    assert_equal I18n.t("settings.profiles.destroy.not_authorized"), flash[:alert]
+    assert User.find(@admin.id)
+  end
 end