feat: delete subscribers from page subscriber list

Adds DELETE route, form request authorization, admin UI with confirm, Dutch strings, and feature tests. Made-with: Cursor
2026-04-04 01:29:32 +02:00
parent 3c9b1d9810
commit ed85e5c537
6 changed files with 205 additions and 2 deletions
--- a/app/Http/Controllers/Admin/SubscriberController.php
+++ b/app/Http/Controllers/Admin/SubscriberController.php
@@ -5,9 +5,11 @@ declare(strict_types=1);
 namespace App\Http\Controllers\Admin;

 use App\Http\Controllers\Controller;
+use App\Http\Requests\Admin\DestroySubscriberRequest;
 use App\Http\Requests\Admin\IndexSubscriberRequest;
 use App\Http\Requests\Admin\QueueMailwizzSyncRequest;
 use App\Models\PreregistrationPage;
+use App\Models\Subscriber;
 use App\Services\DispatchUnsyncedMailwizzSyncJobsService;
 use Illuminate\Http\RedirectResponse;
 use Illuminate\View\View;
@@ -32,6 +34,15 @@ class SubscriberController extends Controller
        return view('admin.subscribers.index', compact('page', 'subscribers', 'unsyncedMailwizzCount'));
    }

+    public function destroy(DestroySubscriberRequest $request, PreregistrationPage $page, Subscriber $subscriber): RedirectResponse
+    {
+        $subscriber->delete();
+
+        return redirect()
+            ->route('admin.pages.subscribers.index', $page)
+            ->with('status', __('Subscriber removed.'));
+    }
+
    public function queueMailwizzSync(
        QueueMailwizzSyncRequest $request,
        PreregistrationPage $page,
--- a/app/Http/Requests/Admin/DestroySubscriberRequest.php
+++ b/app/Http/Requests/Admin/DestroySubscriberRequest.php
@@ -0,0 +1,36 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Requests\Admin;
+
+use App\Models\PreregistrationPage;
+use App\Models\Subscriber;
+use Illuminate\Contracts\Validation\ValidationRule;
+use Illuminate\Foundation\Http\FormRequest;
+
+class DestroySubscriberRequest extends FormRequest
+{
+    public function authorize(): bool
+    {
+        $page = $this->route('page');
+        $subscriber = $this->route('subscriber');
+        if (! $page instanceof PreregistrationPage || ! $subscriber instanceof Subscriber) {
+            return false;
+        }
+
+        if ($subscriber->preregistration_page_id !== $page->id) {
+            return false;
+        }
+
+        return $this->user()?->can('update', $page) ?? false;
+    }
+
+    /**
+     * @return array<string, array<int, ValidationRule|string>>
+     */
+    public function rules(): array
+    {
+        return [];
+    }
+}
--- a/lang/nl.json
+++ b/lang/nl.json
@@ -18,5 +18,9 @@
    "Thank you for registering!": "Bedankt voor je registratie!",
    "You are already registered for this event.": "Je bent al geregistreerd voor dit evenement.",
    "Please enter a valid email address.": "Voer een geldig e-mailadres in.",
-    "Please enter a valid phone number (8–15 digits).": "Voer een geldig telefoonnummer in (8 tot 15 cijfers)."
+    "Please enter a valid phone number (8–15 digits).": "Voer een geldig telefoonnummer in (8 tot 15 cijfers).",
+    "Subscriber removed.": "Abonnee verwijderd.",
+    "Delete this subscriber? This cannot be undone.": "Deze abonnee verwijderen? Dit kan niet ongedaan worden gemaakt.",
+    "Remove": "Verwijderen",
+    "Actions": "Acties"
 }
--- a/resources/views/admin/subscribers/index.blade.php
+++ b/resources/views/admin/subscribers/index.blade.php
@@ -54,6 +54,7 @@
                            @endif
                            <th class="px-4 py-3 font-semibold text-slate-700">{{ __('Registered at') }}</th>
                            <th class="px-4 py-3 font-semibold text-slate-700">{{ __('Mailwizz') }}</th>
+                            <th class="w-px whitespace-nowrap px-4 py-3 font-semibold text-slate-700">{{ __('Actions') }}</th>
                        </tr>
                    </thead>
                    <tbody class="divide-y divide-slate-100">
@@ -77,10 +78,29 @@
                                        </span>
                                    @endif
                                </td>
+                                <td class="whitespace-nowrap px-4 py-3 text-right">
+                                    @can('update', $page)
+                                        <form
+                                            method="post"
+                                            action="{{ route('admin.pages.subscribers.destroy', [$page, $subscriber]) }}"
+                                            class="inline"
+                                            onsubmit="return confirm(@js(__('Delete this subscriber? This cannot be undone.')));"
+                                        >
+                                            @csrf
+                                            @method('DELETE')
+                                            <button
+                                                type="submit"
+                                                class="rounded-lg border border-red-200 bg-white px-2.5 py-1 text-xs font-semibold text-red-700 hover:bg-red-50"
+                                            >
+                                                {{ __('Remove') }}
+                                            </button>
+                                        </form>
+                                    @endcan
+                                </td>
                            </tr>
                        @empty
                            <tr>
-                                <td colspan="{{ $page->isPhoneFieldEnabledForSubscribers() ? 6 : 5 }}" class="px-4 py-12 text-center text-slate-500">
+                                <td colspan="{{ $page->isPhoneFieldEnabledForSubscribers() ? 7 : 6 }}" class="px-4 py-12 text-center text-slate-500">
                                    {{ __('No subscribers match your criteria.') }}
                                </td>
                            </tr>
--- a/routes/web.php
+++ b/routes/web.php
@@ -33,6 +33,7 @@ Route::middleware(['auth', 'verified'])->prefix('admin')->name('admin.')->group(

    // Subscribers (nested under pages) — export before index so the path is unambiguous
    Route::get('pages/{page}/subscribers/export', [SubscriberController::class, 'export'])->name('pages.subscribers.export');
+    Route::delete('pages/{page}/subscribers/{subscriber}', [SubscriberController::class, 'destroy'])->name('pages.subscribers.destroy');
    Route::post('pages/{page}/subscribers/queue-mailwizz-sync', [SubscriberController::class, 'queueMailwizzSync'])->name('pages.subscribers.queue-mailwizz-sync');
    Route::get('pages/{page}/subscribers', [SubscriberController::class, 'index'])->name('pages.subscribers.index');

--- a/tests/Feature/DestroySubscriberTest.php
+++ b/tests/Feature/DestroySubscriberTest.php
@@ -0,0 +1,131 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Tests\Feature;
+
+use App\Models\PreregistrationPage;
+use App\Models\Subscriber;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Str;
+use Tests\TestCase;
+
+class DestroySubscriberTest extends TestCase
+{
+    use RefreshDatabase;
+
+    public function test_page_owner_can_delete_subscriber_on_that_page(): void
+    {
+        $user = User::factory()->create(['role' => 'user']);
+        $page = PreregistrationPage::query()->create([
+            'slug' => (string) Str::uuid(),
+            'user_id' => $user->id,
+            'title' => 'Fest',
+            'heading' => 'Fest',
+            'intro_text' => null,
+            'thank_you_message' => null,
+            'expired_message' => null,
+            'ticketshop_url' => null,
+            'start_date' => now()->subDay(),
+            'end_date' => now()->addMonth(),
+            'phone_enabled' => false,
+            'background_image' => null,
+            'logo_image' => null,
+            'is_active' => true,
+        ]);
+        $subscriber = Subscriber::query()->create([
+            'preregistration_page_id' => $page->id,
+            'first_name' => 'Ada',
+            'last_name' => 'Lovelace',
+            'email' => 'ada@example.com',
+        ]);
+
+        $response = $this->actingAs($user)->delete(route('admin.pages.subscribers.destroy', [$page, $subscriber]));
+
+        $response->assertRedirect(route('admin.pages.subscribers.index', $page));
+        $response->assertSessionHas('status');
+        $this->assertDatabaseMissing('subscribers', ['id' => $subscriber->id]);
+    }
+
+    public function test_other_user_cannot_delete_subscriber(): void
+    {
+        $owner = User::factory()->create(['role' => 'user']);
+        $intruder = User::factory()->create(['role' => 'user']);
+        $page = PreregistrationPage::query()->create([
+            'slug' => (string) Str::uuid(),
+            'user_id' => $owner->id,
+            'title' => 'Fest',
+            'heading' => 'Fest',
+            'intro_text' => null,
+            'thank_you_message' => null,
+            'expired_message' => null,
+            'ticketshop_url' => null,
+            'start_date' => now()->subDay(),
+            'end_date' => now()->addMonth(),
+            'phone_enabled' => false,
+            'background_image' => null,
+            'logo_image' => null,
+            'is_active' => true,
+        ]);
+        $subscriber = Subscriber::query()->create([
+            'preregistration_page_id' => $page->id,
+            'first_name' => 'A',
+            'last_name' => 'B',
+            'email' => 'x@example.com',
+        ]);
+
+        $response = $this->actingAs($intruder)->delete(route('admin.pages.subscribers.destroy', [$page, $subscriber]));
+
+        $response->assertForbidden();
+        $this->assertDatabaseHas('subscribers', ['id' => $subscriber->id]);
+    }
+
+    public function test_cannot_delete_subscriber_using_wrong_page_in_url(): void
+    {
+        $user = User::factory()->create(['role' => 'user']);
+        $pageA = PreregistrationPage::query()->create([
+            'slug' => (string) Str::uuid(),
+            'user_id' => $user->id,
+            'title' => 'A',
+            'heading' => 'A',
+            'intro_text' => null,
+            'thank_you_message' => null,
+            'expired_message' => null,
+            'ticketshop_url' => null,
+            'start_date' => now()->subDay(),
+            'end_date' => now()->addMonth(),
+            'phone_enabled' => false,
+            'background_image' => null,
+            'logo_image' => null,
+            'is_active' => true,
+        ]);
+        $pageB = PreregistrationPage::query()->create([
+            'slug' => (string) Str::uuid(),
+            'user_id' => $user->id,
+            'title' => 'B',
+            'heading' => 'B',
+            'intro_text' => null,
+            'thank_you_message' => null,
+            'expired_message' => null,
+            'ticketshop_url' => null,
+            'start_date' => now()->subDay(),
+            'end_date' => now()->addMonth(),
+            'phone_enabled' => false,
+            'background_image' => null,
+            'logo_image' => null,
+            'is_active' => true,
+        ]);
+        $subscriber = Subscriber::query()->create([
+            'preregistration_page_id' => $pageB->id,
+            'first_name' => 'A',
+            'last_name' => 'B',
+            'email' => 'y@example.com',
+        ]);
+
+        $response = $this->actingAs($user)->delete(route('admin.pages.subscribers.destroy', [$pageA, $subscriber]));
+
+        $response->assertForbidden();
+        $this->assertDatabaseHas('subscribers', ['id' => $subscriber->id]);
+    }
+}