Allow publishers to delete a document preview link

Add a destroy_bypass_id action and DELETE route that removes a draft's
auth bypass token via EditionAuthBypassRevoker. Like update_bypass_id it
loads the edition and requires :update permission on it.

Author: TonyGDS

app/controllers/admin/editions_controller.rb

@@ -6,7 +6,7 @@ class Admin::EditionsController < Admin::BaseController
   before_action :clean_edition_parameters, only: %i[create update]
   before_action :clear_scheduled_publication_if_not_activated, only: %i[create update]
   before_action :clear_response_form_file_cache, only: %i[create update]
-  before_action :find_edition, only: %i[show edit update revise diff confirm_destroy destroy update_bypass_id features]
+  before_action :find_edition, only: %i[show edit update revise diff confirm_destroy destroy update_bypass_id destroy_bypass_id features]
   before_action :prevent_modification_of_unmodifiable_edition, only: %i[update]
   before_action :delete_absent_edition_organisations, only: %i[create update]
   before_action :build_national_exclusion_params, only: %i[create update]
@@ -33,7 +33,7 @@ def enforce_permissions!
       enforce_permission!(:create, edition_class || Edition)
     when "create"
       enforce_permission!(:create, @edition) if @edition.persisted?
-    when "edit", "update", "revise", "diff", "update_bypass_id", "features"
+    when "edit", "update", "revise", "diff", "update_bypass_id", "destroy_bypass_id", "features"
       enforce_permission!(:update, @edition)
     when "destroy", "confirm_destroy"
       enforce_permission!(:delete, @edition)
@@ -196,6 +196,12 @@ def update_bypass_id
     redirect_to admin_edition_path(@edition), notice: "New document preview link generated"
   end
 
+  def destroy_bypass_id
+    EditionAuthBypassRevoker.new(edition: @edition, current_user:, updater:).call
+
+    redirect_to admin_edition_path(@edition), notice: "Document preview link deleted"
+  end
+
 private
 
   def display_filter_error_message

config/routes.rb

@@ -239,6 +239,7 @@ def redirect(path, options = { prefix: Whitehall.router_prefix })
           get :audit_trail, to: "edition_audit_trail#index"
           get :document_history, to: "edition_document_history#index"
           patch :update_bypass_id
+          delete :destroy_bypass_id
           get :confirm_destroy
           get :edit_access_limited, to: "edition_access_limited#edit"
           patch :update_access_limited, to: "edition_access_limited#update"

test/functional/admin/editions_controller_test.rb

@@ -369,6 +369,29 @@ class Admin::EditionsControllerTest < ActionController::TestCase
     assert_not flash["html_safe"]
   end
 
+  test "update_bypass_id generates a new preview token and redirects with a notice" do
+    edition = create(:draft_publication)
+    previous_auth_bypass_id = edition.auth_bypass_id
+
+    patch :update_bypass_id, params: { id: edition }
+
+    assert_not_nil edition.reload.auth_bypass_id
+    assert_not_equal previous_auth_bypass_id, edition.auth_bypass_id
+    assert_redirected_to admin_publication_path(edition)
+    assert_equal "New document preview link generated", flash[:notice]
+  end
+
+  test "destroy_bypass_id deletes the preview token and redirects with a notice" do
+    edition = create(:draft_publication)
+    assert_not_nil edition.auth_bypass_id
+
+    delete :destroy_bypass_id, params: { id: edition }
+
+    assert_nil edition.reload.auth_bypass_id
+    assert_redirected_to admin_publication_path(edition)
+    assert_equal "Document preview link deleted", flash[:notice]
+  end
+
 private
 
   def stub_edition_filter(attributes = {})