Some view logic

src/registrar/config/urls.py

@@ -138,6 +138,11 @@ urlpatterns = [
         views.DomainInvitationDeleteView.as_view(http_method_names=["post"]),
         name="invitation-delete",
     ),
+    path(
+        "domain/<int:pk>/users/<int:user_pk>/delete",
+        views.DomainDeleteUserView.as_view(http_method_names=["post"]),
+        name="domain-user-delete",
+    ),
 ]
 
 # we normally would guard these with `if settings.DEBUG` but tests run with

src/registrar/templates/domain_users.html

@@ -58,8 +58,10 @@
           aria-describedby="Your DNSSEC records will be deleted from the registry."
           data-force-action
         >
-          <form method="POST" action="{% url "invitation-delete" pk=permission.user.id %}">
-            {% include 'includes/modal.html' with modal_heading="Warning: You are about to remove all DS records on your domain" modal_description="To fully disable DNSSEC: In addition to removing your DS records here you’ll also need to delete the DS records at your DNS host. To avoid causing your domain to appear offline you should wait to delete your DS records at your DNS host until the Time to Live (TTL) expires. This is often less than 24 hours, but confirm with your provider." modal_button=modal_button|safe %}
+          <form method="POST" action="{% url "domain-user-delete" pk=domain.id user_pk=permission.user.id %}">
+            {% with heading="Are you sure you want to remove <"|add:permission.user.email|add:">?" %}
+              {% include 'includes/modal.html' with modal_heading=heading  modal_description="<"|add:permission.user.email|add:"> will no longer be able to manage the domain "|add:domain.name|add:"." modal_button=modal_button|safe %}
+            {% endwith %}
           </form>
         </div>
         </td>

src/registrar/views/__init__.py

@@ -12,6 +12,7 @@ from .domain import (
     DomainUsersView,
     DomainAddUserView,
     DomainInvitationDeleteView,
+    DomainDeleteUserView,
 )
 from .health import *
 from .index import *

src/registrar/views/domain.py

@@ -33,6 +33,7 @@ from registrar.utility.errors import (
     SecurityEmailErrorCodes,
 )
 from registrar.models.utility.contact_error import ContactError
+from registrar.views.utility.permission_views import UserDomainRolePermissionView
 
 from ..forms import (
     ContactForm,
@@ -753,3 +754,15 @@ class DomainInvitationDeleteView(DomainInvitationPermissionDeleteView, SuccessMe
 
     def get_success_message(self, cleaned_data):
         return f"Successfully canceled invitation for {self.object.email}."
+
+
+class DomainDeleteUserView(UserDomainRolePermissionView, SuccessMessageMixin):
+    """Inside of a domain's user management, a form for deleting users.
+    """
+    object: UserDomainRole  # workaround for type mismatch in DeleteView
+
+    def get_success_url(self):
+        return reverse("domain-users", kwargs={"pk": self.object.domain.id})
+
+    def get_success_message(self, cleaned_data):
+        return f"Successfully removed manager for {self.object.email}."

src/registrar/views/utility/mixins.py

@@ -286,6 +286,36 @@ class DomainApplicationPermission(PermissionsLoginMixin):
         return True
 
 
+class UserDomainRolePermission(PermissionsLoginMixin):
+
+    """Permission mixin for UserDomainRole if user
+    has access, otherwise 403"""
+
+    def has_permission(self):
+        """Check if this user has access to this domain application.
+
+        The user is in self.request.user and the domain needs to be looked
+        up from the domain's primary key in self.kwargs["pk"]
+        """
+        domain_pk = self.kwargs["pk"]
+        user_pk = self.kwargs["user_pk"]
+        print(f"here is the user: {self.request.user} and kwargs: {domain_pk}")
+        if not self.request.user.is_authenticated:
+            return False
+        print("User was authenticated!")
+        x = UserDomainRole.objects.filter(
+            id=user_pk
+        ).get()
+        print(x)
+        # TODO - exclude the creator from this
+        if not UserDomainRole.objects.filter(
+            domain__id=domain_pk, domain__permissions__user=self.request.user
+        ).exists():
+            return False
+
+        return True
+
+
 class DomainApplicationPermissionWithdraw(PermissionsLoginMixin):
 
     """Permission mixin that redirects to withdraw action on domain application

src/registrar/views/utility/permission_views.py

@@ -4,6 +4,7 @@ import abc  # abstract base class
 
 from django.views.generic import DetailView, DeleteView, TemplateView
 from registrar.models import Domain, DomainApplication, DomainInvitation
+from registrar.models.user_domain_role import UserDomainRole
 
 from .mixins import (
     DomainPermission,
@@ -11,6 +12,7 @@ from .mixins import (
     DomainApplicationPermissionWithdraw,
     DomainInvitationPermission,
     ApplicationWizardPermission,
+    UserDomainRolePermission,
 )
 import logging
 
@@ -122,3 +124,32 @@ class DomainInvitationPermissionDeleteView(DomainInvitationPermission, DeleteVie
 
     model = DomainInvitation
     object: DomainInvitation  # workaround for type mismatch in DeleteView
+
+
+class UserDomainRolePermissionView(UserDomainRolePermission, DetailView, abc.ABC):
+
+    """Abstract base view for UserDomainRole that enforces permissions.
+
+    This abstract view cannot be instantiated. Actual views must specify
+    `template_name`.
+    """
+
+    # DetailView property for what model this is viewing
+    model = UserDomainRole
+    # variable name in template context for the model object
+    context_object_name = "userdomainrole"
+
+
+class UserDomainRolePermissionDeleteView(UserDomainRolePermissionView, DeleteView, abc.ABC):
+
+    """Abstract base view for domain application withdraw function
+
+    This abstract view cannot be instantiated. Actual views must specify
+    `template_name`.
+    """
+
+    # DetailView property for what model this is viewing
+    model = UserDomainRole
+    # variable name in template context for the model object
+    context_object_name = "userdomainrole"
+