obdev/app/controllers/users_controller.rb


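# Admin-only management of user accounts, their Rolify roles and their access
# periods.
#
# Every action requires a signed-in user (Devise `authenticate_user!`) who is an
# admin (`require_admin`); CanCanCan's `load_and_authorize_resource` then
# authorizes the loaded record against the Ability definition. `require_admin`
# is registered before `set_user` so a non-admin is redirected before any
# record lookup happens (the original order looked the user up first).
#
# Fixes relative to the previous version:
# - `update` dereferenced nil when a revoked user had no access period at all.
# - roles could only ever be added through `update`, never removed; the roles
#   submitted with the form now become the user's role set.
# - `roles` is no longer mass-assigned in `create` (it is a Rolify association,
#   not a column), matching what `update` already did.
# - `destroy` refuses to delete the signed-in admin's own account.
# - the unused `assign_roles`/`handle_access_revocation` helpers diverged from
#   the inline code in `update`; there is now a single implementation.
class UsersController < ApplicationController
  before_action :authenticate_user!
  before_action :require_admin
  before_action :set_user, only: %i[edit update destroy]
  load_and_authorize_resource

  # Role granted to a newly created user when the form submits no roles key.
  DEFAULT_ROLE = 'user'.freeze

  # GET /users
  def index
    @users = User.all
  end

  # GET /users/new — seed one blank access period so the nested form renders.
  def new
    @user = User.new
    @user.access_periods.build if @user.access_periods.empty?
  end

  # GET /users/:id/edit — same seeding as `new` for users with no periods yet.
  # `@user` is loaded by `set_user`.
  def edit
    @user.access_periods.build if @user.access_periods.empty?
  end

  # POST /users
  #
  # Roles are applied through `assign_roles` after the record is saved, never
  # mass-assigned. A new account always gets an open access period starting
  # today unless the form supplied periods itself.
  def create
    @user = User.new(user_params.except(:roles))
    @user.access_periods.build(start_date: Date.current) if @user.access_periods.empty?

    if @user.save
      # Key absent → default role; key present but all blank → no roles
      # (preserves the previous form semantics).
      assign_roles(@user, submitted_roles || [DEFAULT_ROLE])
      redirect_to users_path, notice: 'User was successfully created.'
    else
      render :new
    end
  end

  # PATCH/PUT /users/:id
  #
  # Blank password fields mean "leave the password alone": they are stripped
  # before mass assignment so Devise does not try to set an empty password.
  # Roles submitted with the form replace the user's role set (so an admin can
  # revoke a role, not only grant one); a request that omits the roles key
  # leaves roles untouched.
  def update
    if @user.update(sanitized_update_params)
      roles = submitted_roles
      assign_roles(@user, roles) if roles
      handle_access_revocation
      redirect_to users_path, notice: 'User was successfully updated.'
    else
      render :edit
    end
  end

  # GET /users/:id — eager-loads the periods the show view lists.
  def show
    @user = User.includes(:access_periods).find(params[:id])
  end

  # DELETE /users/:id
  #
  # The signed-in admin may not delete their own account: this controller is
  # admin-only, so an admin removing themselves could lock the section out.
  # A failed destroy (e.g. a dependent association refusing) is reported
  # instead of silently claiming success.
  def destroy
    if @user == current_user
      redirect_to users_path, alert: 'You cannot delete your own account.'
    elsif @user.destroy
      redirect_to users_path, notice: 'User was successfully deleted.'
    else
      redirect_to users_path, alert: 'User could not be deleted.'
    end
  end

  private

  def set_user
    @user = User.find(params[:id])
  end

  # Strong parameters. `roles` is permitted only so it survives
  # `require(:user)`; it is removed before every mass assignment.
  # NOTE(review): `access_revoked`, `access_start_date` and `access_end_date`
  # are permitted and passed to `update` — confirm User actually exposes them,
  # otherwise mass assignment raises UnknownAttributeError. Also note that
  # `load_and_authorize_resource` builds the `create` resource from this same
  # hash (roles included) — verify against the CanCanCan configuration.
  def user_params
    params.require(:user).permit(
      :email, :password, :password_confirmation, :remember_me,
      :first_name, :last_name, :phone, :company,
      :access_revoked, :access_start_date, :access_end_date,
      access_periods_attributes: %i[id start_date end_date _destroy],
      roles: []
    )
  end

  # Attributes for `update`: roles removed, and the password pair dropped when
  # the password field is blank (nil or "").
  def sanitized_update_params
    attrs = user_params.except(:roles)
    return attrs if attrs[:password].present?

    attrs.except(:password, :password_confirmation)
  end

  # Role names submitted with the form as an array of non-blank strings, or
  # nil when the request carried no `roles` key at all. Read from the
  # permitted hash rather than raw `params` so only scalar strings get
  # through; blanks (the hidden "" Rails emits for checkbox collections) are
  # dropped.
  def submitted_roles
    return nil unless params[:user].respond_to?(:key?) && params[:user].key?(:roles)

    Array(user_params[:roles]).map(&:to_s).reject(&:blank?)
  end

  def require_admin
    return if current_user.admin?

    redirect_to root_path, alert: 'Only admins are allowed to access this section.'
  end

  # Replaces the user's roles with `role_names` (blank names are skipped).
  # NOTE(review): Rolify's `add_role` creates any role name it does not know,
  # so an admin can mint arbitrary roles here; an allowlist of the roles the
  # application actually defines is advisable.
  def assign_roles(user, role_names)
    user.roles = []
    role_names.each { |name| user.add_role(name) unless name.blank? }
  end

  # Applies the `access_revoked` checkbox to the user's access periods:
  # "1" closes the currently open period (if any) today; "0" opens a new
  # period today when none is open. Any other or absent value is a no-op.
  # Safe when the user has no periods at all.
  def handle_access_revocation
    flag = params.dig(:user, :access_revoked)
    open_period = @user.access_periods.find_by(end_date: nil)

    case flag
    when '1'
      open_period&.update(end_date: Date.current)
    when '0'
      @user.access_periods.create(start_date: Date.current) if open_period.nil?
    end
  end
end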