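require 'securerandom'

# Account management: sign-up, admin-only deletion, and the two-step
# password-recovery flow (request a one-time recovery token by email, then
# redeem it to set a new password).
class UsersController < ApplicationController
  # Length of the one-time recovery token mailed to the user. SecureRandom
  # alphanumeric output is ~5.95 bits/char, so 32 chars is ~190 bits of
  # entropy from a CSPRNG and stays below bcrypt's 72-byte input cap.
  RECOVERY_TOKEN_LENGTH = 32

  before_action :ensure_admin, only: [:destroy]

  def index
    @users = User.all
  end

  def new
    @user = User.new
  end

  # Creates an account from the permitted user params and signs the new user
  # in by storing the id in the session.
  def create
    @user = User.create(params.require(:user).permit(:email, :password))
    if @user.invalid?
      redirect_to '/welcome', notice: notices_from_errors(@user)
    else
      session[:user_id] = @user.id
      redirect_to '/welcome', notice: 'Account has been created'
    end
  end

  # Issues a one-time recovery token for the account with the submitted email
  # and mails it. The response is the same whether or not the address is
  # registered, so this endpoint does not reveal which emails have accounts
  # (previously an unknown email raised NoMethodError on the nil user).
  def password_recovery_request
    email = params['email']
    @user = User.where(email: email).first
    if @user
      # CSPRNG token instead of shuffling the alphabet with the default
      # (non-cryptographic) Random, which yielded only ~36 bits.
      recovery_password = SecureRandom.alphanumeric(RECOVERY_TOKEN_LENGTH)
      @user.recovery_password = recovery_password
      # Only mail a token that was actually persisted; an unredeemable token
      # would just confuse the recipient.
      if @user.save
        UserMailer.with(user: @user, recovery_password: recovery_password).password_recovery.deliver_now
      end
    end
    # NOTE(review): nothing here limits how often a token can be requested for
    # one address; throttle this route at the rack or web-server level.
    redirect_to '/welcome', notice: "Recovery email sent to #{email}"
  end

  def password_recovery_request_form
  end

  # Renders the new-password form; the token and user id come from the link
  # in the recovery email.
  def recover_password_form
    @recovery_password = params[:recovery_password]
    @user_id = params[:id]
  end

  # Sets a new password when the submitted recovery token matches the stored
  # digest, then clears the token so it cannot be replayed.
  def recover_password
    user = User.find(params[:user_id])
    # A user who never requested recovery has no digest and must not pass;
    # the digest check mirrors the original guard.
    # NOTE(review): the visible fields carry no issued-at timestamp, so the
    # token does not expire on its own - confirm whether the model enforces one.
    unless user.recovery_password_digest && user.authenticate_recovery_password(params[:recovery_password])
      return redirect_to '/welcome', notice: 'Recovery link expired or invalid'
    end

    user.password = params[:password]
    user.password_confirmation = params[:password_confirmation]
    if user.save
      # Invalidate the token once it has been used.
      user.update(recovery_password: nil)
      redirect_to '/welcome', notice: 'Password changed'
    else
      # Report the actual validation errors (mismatch, too short, ...) the
      # same way create does, rather than always blaming a mismatch.
      redirect_to '/welcome', notice: notices_from_errors(user)
    end
  end

  # Admin-only (see before_action); removes the user with the given id.
  def destroy
    User.destroy(params[:id])
    redirect_to '/users'
  end
end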