class UsersController < ApplicationController
  allow_unauthenticated_access only: %i[new create]
  before_action :ensure_first_run, only: %i[new create]

  def new
    @user = User.new
  end

  def create
    @user = User.new(user_params)
    @user.status = "active"
    first_user = User.count.zero?

    if @user.save
      # First user automatically becomes a member of every admin group, so they
      # can reach the admin panel without an existing admin to grant access.
      if first_user
        Group.where(admin: true).each { |g| @user.groups << g }
      end

      start_new_session_for @user
      redirect_to root_path, notice: "Welcome to Clinch! Your account has been created."
    else
      render :new, status: :unprocessable_entity
    end
  end

  private

  def user_params
    params.require(:user).permit(:email_address, :password, :password_confirmation)
  end

  def ensure_first_run
    # Only allow signup if there are no users (first-run scenario)
    if User.exists?
      redirect_to signin_path, alert: "Registration is closed. Please sign in."
    end
  end
end