From 09090c29f8577706860f4216254f609752f358ea Mon Sep 17 00:00:00 2001
From: "gpt-engineer-app[bot]" <159125892+gpt-engineer-app[bot]@users.noreply.github.com>
Date: Fri, 17 Oct 2025 20:12:10 +0000
Subject: [PATCH] Fix content_submissions RLS policies
---
 ...4_2e307a9a-49cf-49f7-bd38-468cb384c742.sql | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 supabase/migrations/20251017201154_2e307a9a-49cf-49f7-bd38-468cb384c742.sql
diff --git a/supabase/migrations/20251017201154_2e307a9a-49cf-49f7-bd38-468cb384c742.sql b/supabase/migrations/20251017201154_2e307a9a-49cf-49f7-bd38-468cb384c742.sql
new file mode 100644
index 00000000..cf3673c4
--- /dev/null
+++ b/supabase/migrations/20251017201154_2e307a9a-49cf-49f7-bd38-468cb384c742.sql
@@ -0,0 +1,36 @@
+-- Drop broken policies on content_submissions that directly query auth.mfa_factors
+DROP POLICY IF EXISTS "Moderators can view all submissions" ON public.content_submissions;
+DROP POLICY IF EXISTS "Moderators can update submissions" ON public.content_submissions;
+DROP POLICY IF EXISTS "Moderators can update submissions with MFA" ON public.content_submissions;
+DROP POLICY IF EXISTS "Moderators can delete submissions with MFA" ON public.content_submissions;
+
+-- Recreate policies using has_mfa_enabled() function
+CREATE POLICY "Moderators can view all submissions"
+ON public.content_submissions
+FOR SELECT
+TO authenticated
+USING (
+ is_moderator(auth.uid()) AND
+ (NOT has_mfa_enabled(auth.uid()) OR has_aal2())
+);
+
+CREATE POLICY "Moderators can update submissions"
+ON public.content_submissions
+FOR UPDATE
+TO authenticated
+USING (
+ is_moderator(auth.uid()) AND
+ (NOT has_mfa_enabled(auth.uid()) OR has_aal2())
+)
+WITH CHECK (
+ is_moderator(auth.uid()) AND
+ (NOT has_mfa_enabled(auth.uid()) OR has_aal2())
+);
+
+CREATE POLICY "Moderators can delete submissions with MFA"
+ON public.content_submissions
+FOR DELETE
+TO authenticated
+USING (
+ is_moderator(auth.uid()) AND has_aal2()
+);
\ No newline at end of file
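Review bot: The new UPDATE policy is weaker than the dropped "Moderators can update submissions with MFA" it replaces: its USING and WITH CHECK accept `NOT has_mfa_enabled(auth.uid()) OR has_aal2()`, so a moderator who has never enrolled a factor can modify submissions with no step-up at all, while the DELETE policy still requires `has_aal2()` unconditionally. If enrolment-optional step-up for SELECT/UPDATE is intended, state it above the first CREATE POLICY, e.g. `-- MFA step-up applies only to moderators who have enrolled a factor; DELETE always requires AAL2`; otherwise align UPDATE with DELETE by using `is_moderator(auth.uid()) AND has_aal2()` in both of its clauses. `is_moderator`, `has_mfa_enabled` and `has_aal2` are defined outside this migration, and since the opening comment says the old policies broke by querying auth.mfa_factors directly, `has_mfa_enabled` presumably now reads that table with elevated rights — if so, its search_path should be pinned and its EXECUTE grant limited, which is worth confirming in the defining migration.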