Fix content_submissions RLS policies

supabase/migrations/20251017201154_2e307a9a-49cf-49f7-bd38-468cb384c742.sql

@@ -0,0 +1,36 @@
+-- Drop broken policies on content_submissions that directly query auth.mfa_factors
+DROP POLICY IF EXISTS "Moderators can view all submissions" ON public.content_submissions;
+DROP POLICY IF EXISTS "Moderators can update submissions" ON public.content_submissions;
+DROP POLICY IF EXISTS "Moderators can update submissions with MFA" ON public.content_submissions;
+DROP POLICY IF EXISTS "Moderators can delete submissions with MFA" ON public.content_submissions;
+
+-- Recreate policies using has_mfa_enabled() function
+CREATE POLICY "Moderators can view all submissions"
+ON public.content_submissions
+FOR SELECT
+TO authenticated
+USING (
+  is_moderator(auth.uid()) AND 
+  (NOT has_mfa_enabled(auth.uid()) OR has_aal2())
+);
+
+CREATE POLICY "Moderators can update submissions"
+ON public.content_submissions
+FOR UPDATE
+TO authenticated
+USING (
+  is_moderator(auth.uid()) AND 
+  (NOT has_mfa_enabled(auth.uid()) OR has_aal2())
+)
+WITH CHECK (
+  is_moderator(auth.uid()) AND 
+  (NOT has_mfa_enabled(auth.uid()) OR has_aal2())
+);
+
+CREATE POLICY "Moderators can delete submissions with MFA"
+ON public.content_submissions
+FOR DELETE
+TO authenticated
+USING (
+  is_moderator(auth.uid()) AND has_aal2()
+);