From 8300243bb2f4e002272fb177e737117b4431dec8 Mon Sep 17 00:00:00 2001
From: "gpt-engineer-app[bot]" <159125892+gpt-engineer-app[bot]@users.noreply.github.com>
Date: Tue, 28 Oct 2025 18:55:23 +0000
Subject: [PATCH] Fix RLS policies for email threads
---
...9_1ef98987-5147-4803-83ea-9ae9a598b3cc.sql | 23 +++++++++++++++++++
1 file changed, 23 insertions(+)
create mode 100644 supabase/migrations/20251028185509_1ef98987-5147-4803-83ea-9ae9a598b3cc.sql
diff --git a/supabase/migrations/20251028185509_1ef98987-5147-4803-83ea-9ae9a598b3cc.sql b/supabase/migrations/20251028185509_1ef98987-5147-4803-83ea-9ae9a598b3cc.sql
new file mode 100644
index 00000000..1517b862
--- /dev/null
+++ b/supabase/migrations/20251028185509_1ef98987-5147-4803-83ea-9ae9a598b3cc.sql
@@ -0,0 +1,23 @@
+-- Drop existing restrictive policies
+DROP POLICY IF EXISTS "Admins can view all email threads" ON contact_email_threads;
+DROP POLICY IF EXISTS "Admins can insert email threads" ON contact_email_threads;
+
+-- Create new inclusive SELECT policy for all admin staff roles
+CREATE POLICY "Admin staff can view all email threads" ON contact_email_threads
+ FOR SELECT
+ TO authenticated
+ USING (
+ has_role(auth.uid(), 'superuser'::app_role) OR
+ has_role(auth.uid(), 'admin'::app_role) OR
+ has_role(auth.uid(), 'moderator'::app_role)
+ );
+
+-- Create new inclusive INSERT policy for all admin staff roles
+CREATE POLICY "Admin staff can insert email threads" ON contact_email_threads
+ FOR INSERT
+ TO authenticated
+ WITH CHECK (
+ has_role(auth.uid(), 'superuser'::app_role) OR
+ has_role(auth.uid(), 'admin'::app_role) OR
+ has_role(auth.uid(), 'moderator'::app_role)
+ );
\ No newline at end of file
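Review bot: Both new policies give the `moderator` role SELECT and INSERT on every row of `contact_email_threads`, but the only rationale recorded in the migration is the word "inclusive". A comment above each `CREATE POLICY` should say which roles are granted access and why, e.g. `-- Grants superuser, admin and moderator access to all threads; rationale: <placeholder: link to decision>`. The same three-role expression appears in both the USING and WITH CHECK clauses, so a later role change can easily update one and miss the other; the comment should state that the two lists must stay identical. `has_role` is defined outside this patch, so confirm it is SECURITY DEFINER with a pinned `search_path`, since both policies rely entirely on its result. The new policy names also have no matching drop, so a re-run fails on `CREATE POLICY`; adding `DROP POLICY IF EXISTS "Admin staff can view all email threads" ON contact_email_threads;` and the equivalent for the insert policy would make the file re-runnable.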