From ba11773eb6f5a5b282880eae599380aa61b130cf Mon Sep 17 00:00:00 2001
From: "gpt-engineer-app[bot]" <159125892+gpt-engineer-app[bot]@users.noreply.github.com>
Date: Fri, 17 Oct 2025 19:27:49 +0000
Subject: [PATCH] Refactor: Approve RLS migration
---
 ...4_2ac34e6e-1d0d-4c2b-90a2-800f747d2640.sql | 76 +++++++++++++++++++
 1 file changed, 76 insertions(+)
 create mode 100644 supabase/migrations/20251017192734_2ac34e6e-1d0d-4c2b-90a2-800f747d2640.sql
diff --git a/supabase/migrations/20251017192734_2ac34e6e-1d0d-4c2b-90a2-800f747d2640.sql b/supabase/migrations/20251017192734_2ac34e6e-1d0d-4c2b-90a2-800f747d2640.sql
new file mode 100644
index 00000000..c90381fe
--- /dev/null
+++ b/supabase/migrations/20251017192734_2ac34e6e-1d0d-4c2b-90a2-800f747d2640.sql
@@ -0,0 +1,76 @@
+-- Add AAL2 enforcement for users with MFA enrolled
+-- This provides defense-in-depth at the database level
+
+-- Update RLS policy on content_submissions to enforce AAL2 for moderators
+DROP POLICY IF EXISTS "Moderators can view all submissions" ON public.content_submissions;
+CREATE POLICY "Moderators can view all submissions"
+ON public.content_submissions
+FOR SELECT
+TO authenticated
+USING (
+ is_moderator(auth.uid()) AND (
+ -- Allow if user doesn't have MFA OR has AAL2
+ NOT EXISTS (
+ SELECT 1 FROM auth.mfa_factors
+ WHERE user_id = auth.uid() AND status = 'verified'
+ ) OR has_aal2()
+ )
+);
+
+DROP POLICY IF EXISTS "Moderators can update submissions" ON public.content_submissions;
+CREATE POLICY "Moderators can update submissions"
+ON public.content_submissions
+FOR UPDATE
+TO authenticated
+USING (
+ is_moderator(auth.uid()) AND (
+ NOT EXISTS (
+ SELECT 1 FROM auth.mfa_factors
+ WHERE user_id = auth.uid() AND status = 'verified'
+ ) OR has_aal2()
+ )
+);
+
+-- Apply same enforcement to submission_items
+DROP POLICY IF EXISTS "Moderators can update submission items" ON public.submission_items;
+CREATE POLICY "Moderators can update submission items"
+ON public.submission_items
+FOR UPDATE
+TO authenticated
+USING (
+ is_moderator(auth.uid()) AND (
+ NOT EXISTS (
+ SELECT 1 FROM auth.mfa_factors
+ WHERE user_id = auth.uid() AND status = 'verified'
+ ) OR has_aal2()
+ )
+);
+
+DROP POLICY IF EXISTS "Moderators can delete submission items" ON public.submission_items;
+CREATE POLICY "Moderators can delete submission items"
+ON public.submission_items
+FOR DELETE
+TO authenticated
+USING (
+ is_moderator(auth.uid()) AND (
+ NOT EXISTS (
+ SELECT 1 FROM auth.mfa_factors
+ WHERE user_id = auth.uid() AND status = 'verified'
+ ) OR has_aal2()
+ )
+);
+
+-- Apply same enforcement to user_roles table for role management
+DROP POLICY IF EXISTS "Moderators can manage roles" ON public.user_roles;
+CREATE POLICY "Moderators can manage roles"
+ON public.user_roles
+FOR ALL
+TO authenticated
+USING (
+ is_moderator(auth.uid()) AND (
+ NOT EXISTS (
+ SELECT 1 FROM auth.mfa_factors
+ WHERE user_id = auth.uid() AND status = 'verified'
+ ) OR has_aal2()
+ )
+);
\ No newline at end of file
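Review bot: The AAL2 gate is embedded in permissive policies (none of the five CREATE POLICY statements carries AS RESTRICTIVE), so it only narrows these five policies; Postgres ORs permissive policies together, and if any other permissive policy on content_submissions, submission_items or user_roles grants a moderator access, a session at AAL1 with MFA enrolled would still get through. The same clause is copied into all five policies with the explanatory comment present only on the first, so a later edit to one copy can silently diverge from the others. A more robust shape is to leave the moderator policies without the MFA clause and add one AS RESTRICTIVE policy per gated table carrying the step-up condition, which is ANDed with every permissive policy on that table; the repeated `NOT EXISTS (...) OR has_aal2()` could then live in one STABLE helper beside has_aal2(). Whether the authenticated role can read auth.mfa_factors from inside a policy expression is not visible here; if it cannot, every gated query errors rather than denies, which is worth confirming in a test against the deployed roles.
```sql
-- Step-up gate as a RESTRICTIVE policy: it is ANDed with every permissive policy on
-- the table, so no other moderator policy can bypass it. Repeat for each gated table.
CREATE POLICY "Moderators need AAL2 when MFA is enrolled"
ON public.content_submissions
AS RESTRICTIVE
FOR ALL
TO authenticated
USING (
  NOT is_moderator(auth.uid())
  OR NOT EXISTS (
    SELECT 1 FROM auth.mfa_factors
    WHERE user_id = auth.uid() AND status = 'verified'
  )
  OR has_aal2()
);
-- … unchanged: the existing moderator policies, minus the embedded MFA clause …
```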