From cf7c9c433b71388d8b34a6661450d8200d769c89 Mon Sep 17 00:00:00 2001
From: "gpt-engineer-app[bot]" <159125892+gpt-engineer-app[bot]@users.noreply.github.com>
Date: Fri, 17 Oct 2025 23:39:54 +0000
Subject: [PATCH] Fix RLS policies
---
 ...2_0ccfc5e3-b785-4b3e-a7a6-cb7c5ed580ce.sql | 79 +++++++++++++++++++
 1 file changed, 79 insertions(+)
 create mode 100644 supabase/migrations/20251017233942_0ccfc5e3-b785-4b3e-a7a6-cb7c5ed580ce.sql
diff --git a/supabase/migrations/20251017233942_0ccfc5e3-b785-4b3e-a7a6-cb7c5ed580ce.sql b/supabase/migrations/20251017233942_0ccfc5e3-b785-4b3e-a7a6-cb7c5ed580ce.sql
new file mode 100644
index 00000000..1e4e3d56
--- /dev/null
+++ b/supabase/migrations/20251017233942_0ccfc5e3-b785-4b3e-a7a6-cb7c5ed580ce.sql
@@ -0,0 +1,79 @@
+-- Fix RLS policies on photo_submissions and photo_submission_items
+-- Replace direct auth.mfa_factors queries with has_mfa_enabled() security definer function
+-- This prevents "permission denied for table mfa_factors" errors
+
+-- ============================================
+-- Photo Submissions Table
+-- ============================================
+
+DROP POLICY IF EXISTS "Moderators can view all photo submissions" ON public.photo_submissions;
+DROP POLICY IF EXISTS "Moderators can update photo submissions" ON public.photo_submissions;
+DROP POLICY IF EXISTS "Moderators can delete photo submissions" ON public.photo_submissions;
+
+CREATE POLICY "Moderators can view all photo submissions"
+ON public.photo_submissions
+FOR SELECT
+TO authenticated
+USING (
+ is_moderator(auth.uid()) AND (
+ (NOT has_mfa_enabled(auth.uid())) OR has_aal2()
+ )
+);
+
+CREATE POLICY "Moderators can update photo submissions"
+ON public.photo_submissions
+FOR UPDATE
+TO authenticated
+USING (
+ is_moderator(auth.uid()) AND (
+ (NOT has_mfa_enabled(auth.uid())) OR has_aal2()
+ )
+);
+
+CREATE POLICY "Moderators can delete photo submissions"
+ON public.photo_submissions
+FOR DELETE
+TO authenticated
+USING (
+ is_moderator(auth.uid()) AND (
+ (NOT has_mfa_enabled(auth.uid())) OR has_aal2()
+ )
+);
+
+-- ============================================
+-- Photo Submission Items Table
+-- ============================================
+
+DROP POLICY IF EXISTS "Moderators can view all photo submission items" ON public.photo_submission_items;
+DROP POLICY IF EXISTS "Moderators can update photo submission items" ON public.photo_submission_items;
+DROP POLICY IF EXISTS "Moderators can delete photo submission items" ON public.photo_submission_items;
+
+CREATE POLICY "Moderators can view all photo submission items"
+ON public.photo_submission_items
+FOR SELECT
+TO authenticated
+USING (
+ is_moderator(auth.uid()) AND (
+ (NOT has_mfa_enabled(auth.uid())) OR has_aal2()
+ )
+);
+
+CREATE POLICY "Moderators can update photo submission items"
+ON public.photo_submission_items
+FOR UPDATE
+TO authenticated
+USING (
+ is_moderator(auth.uid()) AND (
+ (NOT has_mfa_enabled(auth.uid())) OR has_aal2()
+ )
+);
+
+CREATE POLICY "Moderators can delete photo submission items"
+ON public.photo_submission_items
+FOR DELETE
+TO authenticated
+USING (
+ is_moderator(auth.uid()) AND (
+ (NOT has_mfa_enabled(auth.uid())) OR has_aal2()
+ )
+);
\ No newline at end of file
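Review bot: The MFA requirement in every USING clause is opt-in: `(NOT has_mfa_enabled(auth.uid())) OR has_aal2()` gives a moderator who never enrolled a factor full SELECT/UPDATE/DELETE at AAL1, so the gate protects only accounts that already have a second factor and a phished password on an un-enrolled moderator account bypasses it entirely. If moderation is meant to require MFA, the predicate should be `is_moderator(auth.uid()) AND has_aal2()` — at minimum on the UPDATE and DELETE policies — with moderator enrollment enforced separately rather than inferred here. `has_mfa_enabled()` is defined outside this migration, so the hunk does not show whether it counts only verified factors; if it also counts pending enrollments, a half-finished enrollment would lock the moderator out because `has_aal2()` can never be satisfied. The same eight-line predicate is pasted into six policies across two tables; wrapping it in one STABLE function keeps the gate from drifting between tables and makes tightening it a one-line change.

```sql
-- Single source of truth for the moderator access gate used by every
-- photo_submissions / photo_submission_items policy in this migration.
CREATE OR REPLACE FUNCTION public.moderator_has_required_aal()
RETURNS boolean
LANGUAGE sql
STABLE
AS $$
  SELECT is_moderator(auth.uid())
     AND ((NOT has_mfa_enabled(auth.uid())) OR has_aal2());
$$;

CREATE POLICY "Moderators can update photo submission items"
ON public.photo_submission_items
FOR UPDATE
TO authenticated
USING (moderator_has_required_aal());

-- … unchanged: the other five policies use the same USING (moderator_has_required_aal()) …
```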