-- Phase 2: Optimize remaining RLS policies missed in first pass
-- Fixes 49 additional policies across versioning, historical, preference, and granular permission tables
-- Pattern: auth.uid() → (SELECT auth.uid())
-- Pattern: is_moderator(auth.uid()) → is_moderator((SELECT auth.uid()))

-- ============================================================================
-- CORE RELATIONAL TABLES
-- ============================================================================

DROP POLICY IF EXISTS "Moderators can manage ride technical specifications" ON public.ride_technical_specifications;
DROP POLICY IF EXISTS "Moderators can manage ride coaster statistics" ON public.ride_coaster_statistics;
DROP POLICY IF EXISTS "Moderators can manage ride name history" ON public.ride_name_history;
DROP POLICY IF EXISTS "Moderators can manage ride model technical specifications" ON public.ride_model_technical_specifications;

CREATE POLICY "Moderators can manage ride technical specifications"
ON public.ride_technical_specifications FOR ALL
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Moderators can manage ride coaster statistics"
ON public.ride_coaster_statistics FOR ALL
TO authenticated  
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Moderators can manage ride name history"
ON public.ride_name_history FOR ALL
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Moderators can manage ride model technical specifications"
ON public.ride_model_technical_specifications FOR ALL
TO authenticated
USING (is_moderator((SELECT auth.uid())));

-- ============================================================================
-- USER/SYSTEM TABLES
-- ============================================================================

DROP POLICY IF EXISTS "Moderators can read all preferences" ON public.user_preferences;
DROP POLICY IF EXISTS "Moderators can read analytics" ON public.entity_page_views;
DROP POLICY IF EXISTS "Service role only access" ON public.request_metadata;
DROP POLICY IF EXISTS "Moderators can view metadata with MFA" ON public.request_metadata;
DROP POLICY IF EXISTS "Superusers can manage settings with MFA" ON public.admin_settings;

CREATE POLICY "Moderators can read all preferences"
ON public.user_preferences FOR SELECT
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Moderators can read analytics"
ON public.entity_page_views FOR SELECT
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Service role only access"
ON public.request_metadata FOR ALL
TO service_role
USING (auth.role() = 'service_role');

CREATE POLICY "Moderators can view metadata with MFA"
ON public.request_metadata FOR SELECT
TO authenticated
USING (is_moderator((SELECT auth.uid())) AND has_aal2());

CREATE POLICY "Superusers can manage settings with MFA"
ON public.admin_settings FOR ALL
TO authenticated
USING (is_superuser((SELECT auth.uid())) AND has_aal2());

-- ============================================================================
-- HISTORICAL/VERSIONING TABLES
-- ============================================================================

DROP POLICY IF EXISTS "Moderators manage historical parks" ON public.historical_parks;
DROP POLICY IF EXISTS "Moderators manage historical rides" ON public.historical_rides;
DROP POLICY IF EXISTS "Moderators manage location history" ON public.park_location_history;
DROP POLICY IF EXISTS "Moderators view location history" ON public.park_location_history;
DROP POLICY IF EXISTS "Moderators can view all archived versions" ON public.entity_versions_archive;
DROP POLICY IF EXISTS "Moderators can view all company versions" ON public.company_versions;
DROP POLICY IF EXISTS "Moderators can view all park versions" ON public.park_versions;
DROP POLICY IF EXISTS "Moderators can view all ride versions" ON public.ride_versions;
DROP POLICY IF EXISTS "Moderators can view all ride model versions" ON public.ride_model_versions;

CREATE POLICY "Moderators manage historical parks"
ON public.historical_parks FOR ALL
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Moderators manage historical rides"
ON public.historical_rides FOR ALL
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Moderators manage location history"
ON public.park_location_history FOR ALL
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Moderators view location history"
ON public.park_location_history FOR SELECT
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Moderators can view all archived versions"
ON public.entity_versions_archive FOR SELECT
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Moderators can view all company versions"
ON public.company_versions FOR SELECT
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Moderators can view all park versions"
ON public.park_versions FOR SELECT
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Moderators can view all ride versions"
ON public.ride_versions FOR SELECT
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Moderators can view all ride model versions"
ON public.ride_model_versions FOR SELECT
TO authenticated
USING (is_moderator((SELECT auth.uid())));

-- ============================================================================
-- GRANULAR UPDATE/VIEW POLICIES
-- ============================================================================

DROP POLICY IF EXISTS "Moderators can update photo submission items" ON public.photo_submission_items;
DROP POLICY IF EXISTS "Moderators can view all photo submission items" ON public.photo_submission_items;
DROP POLICY IF EXISTS "Moderators can update photo submissions" ON public.photo_submissions;
DROP POLICY IF EXISTS "Moderators can view all photo submissions" ON public.photo_submissions;
DROP POLICY IF EXISTS "Moderators can update profiles for banning" ON public.profiles;
DROP POLICY IF EXISTS "Moderators can view all profiles" ON public.profiles;
DROP POLICY IF EXISTS "Moderators can update reports" ON public.reports;
DROP POLICY IF EXISTS "Moderators can update reports with MFA" ON public.reports;
DROP POLICY IF EXISTS "Moderators can view all reports" ON public.reports;
DROP POLICY IF EXISTS "Moderators can update review status" ON public.reviews;
DROP POLICY IF EXISTS "Moderators can update ride model submissions" ON public.ride_model_submissions;
DROP POLICY IF EXISTS "Moderators can view all ride model submissions" ON public.ride_model_submissions;
DROP POLICY IF EXISTS "Moderators can update ride submissions" ON public.ride_submissions;
DROP POLICY IF EXISTS "Moderators can view all ride submissions" ON public.ride_submissions;
DROP POLICY IF EXISTS "Moderators can update submission items" ON public.submission_items;
DROP POLICY IF EXISTS "Moderators can update submission items with MFA" ON public.submission_items;
DROP POLICY IF EXISTS "Moderators can update timeline submissions" ON public.timeline_event_submissions;
DROP POLICY IF EXISTS "Moderators can view all timeline submissions" ON public.timeline_event_submissions;

CREATE POLICY "Moderators can update photo submission items"
ON public.photo_submission_items FOR UPDATE
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Moderators can view all photo submission items"
ON public.photo_submission_items FOR SELECT
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Moderators can update photo submissions"
ON public.photo_submissions FOR UPDATE
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Moderators can view all photo submissions"
ON public.photo_submissions FOR SELECT
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Moderators can update profiles for banning"
ON public.profiles FOR UPDATE
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Moderators can view all profiles"
ON public.profiles FOR SELECT
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Moderators can update reports"
ON public.reports FOR UPDATE
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Moderators can update reports with MFA"
ON public.reports FOR UPDATE
TO authenticated
USING (is_moderator((SELECT auth.uid())) AND has_aal2());

CREATE POLICY "Moderators can view all reports"
ON public.reports FOR SELECT
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Moderators can update review status"
ON public.reviews FOR UPDATE
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Moderators can update ride model submissions"
ON public.ride_model_submissions FOR UPDATE
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Moderators can view all ride model submissions"
ON public.ride_model_submissions FOR SELECT
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Moderators can update ride submissions"
ON public.ride_submissions FOR UPDATE
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Moderators can view all ride submissions"
ON public.ride_submissions FOR SELECT
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Moderators can update submission items"
ON public.submission_items FOR UPDATE
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Moderators can update submission items with MFA"
ON public.submission_items FOR UPDATE
TO authenticated
USING (is_moderator((SELECT auth.uid())) AND has_aal2());

CREATE POLICY "Moderators can update timeline submissions"
ON public.timeline_event_submissions FOR UPDATE
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Moderators can view all timeline submissions"
ON public.timeline_event_submissions FOR SELECT
TO authenticated
USING (is_moderator((SELECT auth.uid())));

-- ============================================================================
-- AUDIT & NOTIFICATION TABLES
-- ============================================================================

DROP POLICY IF EXISTS "Moderators can view all audit logs" ON public.profile_audit_log;
DROP POLICY IF EXISTS "System can insert audit logs" ON public.profile_audit_log;
DROP POLICY IF EXISTS "Moderators can view all notification logs" ON public.notification_logs;
DROP POLICY IF EXISTS "Moderators can view all notification preferences" ON public.user_notification_preferences;
DROP POLICY IF EXISTS "Moderators can view all review deletions" ON public.review_deletions;
DROP POLICY IF EXISTS "Moderators can view all submission dependencies" ON public.submission_dependencies;
DROP POLICY IF EXISTS "Moderators can view test data registry" ON public.test_data_registry;

CREATE POLICY "Moderators can view all audit logs"
ON public.profile_audit_log FOR SELECT
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "System can insert audit logs"
ON public.profile_audit_log FOR INSERT
TO service_role
WITH CHECK (auth.role() = 'service_role');

CREATE POLICY "Moderators can view all notification logs"
ON public.notification_logs FOR SELECT
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Moderators can view all notification preferences"
ON public.user_notification_preferences FOR SELECT
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Moderators can view all review deletions"
ON public.review_deletions FOR SELECT
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Moderators can view all submission dependencies"
ON public.submission_dependencies FOR SELECT
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Moderators can view test data registry"
ON public.test_data_registry FOR SELECT
TO authenticated
USING (is_moderator((SELECT auth.uid())));

-- ============================================================================
-- LEGACY SUBMISSION TABLES
-- ============================================================================

DROP POLICY IF EXISTS "Moderators manage coaster stats" ON public.ride_coaster_stats;
DROP POLICY IF EXISTS "Moderators manage model tech specs" ON public.ride_model_technical_specifications;
DROP POLICY IF EXISTS "Moderators manage name history" ON public.ride_name_history;
DROP POLICY IF EXISTS "Moderators manage ride tech specs" ON public.ride_technical_specifications;

CREATE POLICY "Moderators manage coaster stats"
ON public.ride_coaster_stats FOR ALL
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Moderators manage model tech specs"
ON public.ride_model_technical_specifications FOR ALL
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Moderators manage name history"
ON public.ride_name_history FOR ALL
TO authenticated
USING (is_moderator((SELECT auth.uid())));

CREATE POLICY "Moderators manage ride tech specs"
ON public.ride_technical_specifications FOR ALL
TO authenticated
USING (is_moderator((SELECT auth.uid())));