-- Migration: rebuild the moderator RLS policies so that the MFA condition is
-- evaluated by block_aal1_with_mfa() rather than by querying auth.mfa_factors
-- directly inside each policy expression. The direct queries failed with
-- "permission denied for table mfa_factors".
--
-- Every policy below has the same shape: it applies TO authenticated only and
-- passes only when is_moderator(auth.uid()) AND block_aal1_with_mfa() both hold.
--
-- Review notes:
--   * NOTE(review): block_aal1_with_mfa() and is_moderator() are not defined in
--     this file. block_aal1_with_mfa() is presumably SECURITY DEFINER (that
--     would explain why it can read auth.mfa_factors when the calling role
--     cannot) - confirm, and confirm that it pins its search_path and that it
--     denies access when the session's assurance level cannot be determined.
--   * No AS clause is given, so these are PERMISSIVE policies (the PostgreSQL
--     default). Permissive policies for the same table and command are OR-ed
--     together, so the MFA condition gates only the access granted here; it
--     does not constrain any other policy defined on these tables.
--   * Both helper functions are called without a schema qualifier and are
--     resolved through the search_path in effect when CREATE POLICY runs.
--     TODO confirm the migration runner's search_path resolves them to the
--     intended functions.
--   * Each policy is dropped and then re-created. A failure part-way through
--     leaves the remaining tables on their previous policies, so this file
--     should run inside a single transaction - TODO confirm the migration
--     runner does that.

-- ------------------------------------------
-- submission_items
-- ------------------------------------------
DROP POLICY IF EXISTS "Moderators can delete submission items"
    ON public.submission_items;

CREATE POLICY "Moderators can delete submission items"
    ON public.submission_items
    FOR DELETE
    TO authenticated
    USING (
        is_moderator(auth.uid())
        AND block_aal1_with_mfa()
    );

DROP POLICY IF EXISTS "Moderators can insert submission items"
    ON public.submission_items;

-- INSERT has no existing row to test, so the condition is a WITH CHECK on the
-- row being written.
CREATE POLICY "Moderators can insert submission items"
    ON public.submission_items
    FOR INSERT
    TO authenticated
    WITH CHECK (
        is_moderator(auth.uid())
        AND block_aal1_with_mfa()
    );

-- ------------------------------------------
-- park_submissions
-- ------------------------------------------
DROP POLICY IF EXISTS "Moderators can delete park submissions"
    ON public.park_submissions;

CREATE POLICY "Moderators can delete park submissions"
    ON public.park_submissions
    FOR DELETE
    TO authenticated
    USING (
        is_moderator(auth.uid())
        AND block_aal1_with_mfa()
    );

DROP POLICY IF EXISTS "Moderators can update park submissions"
    ON public.park_submissions;

-- Only USING is given: for UPDATE, PostgreSQL applies the USING expression as
-- the WITH CHECK as well, so the new row version is tested against the same
-- condition.
CREATE POLICY "Moderators can update park submissions"
    ON public.park_submissions
    FOR UPDATE
    TO authenticated
    USING (
        is_moderator(auth.uid())
        AND block_aal1_with_mfa()
    );

DROP POLICY IF EXISTS "Moderators can view all park submissions"
    ON public.park_submissions;

CREATE POLICY "Moderators can view all park submissions"
    ON public.park_submissions
    FOR SELECT
    TO authenticated
    USING (
        is_moderator(auth.uid())
        AND block_aal1_with_mfa()
    );

-- ------------------------------------------
-- ride_submissions
-- ------------------------------------------
DROP POLICY IF EXISTS "Moderators can delete ride submissions"
    ON public.ride_submissions;

CREATE POLICY "Moderators can delete ride submissions"
    ON public.ride_submissions
    FOR DELETE
    TO authenticated
    USING (
        is_moderator(auth.uid())
        AND block_aal1_with_mfa()
    );

DROP POLICY IF EXISTS "Moderators can update ride submissions"
    ON public.ride_submissions;

-- USING only; it also serves as the WITH CHECK for the updated row.
CREATE POLICY "Moderators can update ride submissions"
    ON public.ride_submissions
    FOR UPDATE
    TO authenticated
    USING (
        is_moderator(auth.uid())
        AND block_aal1_with_mfa()
    );

DROP POLICY IF EXISTS "Moderators can view all ride submissions"
    ON public.ride_submissions;

CREATE POLICY "Moderators can view all ride submissions"
    ON public.ride_submissions
    FOR SELECT
    TO authenticated
    USING (
        is_moderator(auth.uid())
        AND block_aal1_with_mfa()
    );

-- ------------------------------------------
-- photo_submissions
-- ------------------------------------------
DROP POLICY IF EXISTS "Moderators can delete photo submissions"
    ON public.photo_submissions;

CREATE POLICY "Moderators can delete photo submissions"
    ON public.photo_submissions
    FOR DELETE
    TO authenticated
    USING (
        is_moderator(auth.uid())
        AND block_aal1_with_mfa()
    );