-- Fix search_path security issue in superuser_release_all_locks function
CREATE OR REPLACE FUNCTION public.superuser_release_all_locks(p_superuser_id uuid)
RETURNS integer
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = 'public', 'auth'  -- Set immutable search path for security
AS $function$
DECLARE
  v_is_superuser BOOLEAN;
  v_released_count INTEGER;
  v_released_locks JSONB;
BEGIN
  -- Verify caller is actually a superuser
  SELECT EXISTS (
    SELECT 1 FROM public.user_roles 
    WHERE user_id = p_superuser_id 
    AND role = 'superuser'
  ) INTO v_is_superuser;
  
  IF NOT v_is_superuser THEN
    RAISE EXCEPTION 'Unauthorized: Only superusers can release all locks';
  END IF;
  
  -- Capture all locked submissions for audit
  SELECT jsonb_agg(
    jsonb_build_object(
      'submission_id', id,
      'assigned_to', assigned_to,
      'locked_until', locked_until,
      'submission_type', submission_type
    )
  ) INTO v_released_locks
  FROM public.content_submissions
  WHERE assigned_to IS NOT NULL 
    AND locked_until > NOW();
  
  -- Release all active locks
  UPDATE public.content_submissions
  SET 
    assigned_to = NULL,
    assigned_at = NULL,
    locked_until = NULL
  WHERE assigned_to IS NOT NULL 
    AND locked_until > NOW()
    AND status IN ('pending', 'partially_approved');
  
  GET DIAGNOSTICS v_released_count = ROW_COUNT;
  
  -- Log the bulk release
  IF v_released_count > 0 THEN
    PERFORM public.log_admin_action(
      p_superuser_id,
      NULL,
      'submission_locks_bulk_released',
      jsonb_build_object(
        'released_count', v_released_count,
        'released_locks', v_released_locks,
        'bulk_operation', true
      )
    );
  END IF;
  
  RETURN v_released_count;
END;
$function$;