-- Fix search_path security warning for create_submission_with_items function -- Set explicit search_path to prevent search path manipulation attacks CREATE OR REPLACE FUNCTION create_submission_with_items( p_submission_id UUID, p_entity_type TEXT, p_action_type TEXT, p_items JSONB, p_user_id UUID ) RETURNS UUID LANGUAGE plpgsql SECURITY DEFINER SET search_path = public AS $$ DECLARE v_item JSONB; v_item_type TEXT; v_item_data JSONB; v_depends_on INTEGER; v_order_index INTEGER; v_created_ids UUID[] := ARRAY[]::UUID[]; v_submission_item_id UUID; BEGIN -- Loop through items array FOR v_item IN SELECT * FROM jsonb_array_elements(p_items) LOOP v_item_type := v_item->>'item_type'; v_item_data := v_item->'item_data'; v_depends_on := (v_item->>'depends_on')::INTEGER; v_order_index := (v_item->>'order_index')::INTEGER; -- Resolve dependency references IF v_depends_on IS NOT NULL THEN v_item_data := v_item_data || jsonb_build_object( v_item->>'dependency_field', v_created_ids[v_depends_on + 1] ); END IF; -- Create submission based on entity type IF v_item_type = 'park' THEN INSERT INTO park_submissions ( id, user_id, action_type, status, name, slug, description, opening_date, opening_date_precision, closing_date, closing_date_precision, status_park, website, park_type, operator_id, property_owner_id, location_id, temp_location_data, images ) VALUES ( COALESCE((v_item_data->>'id')::UUID, gen_random_uuid()), p_user_id, p_action_type, 'pending', v_item_data->>'name', v_item_data->>'slug', v_item_data->>'description', (v_item_data->>'opening_date')::DATE, v_item_data->>'opening_date_precision', (v_item_data->>'closing_date')::DATE, v_item_data->>'closing_date_precision', v_item_data->>'status_park', v_item_data->>'website', v_item_data->>'park_type', (v_item_data->>'operator_id')::UUID, (v_item_data->>'property_owner_id')::UUID, (v_item_data->>'location_id')::UUID, (v_item_data->'temp_location_data')::JSONB, (v_item_data->'images')::JSONB ) RETURNING id INTO v_submission_item_id; ELSIF v_item_type = 'ride' THEN INSERT INTO ride_submissions ( id, user_id, action_type, status, name, slug, description, opening_date, opening_date_precision, closing_date, closing_date_precision, status_ride, park_id, manufacturer_id, designer_id, model_id, images ) VALUES ( COALESCE((v_item_data->>'id')::UUID, gen_random_uuid()), p_user_id, p_action_type, 'pending', v_item_data->>'name', v_item_data->>'slug', v_item_data->>'description', (v_item_data->>'opening_date')::DATE, v_item_data->>'opening_date_precision', (v_item_data->>'closing_date')::DATE, v_item_data->>'closing_date_precision', v_item_data->>'status_ride', (v_item_data->>'park_id')::UUID, (v_item_data->>'manufacturer_id')::UUID, (v_item_data->>'designer_id')::UUID, (v_item_data->>'model_id')::UUID, (v_item_data->'images')::JSONB ) RETURNING id INTO v_submission_item_id; ELSIF v_item_type = 'operator' THEN INSERT INTO operator_submissions ( id, user_id, action_type, status, name, slug, description, website, images ) VALUES ( COALESCE((v_item_data->>'id')::UUID, gen_random_uuid()), p_user_id, p_action_type, 'pending', v_item_data->>'name', v_item_data->>'slug', v_item_data->>'description', v_item_data->>'website', (v_item_data->'images')::JSONB ) RETURNING id INTO v_submission_item_id; ELSIF v_item_type = 'property_owner' THEN INSERT INTO property_owner_submissions ( id, user_id, action_type, status, name, slug, description, website, images ) VALUES ( COALESCE((v_item_data->>'id')::UUID, gen_random_uuid()), p_user_id, p_action_type, 'pending', v_item_data->>'name', v_item_data->>'slug', v_item_data->>'description', v_item_data->>'website', (v_item_data->'images')::JSONB ) RETURNING id INTO v_submission_item_id; ELSIF v_item_type = 'manufacturer' THEN INSERT INTO manufacturer_submissions ( id, user_id, action_type, status, name, slug, description, website, images ) VALUES ( COALESCE((v_item_data->>'id')::UUID, gen_random_uuid()), p_user_id, p_action_type, 'pending', v_item_data->>'name', v_item_data->>'slug', v_item_data->>'description', v_item_data->>'website', (v_item_data->'images')::JSONB ) RETURNING id INTO v_submission_item_id; ELSIF v_item_type = 'designer' THEN INSERT INTO designer_submissions ( id, user_id, action_type, status, name, slug, description, website, images ) VALUES ( COALESCE((v_item_data->>'id')::UUID, gen_random_uuid()), p_user_id, p_action_type, 'pending', v_item_data->>'name', v_item_data->>'slug', v_item_data->>'description', v_item_data->>'website', (v_item_data->'images')::JSONB ) RETURNING id INTO v_submission_item_id; ELSE RAISE EXCEPTION 'Unsupported item type: %', v_item_type; END IF; -- Track created IDs in order v_created_ids := array_append(v_created_ids, v_submission_item_id); -- Create submission_items record to link everything INSERT INTO submission_items ( submission_id, item_type, item_id, order_index ) VALUES ( p_submission_id, v_item_type, v_submission_item_id, v_order_index ); END LOOP; RETURN p_submission_id; END; $$;