-- Migration: replace the moderator RLS policies on public.content_submissions.
-- The previous policies were broken because they queried auth.mfa_factors
-- directly; the replacements go through has_mfa_enabled() instead.
--
-- NOTE(review): is_moderator(), has_mfa_enabled() and has_aal2() are defined
-- outside this file. Presumably has_mfa_enabled() is SECURITY DEFINER so it can
-- read auth.mfa_factors on behalf of the caller; confirm that, and that it pins
-- search_path.
-- NOTE(review): if the migration runner does not wrap this file in a
-- transaction, moderators have no policy-granted access between the DROPs and
-- the CREATEs (fails closed, assuming RLS is enabled on the table); confirm.

-- Step 1: remove every policy this migration supersedes. IF EXISTS keeps the
-- file re-runnable. "Moderators can update submissions with MFA" is dropped and
-- not recreated under that name; the UPDATE rule returns below as
-- "Moderators can update submissions".
DROP POLICY IF EXISTS "Moderators can view all submissions"
    ON public.content_submissions;

DROP POLICY IF EXISTS "Moderators can update submissions"
    ON public.content_submissions;

DROP POLICY IF EXISTS "Moderators can update submissions with MFA"
    ON public.content_submissions;

DROP POLICY IF EXISTS "Moderators can delete submissions with MFA"
    ON public.content_submissions;

-- Step 2: recreate the policies on top of has_mfa_enabled().
-- No AS RESTRICTIVE clause is given, so each policy is PERMISSIVE: it grants
-- access and is OR-ed with any other permissive policy for the same command on
-- this table. The MFA conditions below limit only what these policies grant.

-- SELECT: the caller must be a moderator. AAL2 is demanded only when
-- has_mfa_enabled() is true for the caller; a moderator for whom it is false
-- passes this policy without has_aal2().
CREATE POLICY "Moderators can view all submissions"
    ON public.content_submissions
    FOR SELECT
    TO authenticated
    USING (
        is_moderator(auth.uid())
        AND (NOT has_mfa_enabled(auth.uid()) OR has_aal2())
    );

-- UPDATE: same predicate as SELECT, applied both to the rows that may be
-- targeted (USING) and to the row values after the change (WITH CHECK).
CREATE POLICY "Moderators can update submissions"
    ON public.content_submissions
    FOR UPDATE
    TO authenticated
    USING (
        is_moderator(auth.uid())
        AND (NOT has_mfa_enabled(auth.uid()) OR has_aal2())
    )
    WITH CHECK (
        is_moderator(auth.uid())
        AND (NOT has_mfa_enabled(auth.uid()) OR has_aal2())
    );

-- DELETE: stricter than SELECT/UPDATE. has_aal2() is required unconditionally,
-- so a moderator for whom has_aal2() is false cannot delete through this policy.
CREATE POLICY "Moderators can delete submissions with MFA"
    ON public.content_submissions
    FOR DELETE
    TO authenticated
    USING (
        is_moderator(auth.uid())
        AND has_aal2()
    );