-- Phase 1: Critical Security Fixes for Sacred Pipeline
-- Fix 1.1: Attach ban prevention trigger to content_submissions
CREATE TRIGGER prevent_banned_submissions
  BEFORE INSERT ON content_submissions
  FOR EACH ROW
  EXECUTE FUNCTION prevent_banned_user_submissions();

-- Fix 1.2: Add RLS policy to prevent banned users from submitting
CREATE POLICY "Banned users cannot submit"
ON content_submissions
FOR INSERT
TO authenticated
WITH CHECK (
  NOT EXISTS (
    SELECT 1 FROM profiles
    WHERE user_id = auth.uid() AND banned = true
  )
);