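-- ============================================
-- IMMEDIATE FIX FOR RLS ISSUES
-- Run this SQL directly in Supabase Studio SQL Editor
-- ============================================
--
-- What this script does:
--   1. Replaces any service_role policies on storage.objects with four
--      unconditional ones (SELECT / INSERT / UPDATE / DELETE).
--   2. Replaces any service_role policies on public.members with a single
--      unconditional FOR ALL policy.
--   3. Creates or updates the 'avatars' and 'documents' storage buckets.
--   4. Attempts to give service_role the BYPASSRLS attribute (best effort).
--   5. Prints the resulting policies, bucket visibility and role attribute.
--
-- NOTE(review): every policy below is unconditional (USING (true)), so anything
-- that connects as service_role has full access to these tables. They are
-- scoped TO service_role and do not widen access for other roles, but the
-- service_role credential has to stay on the server side only.
--
-- NOTE(review): on Supabase, service_role normally already carries BYPASSRLS
-- (the last query in Step 5 shows whether it does here). If it does and
-- requests still fail RLS, the request is probably not running as service_role
-- at all, e.g. a user session token is being sent instead of the service key.
-- Confirm that before relying on these policies.

-- =====================
-- STEP 1: FIX STORAGE.OBJECTS POLICIES
-- =====================

-- Drop any existing service_role policies with various names, so the CREATE
-- statements below cannot collide with an older variant of this fix.
DROP POLICY IF EXISTS "Service role can insert avatars" ON storage.objects;
DROP POLICY IF EXISTS "Service role can update avatars" ON storage.objects;
DROP POLICY IF EXISTS "Service role can delete avatars" ON storage.objects;
DROP POLICY IF EXISTS "Service role can read avatars" ON storage.objects;
DROP POLICY IF EXISTS "service_role_insert_avatars" ON storage.objects;
DROP POLICY IF EXISTS "service_role_update_avatars" ON storage.objects;
DROP POLICY IF EXISTS "service_role_delete_avatars" ON storage.objects;
DROP POLICY IF EXISTS "service_role_select_avatars" ON storage.objects;
DROP POLICY IF EXISTS "service_role_all_select" ON storage.objects;
DROP POLICY IF EXISTS "service_role_all_insert" ON storage.objects;
DROP POLICY IF EXISTS "service_role_all_update" ON storage.objects;
DROP POLICY IF EXISTS "service_role_all_delete" ON storage.objects;

-- Create universal service_role policies for ALL storage operations.
-- These apply to every bucket, not only 'avatars' and 'documents'.
CREATE POLICY "service_role_all_select" ON storage.objects
    FOR SELECT
    TO service_role
    USING (true);

CREATE POLICY "service_role_all_insert" ON storage.objects
    FOR INSERT
    TO service_role
    WITH CHECK (true);

-- No WITH CHECK here: PostgreSQL then applies the USING expression to the
-- updated row as well, so updates are unrestricted in both directions.
CREATE POLICY "service_role_all_update" ON storage.objects
    FOR UPDATE
    TO service_role
    USING (true);

CREATE POLICY "service_role_all_delete" ON storage.objects
    FOR DELETE
    TO service_role
    USING (true);

-- Grant permissions.
-- NOTE(review): GRANT ALL also covers TRUNCATE, REFERENCES and TRIGGER. If the
-- backend only reads and writes rows, SELECT, INSERT, UPDATE, DELETE is the
-- narrower grant; kept as ALL here to preserve the original behaviour.
GRANT ALL ON storage.objects TO service_role;
GRANT ALL ON storage.buckets TO service_role;
GRANT USAGE ON SCHEMA storage TO service_role;

-- =====================
-- STEP 2: FIX PUBLIC.MEMBERS POLICIES
-- =====================

-- Drop any existing service_role policies on members
DROP POLICY IF EXISTS "service_role_all_members" ON public.members;
DROP POLICY IF EXISTS "service_role_select_members" ON public.members;
DROP POLICY IF EXISTS "service_role_insert_members" ON public.members;
DROP POLICY IF EXISTS "service_role_update_members" ON public.members;
DROP POLICY IF EXISTS "service_role_delete_members" ON public.members;

-- Create universal service_role policy for members table
CREATE POLICY "service_role_all_members" ON public.members
    FOR ALL
    TO service_role
    USING (true)
    WITH CHECK (true);

-- Grant permissions (same least-privilege remark as for the storage grants).
GRANT ALL ON public.members TO service_role;

-- =====================
-- STEP 3: ENSURE STORAGE BUCKETS EXIST
-- =====================
-- NOTE(review): a public bucket serves its objects to anyone who has the URL,
-- without an authorization check on download. Both upserts below also force
-- public = true on conflict, so re-running this script turns an existing
-- private bucket with the same id back into a public one.

-- Avatars bucket (public), 5 MiB per file, images only.
INSERT INTO storage.buckets (id, name, public, file_size_limit, allowed_mime_types)
VALUES (
    'avatars',
    'avatars',
    true,
    5242880,
    ARRAY['image/jpeg', 'image/png', 'image/webp', 'image/gif']
)
ON CONFLICT (id) DO UPDATE SET
    public = true,
    file_size_limit = EXCLUDED.file_size_limit,
    allowed_mime_types = EXCLUDED.allowed_mime_types;

-- Documents bucket (public for direct URL access - visibility controlled at app level),
-- 50 MiB per file.
-- NOTE(review): app-level visibility rules decide which links the app shows;
-- they do not stop a direct request to an object URL in a public bucket. If any
-- document must stay restricted to certain members, this bucket needs to be
-- private and served through signed URLs or an authenticated download path.
INSERT INTO storage.buckets (id, name, public, file_size_limit, allowed_mime_types)
VALUES (
    'documents',
    'documents',
    true,
    52428800,
    ARRAY[
        'application/pdf',
        'application/msword',
        'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
        'application/vnd.ms-excel',
        'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
        'application/vnd.ms-powerpoint',
        'application/vnd.openxmlformats-officedocument.presentationml.presentation',
        'text/plain',
        'text/csv',
        'application/json',
        'image/jpeg',
        'image/png',
        'image/webp',
        'image/gif'
    ]
)
ON CONFLICT (id) DO UPDATE SET
    public = true,
    file_size_limit = EXCLUDED.file_size_limit,
    allowed_mime_types = EXCLUDED.allowed_mime_types;

-- =====================
-- STEP 4: TRY TO GRANT BYPASSRLS (may fail, that's OK)
-- =====================
-- BYPASSRLS makes the role skip row-level security on every table, not only the
-- ones touched above. The attempt stays best effort: a failure never aborts the
-- script, because the explicit policies from Steps 1 and 2 remain in place.
DO $$
BEGIN
    ALTER ROLE service_role BYPASSRLS;
    RAISE NOTICE 'SUCCESS: Granted BYPASSRLS to service_role';
EXCEPTION
    WHEN insufficient_privilege THEN
        RAISE NOTICE 'INFO: Could not grant BYPASSRLS (using explicit policies instead)';
    WHEN OTHERS THEN
        -- Report the real error instead of claiming the attribute is "not
        -- needed or already set": any other failure (for example a missing
        -- role) would otherwise be hidden behind a reassuring message.
        RAISE WARNING 'Could not grant BYPASSRLS to service_role: % (SQLSTATE %)', SQLERRM, SQLSTATE;
END $$;

-- =====================
-- STEP 5: VERIFY SETUP
-- =====================

-- Check service_role policies on storage.objects
SELECT
    policyname,
    permissive,
    roles,
    cmd,
    qual,
    with_check
FROM pg_policies
WHERE schemaname = 'storage'
    AND tablename = 'objects'
    AND 'service_role' = ANY(roles)
ORDER BY policyname;

-- Check service_role policies on public.members
SELECT
    policyname,
    permissive,
    roles,
    cmd,
    qual,
    with_check
FROM pg_policies
WHERE schemaname = 'public'
    AND tablename = 'members'
    AND 'service_role' = ANY(roles)
ORDER BY policyname;

-- Check which of the two buckets ended up publicly readable
SELECT
    id,
    public
FROM storage.buckets
WHERE id IN ('avatars', 'documents')
ORDER BY id;

-- Check if service_role has BYPASSRLS
SELECT
    rolname,
    rolbypassrls
FROM pg_roles
WHERE rolname = 'service_role';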