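-- SECURITY UPDATES
-- This script strengthens the RLS policies by enforcing 'admin' role checks
-- instead of just checking if the user is authenticated.
--
-- Admin membership is decided by the caller's own row in profiles having
-- role = 'admin'. NOTE(review): that check is only as strong as the write
-- protection on profiles.role -- confirm no policy lets a user update the
-- role column of their own profile, or every policy below is bypassable.
--
-- The script is written to be re-runnable:
--   * Postgres has no CREATE POLICY IF NOT EXISTS, so each policy that is
--     created is first dropped with IF EXISTS (the original only dropped the
--     OLD names, so a second run failed on the first CREATE POLICY).
--   * ALTER TABLE ... ENABLE ROW LEVEL SECURITY is a no-op when RLS is
--     already on; without it the policies would be inert, so it is explicit.
--
-- Each policy is scoped TO authenticated: for anon callers auth.uid() is NULL
-- and the EXISTS would be false anyway, so the outcome is unchanged, but the
-- subquery is not evaluated for them at all.
-- auth.uid() is wrapped as (SELECT auth.uid()) so the planner evaluates it
-- once per statement instead of once per candidate row.
-- UPDATE policies spell out WITH CHECK even though Postgres defaults it to the
-- USING expression, so the rule applied to the new row version is visible.

-- 1. PRODUCTS TABLE
ALTER TABLE products ENABLE ROW LEVEL SECURITY;

-- Drop existing loose policies
DROP POLICY IF EXISTS "Authenticated users can insert products." ON products;
DROP POLICY IF EXISTS "Authenticated users can update products." ON products;
DROP POLICY IF EXISTS "Authenticated users can delete products." ON products;

-- Drop the strict policies as well so the script can be re-run without error
DROP POLICY IF EXISTS "Admins can insert products" ON products;
DROP POLICY IF EXISTS "Admins can update products" ON products;
DROP POLICY IF EXISTS "Admins can delete products" ON products;

-- Create strict admin policies
CREATE POLICY "Admins can insert products" ON products
    FOR INSERT
    TO authenticated
    WITH CHECK (
        EXISTS (
            SELECT 1
            FROM profiles
            WHERE profiles.id = (SELECT auth.uid())
              AND profiles.role = 'admin'
        )
    );

CREATE POLICY "Admins can update products" ON products
    FOR UPDATE
    TO authenticated
    USING (
        EXISTS (
            SELECT 1
            FROM profiles
            WHERE profiles.id = (SELECT auth.uid())
              AND profiles.role = 'admin'
        )
    )
    WITH CHECK (
        EXISTS (
            SELECT 1
            FROM profiles
            WHERE profiles.id = (SELECT auth.uid())
              AND profiles.role = 'admin'
        )
    );

CREATE POLICY "Admins can delete products" ON products
    FOR DELETE
    TO authenticated
    USING (
        EXISTS (
            SELECT 1
            FROM profiles
            WHERE profiles.id = (SELECT auth.uid())
              AND profiles.role = 'admin'
        )
    );

-- 2. CUSTOMERS TABLE
ALTER TABLE customers ENABLE ROW LEVEL SECURITY;

-- Drop existing loose policies (if they match the previous loose pattern)
DROP POLICY IF EXISTS "Admins can insert customers" ON customers;
DROP POLICY IF EXISTS "Admins can update customers" ON customers;
DROP POLICY IF EXISTS "Admins can delete customers" ON customers;

-- Drop the strict policies as well so the script can be re-run without error
DROP POLICY IF EXISTS "Strict Admin Insert Customers" ON customers;
DROP POLICY IF EXISTS "Strict Admin Update Customers" ON customers;
DROP POLICY IF EXISTS "Strict Admin Delete Customers" ON customers;

-- Re-create strict policies (just to be sure, ensuring the subquery check is present)
CREATE POLICY "Strict Admin Insert Customers" ON customers
    FOR INSERT
    TO authenticated
    WITH CHECK (
        EXISTS (
            SELECT 1
            FROM profiles
            WHERE profiles.id = (SELECT auth.uid())
              AND profiles.role = 'admin'
        )
    );

CREATE POLICY "Strict Admin Update Customers" ON customers
    FOR UPDATE
    TO authenticated
    USING (
        EXISTS (
            SELECT 1
            FROM profiles
            WHERE profiles.id = (SELECT auth.uid())
              AND profiles.role = 'admin'
        )
    )
    WITH CHECK (
        EXISTS (
            SELECT 1
            FROM profiles
            WHERE profiles.id = (SELECT auth.uid())
              AND profiles.role = 'admin'
        )
    );

CREATE POLICY "Strict Admin Delete Customers" ON customers
    FOR DELETE
    TO authenticated
    USING (
        EXISTS (
            SELECT 1
            FROM profiles
            WHERE profiles.id = (SELECT auth.uid())
              AND profiles.role = 'admin'
        )
    );

-- 3. SITE CONTENTS TABLE
ALTER TABLE site_contents ENABLE ROW LEVEL SECURITY;

-- Drop existing loose policies
DROP POLICY IF EXISTS "Admin update access" ON site_contents;
DROP POLICY IF EXISTS "Admin insert access" ON site_contents;

-- Drop the strict policies as well so the script can be re-run without error
DROP POLICY IF EXISTS "Strict Admin Update Site Contents" ON site_contents;
DROP POLICY IF EXISTS "Strict Admin Insert Site Contents" ON site_contents;

CREATE POLICY "Strict Admin Update Site Contents" ON site_contents
    FOR UPDATE
    TO authenticated
    USING (
        EXISTS (
            SELECT 1
            FROM profiles
            WHERE profiles.id = (SELECT auth.uid())
              AND profiles.role = 'admin'
        )
    )
    WITH CHECK (
        EXISTS (
            SELECT 1
            FROM profiles
            WHERE profiles.id = (SELECT auth.uid())
              AND profiles.role = 'admin'
        )
    );

CREATE POLICY "Strict Admin Insert Site Contents" ON site_contents
    FOR INSERT
    TO authenticated
    WITH CHECK (
        EXISTS (
            SELECT 1
            FROM profiles
            WHERE profiles.id = (SELECT auth.uid())
              AND profiles.role = 'admin'
        )
    );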