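-- =====================================================
-- RLS POLICIES FOR platform_settings TABLE
-- =====================================================
-- This fixes the empty JSON response when non-admin users
-- try to access branding settings (logo, favicon, colors)
-- =====================================================

-- Step 1: Enable RLS on platform_settings (if not already enabled)
ALTER TABLE platform_settings ENABLE ROW LEVEL SECURITY;

-- Step 2: Drop existing policies (if any)
-- Every policy created in Step 3 is dropped here first so the script can be
-- re-run without failing on "policy already exists". The legacy
-- "Anyone can view platform settings" name is dropped as well so that no
-- older read policy is left behind.
DROP POLICY IF EXISTS "Anyone can view platform settings" ON platform_settings;
DROP POLICY IF EXISTS "Public can view platform settings" ON platform_settings;
DROP POLICY IF EXISTS "Authenticated can view platform settings" ON platform_settings;
DROP POLICY IF EXISTS "Admins can update platform settings" ON platform_settings;
DROP POLICY IF EXISTS "Admins can insert platform settings" ON platform_settings;
DROP POLICY IF EXISTS "Admins can delete platform settings" ON platform_settings;

-- Step 3: Create policies

-- Policy 1: Allow ANYONE (including public) to SELECT platform_settings
-- This is needed for branding to work on public pages
-- NOTE(review): USING (true) exposes every row and every column of
-- platform_settings to unauthenticated clients. Confirm the table holds only
-- values that are meant to be public (logo, favicon, colors); anything secret
-- (API keys, mail credentials, feature toggles) belongs in a separate table
-- that is not publicly readable.
CREATE POLICY "Public can view platform settings"
    ON platform_settings
    FOR SELECT
    TO public
    USING (true);

-- Policy 2: Allow authenticated users to SELECT platform_settings
-- In PostgreSQL, TO public already applies to every role, so this policy is
-- redundant with Policy 1; it is kept so the intent stays explicit.
CREATE POLICY "Authenticated can view platform settings"
    ON platform_settings
    FOR SELECT
    TO authenticated
    USING (true);

-- NOTE(review) for Policies 3-5: the admin check reads profiles with the
-- caller's own privileges, so RLS on profiles must let a user read their own
-- row, otherwise the EXISTS is always false. profiles.role must also not be
-- writable by the user it describes, or any signed-in user could make
-- themselves admin. The profiles policies are not visible here: confirm both.

-- Policy 3: Allow admins to UPDATE platform_settings
-- WITH CHECK repeats the USING condition. PostgreSQL applies USING to the new
-- row anyway when WITH CHECK is omitted; spelling it out keeps that visible.
CREATE POLICY "Admins can update platform settings"
    ON platform_settings
    FOR UPDATE
    TO authenticated
    USING (
        EXISTS (
            SELECT 1
            FROM profiles
            WHERE profiles.id = auth.uid()
              AND profiles.role = 'admin'
        )
    )
    WITH CHECK (
        EXISTS (
            SELECT 1
            FROM profiles
            WHERE profiles.id = auth.uid()
              AND profiles.role = 'admin'
        )
    );

-- Policy 4: Allow admins to INSERT platform_settings
CREATE POLICY "Admins can insert platform settings"
    ON platform_settings
    FOR INSERT
    TO authenticated
    WITH CHECK (
        EXISTS (
            SELECT 1
            FROM profiles
            WHERE profiles.id = auth.uid()
              AND profiles.role = 'admin'
        )
    );

-- Policy 5: Allow admins to DELETE platform_settings
CREATE POLICY "Admins can delete platform settings"
    ON platform_settings
    FOR DELETE
    TO authenticated
    USING (
        EXISTS (
            SELECT 1
            FROM profiles
            WHERE profiles.id = auth.uid()
              AND profiles.role = 'admin'
        )
    );

-- =====================================================
-- VERIFICATION
-- =====================================================

-- Test as public (should return data)
-- Run this in a new SQL window without authentication:
-- NOTE: the table owner, superusers and roles with BYPASSRLS are not subject
-- to RLS, so a result obtained from an admin SQL console does not prove the
-- policy works. Repeat the read through the client API without a user
-- session, or after switching the session to the unauthenticated role
-- (on Supabase: SET ROLE anon; ... RESET ROLE;).
SELECT * FROM platform_settings;

-- Check current policies
SELECT
    schemaname,
    tablename,
    policyname,
    permissive,
    roles,
    cmd,
    qual,
    with_check
FROM pg_policies
WHERE tablename = 'platform_settings';

-- =====================================================
-- ALTERNATIVE: Simpler policies (if profile check doesn't work)
-- =====================================================
-- If the above policies don't work, use these simpler versions:
-- WARNING: these policies let EVERY signed-in user change or delete the
-- platform-wide settings, which removes the admin boundary entirely. Use them
-- only as a short-lived diagnostic on a non-production database, then restore
-- Policies 3-5. If the admin check never matches, the usual cause is RLS on
-- profiles hiding the caller's own row; fix that instead.

-- DROP POLICY IF EXISTS "Admins can update platform settings" ON platform_settings;
-- DROP POLICY IF EXISTS "Admins can insert platform settings" ON platform_settings;
-- DROP POLICY IF EXISTS "Admins can delete platform settings" ON platform_settings;
--
-- -- Allow all authenticated users to modify (less secure, but works)
-- CREATE POLICY "Authenticated can update platform settings"
--     ON platform_settings FOR UPDATE
--     TO authenticated
--     USING (true)
--     WITH CHECK (true);
--
-- CREATE POLICY "Authenticated can insert platform settings"
--     ON platform_settings FOR INSERT
--     TO authenticated
--     WITH CHECK (true);
--
-- CREATE POLICY "Authenticated can delete platform settings"
--     ON platform_settings FOR DELETE
--     TO authenticated
--     USING (true);

-- =====================================================
-- TROUBLESHOOTING
-- =====================================================

-- Check if RLS is enabled
SELECT
    schemaname,
    tablename,
    rowsecurity
FROM pg_tables
WHERE tablename = 'platform_settings';

-- Check if table has data
SELECT COUNT(*) AS row_count
FROM platform_settings;

-- Check current user
-- NOTE: auth.uid() is NULL when the session carries no JWT claims (for
-- example a direct database connection), in which case the profile lookup
-- below returns no rows regardless of the policies.
SELECT auth.uid();

SELECT *
FROM profiles
WHERE id = auth.uid();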