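-- Migration 009: production RLS policies
--
-- ⚠️ MANDATORY PREREQUISITE before running:
-- Insert an admin profile for YOUR current user. If you skip this you will be
-- locked out and unable to reach the data.
--
-- Run FIRST (replace the email):
--   INSERT INTO public.user_profiles (id, email, role)
--   SELECT id, email, 'admin' FROM auth.users
--   WHERE email = 'your-email@example.com'
--   ON CONFLICT (id) DO NOTHING;
--
-- Verify that you have access BEFORE continuing.
--
-- NOTE(review): every policy below delegates to public.get_user_role(), which is
-- defined in an earlier migration and not visible here. Confirm that it is
-- SECURITY DEFINER (so it can read user_profiles regardless of that table's
-- RLS), STABLE (so the planner evaluates it once per statement, not per row),
-- and has a pinned search_path — a SECURITY DEFINER function with an unpinned
-- search_path is a privilege-escalation vector.

-- Fail fast instead of locking everyone out: the prerequisite above must have
-- been applied. This is the same check the header asks you to do by hand.
DO $$
BEGIN
    IF NOT EXISTS (SELECT 1 FROM public.user_profiles WHERE role = 'admin') THEN
        RAISE EXCEPTION 'Migration 009 aborted: no admin row in public.user_profiles (see header)';
    END IF;
END
$$;

-- ────────────────────────────────────────────────────────────
-- TABLE: reservations
-- ────────────────────────────────────────────────────────────

-- Policies are inert unless RLS is enabled on the table. No-op if already on.
ALTER TABLE public.reservations ENABLE ROW LEVEL SECURITY;

-- Drop the open dev-mode policies
DROP POLICY IF EXISTS "Enable read access for all users" ON public.reservations;
DROP POLICY IF EXISTS "Enable insert for all users" ON public.reservations;
DROP POLICY IF EXISTS "Enable update for all users" ON public.reservations;
DROP POLICY IF EXISTS "Enable delete for all users" ON public.reservations;

-- Postgres has no CREATE POLICY IF NOT EXISTS; drop our own names first so the
-- migration can be re-run without failing half-way (and leaving the table with
-- the dev policies gone and the staff policies missing).
DROP POLICY IF EXISTS "Staff: full read" ON public.reservations;
DROP POLICY IF EXISTS "Staff: insert" ON public.reservations;
DROP POLICY IF EXISTS "Staff: update" ON public.reservations;
DROP POLICY IF EXISTS "Staff: delete" ON public.reservations;

-- admin and internal_staff: full access to the table
CREATE POLICY "Staff: full read" ON public.reservations
    FOR SELECT TO authenticated
    USING (public.get_user_role() IN ('admin', 'internal_staff'));

CREATE POLICY "Staff: insert" ON public.reservations
    FOR INSERT TO authenticated
    WITH CHECK (public.get_user_role() IN ('admin', 'internal_staff'));

-- USING gates which rows may be targeted; WITH CHECK gates the resulting row,
-- so a staff member cannot update a row into a state only a non-staff could own.
CREATE POLICY "Staff: update" ON public.reservations
    FOR UPDATE TO authenticated
    USING (public.get_user_role() IN ('admin', 'internal_staff'))
    WITH CHECK (public.get_user_role() IN ('admin', 'internal_staff'));

CREATE POLICY "Staff: delete" ON public.reservations
    FOR DELETE TO authenticated
    USING (public.get_user_role() IN ('admin', 'internal_staff'));

-- external_availability_viewer: NO direct access to the reservations table.
-- It reads only through the reservations_availability view (migration 008).
-- NOTE(review): that design only works if the view runs with its owner's
-- privileges (the Postgres default, security_invoker = off) — such a view
-- bypasses the policies above, so keep its column list minimal and grant
-- SELECT on it only to the roles that need it. Confirm in migration 008.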
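-- ────────────────────────────────────────────────────────────
-- TABLE: reservation_contracts
-- ────────────────────────────────────────────────────────────

-- Policies are inert unless RLS is enabled on the table. No-op if already on.
ALTER TABLE public.reservation_contracts ENABLE ROW LEVEL SECURITY;

DROP POLICY IF EXISTS "Temp: authenticated can manage contracts" ON public.reservation_contracts;
-- Drop our own name too so the migration is re-runnable (no CREATE POLICY IF NOT EXISTS).
DROP POLICY IF EXISTS "Staff: manage contracts" ON public.reservation_contracts;

-- admin and internal_staff: full access (FOR ALL covers SELECT/INSERT/UPDATE/DELETE)
CREATE POLICY "Staff: manage contracts" ON public.reservation_contracts
    FOR ALL TO authenticated
    USING (public.get_user_role() IN ('admin', 'internal_staff'))
    WITH CHECK (public.get_user_role() IN ('admin', 'internal_staff'));

-- ────────────────────────────────────────────────────────────
-- TABLE: notification_events
-- ────────────────────────────────────────────────────────────

ALTER TABLE public.notification_events ENABLE ROW LEVEL SECURITY;

DROP POLICY IF EXISTS "Temp: authenticated can read notifications" ON public.notification_events;
DROP POLICY IF EXISTS "Admin: read notifications" ON public.notification_events;

-- Only admins may read; no INSERT/UPDATE/DELETE policy exists for
-- authenticated, so RLS denies those by default.
CREATE POLICY "Admin: read notifications" ON public.notification_events
    FOR SELECT TO authenticated
    USING (public.get_user_role() = 'admin');

-- The API writes notification_events as service_role (bypasses RLS).

-- ────────────────────────────────────────────────────────────
-- TABLE: user_profiles
-- ────────────────────────────────────────────────────────────

-- The existing policy "Users can read own profile" is kept; make sure RLS is
-- actually on, otherwise that policy filters nothing. No-op if already enabled.
ALTER TABLE public.user_profiles ENABLE ROW LEVEL SECURITY;

-- The API manages profiles as service_role.
-- NOTE(review): this table is the source of truth for get_user_role(). Verify
-- that no policy grants authenticated users INSERT or UPDATE on it — a user who
-- can write their own `role` column can promote themselves to admin. Only the
-- read-own-profile policy is referenced here; check the earlier migration.

-- ────────────────────────────────────────────────────────────
-- REVOKE anonymous access to all tables
-- ────────────────────────────────────────────────────────────
REVOKE ALL ON public.reservations FROM anon;
REVOKE ALL ON public.reservation_contracts FROM anon;
REVOKE ALL ON public.notification_events FROM anon;
REVOKE ALL ON public.user_profiles FROM anon;

-- NOTE(review): this covers only the four tables above. If migration 008
-- granted anon SELECT on the reservations_availability view, revoke it there
-- as well, and check ALTER DEFAULT PRIVILEGES so anon is not re-granted on
-- tables created later.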