
-- ============================================================
-- Map Layers & Pins RLS: replace the single FOR ALL policy on each
-- table with explicit INSERT / UPDATE / DELETE policies, each with
-- its own USING / WITH CHECK clause.
--
-- Note: Postgres reuses a FOR ALL policy's USING expression as its
-- WITH CHECK when none is given, so the split here is for per-command
-- explicitness (and so the rules can diverge later), not because
-- FOR ALL lacked a write check by itself. If the old policies were
-- failing in practice, record the actual cause here.
-- This migration defines no SELECT policy; read access is assumed to
-- be covered elsewhere.
-- ============================================================
-- Remove the previous FOR ALL policies so the per-command policies below
-- are the only write rules on these tables. IF EXISTS keeps the migration
-- re-runnable on databases where they were already dropped.
DROP POLICY IF EXISTS "Dept members and editors can manage map pins" ON map_pins;
DROP POLICY IF EXISTS "Dept members and editors can manage map layers" ON map_layers;
-- ── Map Layers ──
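-- INSERT on map_layers: the new row's department must be one the caller may
-- manage. A caller qualifies when they are an org_members row of the event's
-- org AND either hold an elevated org role or are assigned to that department
-- through event_member_departments.
-- Restricted TO authenticated so anon and other roles never reach the
-- predicate (auth.uid() is NULL for them, so the outcome is unchanged).
-- NOTE(review): assumes clients connect as the standard Supabase
-- `authenticated` role — confirm if custom JWT roles are in use.
-- NOTE(review): the department branch only applies to users who are ALSO
-- org members (the outer org_members join); event members outside the org
-- are denied — confirm this is intended.
-- NOTE(review): the department branch trusts event_member_departments to
-- link members only to departments of their own event; if that is not
-- enforced at the schema level, add an event match on `em` — confirm columns.
CREATE POLICY "Dept members and editors can insert map layers" ON map_layers
FOR INSERT TO authenticated
WITH CHECK (EXISTS (
    SELECT 1
    FROM event_departments ed
    JOIN events e ON e.id = ed.event_id
    JOIN org_members om ON om.org_id = e.org_id
    WHERE ed.id = map_layers.department_id
      -- (SELECT auth.uid()) is evaluated once per statement (initPlan)
      -- rather than once per candidate row
      AND om.user_id = (SELECT auth.uid())
      AND (
        om.role IN ('owner', 'admin', 'editor')
        OR EXISTS (
          SELECT 1
          FROM event_member_departments emd
          JOIN event_members em ON em.id = emd.event_member_id
          WHERE emd.department_id = ed.id
            AND em.user_id = (SELECT auth.uid())
        )
      )
));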
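-- UPDATE on map_layers. USING selects the existing rows the caller may
-- modify; WITH CHECK re-validates the row after modification, so
-- department_id can only be changed to another department the caller may
-- manage. Both clauses use the same predicate: caller is an org member of
-- the event's org AND (elevated org role OR assigned to the department).
-- Restricted TO authenticated so anon and other roles never reach the
-- predicate (auth.uid() is NULL for them, so the outcome is unchanged).
-- NOTE(review): assumes clients connect as the standard Supabase
-- `authenticated` role — confirm if custom JWT roles are in use.
-- NOTE(review): the department branch only applies to users who are ALSO
-- org members; event members outside the org are denied — confirm intent.
-- NOTE(review): the department branch trusts event_member_departments to
-- link members only to departments of their own event — confirm.
CREATE POLICY "Dept members and editors can update map layers" ON map_layers
FOR UPDATE TO authenticated
USING (EXISTS (
    SELECT 1
    FROM event_departments ed
    JOIN events e ON e.id = ed.event_id
    JOIN org_members om ON om.org_id = e.org_id
    WHERE ed.id = map_layers.department_id
      -- (SELECT auth.uid()) is evaluated once per statement (initPlan)
      AND om.user_id = (SELECT auth.uid())
      AND (
        om.role IN ('owner', 'admin', 'editor')
        OR EXISTS (
          SELECT 1
          FROM event_member_departments emd
          JOIN event_members em ON em.id = emd.event_member_id
          WHERE emd.department_id = ed.id
            AND em.user_id = (SELECT auth.uid())
        )
      )
))
WITH CHECK (EXISTS (
    SELECT 1
    FROM event_departments ed
    JOIN events e ON e.id = ed.event_id
    JOIN org_members om ON om.org_id = e.org_id
    WHERE ed.id = map_layers.department_id
      AND om.user_id = (SELECT auth.uid())
      AND (
        om.role IN ('owner', 'admin', 'editor')
        OR EXISTS (
          SELECT 1
          FROM event_member_departments emd
          JOIN event_members em ON em.id = emd.event_member_id
          WHERE emd.department_id = ed.id
            AND em.user_id = (SELECT auth.uid())
        )
      )
));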
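-- DELETE on map_layers: the caller may delete a layer when they are an
-- org member of the owning event's org AND either hold an elevated org role
-- or are assigned to the layer's department via event_member_departments.
-- Restricted TO authenticated so anon and other roles never reach the
-- predicate (auth.uid() is NULL for them, so the outcome is unchanged).
-- NOTE(review): assumes clients connect as the standard Supabase
-- `authenticated` role — confirm if custom JWT roles are in use.
-- NOTE(review): the department branch only applies to users who are ALSO
-- org members; event members outside the org are denied — confirm intent.
CREATE POLICY "Dept members and editors can delete map layers" ON map_layers
FOR DELETE TO authenticated
USING (EXISTS (
    SELECT 1
    FROM event_departments ed
    JOIN events e ON e.id = ed.event_id
    JOIN org_members om ON om.org_id = e.org_id
    WHERE ed.id = map_layers.department_id
      -- (SELECT auth.uid()) is evaluated once per statement (initPlan)
      AND om.user_id = (SELECT auth.uid())
      AND (
        om.role IN ('owner', 'admin', 'editor')
        OR EXISTS (
          SELECT 1
          FROM event_member_departments emd
          JOIN event_members em ON em.id = emd.event_member_id
          WHERE emd.department_id = ed.id
            AND em.user_id = (SELECT auth.uid())
        )
      )
));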
-- ── Map Pins ──
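-- INSERT on map_pins: the pin's target layer must belong to a department
-- the caller may manage — same rule as for layers, reached through
-- map_layers.department_id: org member of the event's org AND (elevated org
-- role OR assigned to that department via event_member_departments).
-- Restricted TO authenticated so anon and other roles never reach the
-- predicate (auth.uid() is NULL for them, so the outcome is unchanged).
-- NOTE(review): assumes clients connect as the standard Supabase
-- `authenticated` role — confirm if custom JWT roles are in use.
-- NOTE(review): this subquery runs with the caller's rights, so RLS on
-- map_layers (and the other referenced tables) applies to it; the caller
-- must be able to see the parent layer for the check to pass.
-- NOTE(review): the department branch only applies to users who are ALSO
-- org members; event members outside the org are denied — confirm intent.
CREATE POLICY "Dept members and editors can insert map pins" ON map_pins
FOR INSERT TO authenticated
WITH CHECK (EXISTS (
    SELECT 1
    FROM map_layers ml
    JOIN event_departments ed ON ed.id = ml.department_id
    JOIN events e ON e.id = ed.event_id
    JOIN org_members om ON om.org_id = e.org_id
    WHERE ml.id = map_pins.layer_id
      -- (SELECT auth.uid()) is evaluated once per statement (initPlan)
      AND om.user_id = (SELECT auth.uid())
      AND (
        om.role IN ('owner', 'admin', 'editor')
        OR EXISTS (
          SELECT 1
          FROM event_member_departments emd
          JOIN event_members em ON em.id = emd.event_member_id
          WHERE emd.department_id = ed.id
            AND em.user_id = (SELECT auth.uid())
        )
      )
));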
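-- UPDATE on map_pins. USING selects the existing pins the caller may modify
-- (by the current layer); WITH CHECK re-validates the row after modification,
-- so layer_id can only be changed to a layer whose department the caller may
-- also manage. Both clauses use the same predicate: org member of the event's
-- org AND (elevated org role OR assigned to the layer's department).
-- Restricted TO authenticated so anon and other roles never reach the
-- predicate (auth.uid() is NULL for them, so the outcome is unchanged).
-- NOTE(review): assumes clients connect as the standard Supabase
-- `authenticated` role — confirm if custom JWT roles are in use.
-- NOTE(review): the subqueries run with the caller's rights, so RLS on
-- map_layers and the other referenced tables applies to them.
-- NOTE(review): the department branch only applies to users who are ALSO
-- org members; event members outside the org are denied — confirm intent.
CREATE POLICY "Dept members and editors can update map pins" ON map_pins
FOR UPDATE TO authenticated
USING (EXISTS (
    SELECT 1
    FROM map_layers ml
    JOIN event_departments ed ON ed.id = ml.department_id
    JOIN events e ON e.id = ed.event_id
    JOIN org_members om ON om.org_id = e.org_id
    WHERE ml.id = map_pins.layer_id
      -- (SELECT auth.uid()) is evaluated once per statement (initPlan)
      AND om.user_id = (SELECT auth.uid())
      AND (
        om.role IN ('owner', 'admin', 'editor')
        OR EXISTS (
          SELECT 1
          FROM event_member_departments emd
          JOIN event_members em ON em.id = emd.event_member_id
          WHERE emd.department_id = ed.id
            AND em.user_id = (SELECT auth.uid())
        )
      )
))
WITH CHECK (EXISTS (
    SELECT 1
    FROM map_layers ml
    JOIN event_departments ed ON ed.id = ml.department_id
    JOIN events e ON e.id = ed.event_id
    JOIN org_members om ON om.org_id = e.org_id
    WHERE ml.id = map_pins.layer_id
      AND om.user_id = (SELECT auth.uid())
      AND (
        om.role IN ('owner', 'admin', 'editor')
        OR EXISTS (
          SELECT 1
          FROM event_member_departments emd
          JOIN event_members em ON em.id = emd.event_member_id
          WHERE emd.department_id = ed.id
            AND em.user_id = (SELECT auth.uid())
        )
      )
));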
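-- DELETE on map_pins: the caller may delete a pin when its layer belongs to
-- a department they may manage — org member of the event's org AND (elevated
-- org role OR assigned to that department via event_member_departments).
-- Restricted TO authenticated so anon and other roles never reach the
-- predicate (auth.uid() is NULL for them, so the outcome is unchanged).
-- NOTE(review): assumes clients connect as the standard Supabase
-- `authenticated` role — confirm if custom JWT roles are in use.
-- NOTE(review): the subquery runs with the caller's rights, so RLS on
-- map_layers and the other referenced tables applies to it.
-- NOTE(review): the department branch only applies to users who are ALSO
-- org members; event members outside the org are denied — confirm intent.
CREATE POLICY "Dept members and editors can delete map pins" ON map_pins
FOR DELETE TO authenticated
USING (EXISTS (
    SELECT 1
    FROM map_layers ml
    JOIN event_departments ed ON ed.id = ml.department_id
    JOIN events e ON e.id = ed.event_id
    JOIN org_members om ON om.org_id = e.org_id
    WHERE ml.id = map_pins.layer_id
      -- (SELECT auth.uid()) is evaluated once per statement (initPlan)
      AND om.user_id = (SELECT auth.uid())
      AND (
        om.role IN ('owner', 'admin', 'editor')
        OR EXISTS (
          SELECT 1
          FROM event_member_departments emd
          JOIN event_members em ON em.id = emd.event_member_id
          WHERE emd.department_id = ed.id
            AND em.user_id = (SELECT auth.uid())
        )
      )
));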