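-- Allow privileged backend contexts (service role / no JWT, e.g. the Buildium import) to update
-- finalized ARC applications, alongside admins. Client writes by non-admins remain blocked by RLS,
-- so this does not weaken the user-facing lock.
--
-- Trigger function for a row-level UPDATE trigger (it reads OLD.status and returns NEW).
-- Once an application's status is 'approved' or 'denied' (compared case-insensitively; a NULL
-- status counts as not finalized) only an exempt caller may change the row; any other caller
-- gets a check_violation error and the update is aborted.
--
-- Exempt callers:
--   * sessions with no request JWT at all (direct DB connections, migrations, scheduled jobs),
--   * PostgREST requests made with the service role key (JWT role claim = 'service_role'),
--   * end users that public.has_role() reports as 'admin'.
-- The exemption is keyed on the JWT role rather than on a missing auth.uid(): the anon key's
-- JWT has no `sub` claim, so auth.uid() is NULL for anon requests as well, and a uid-only check
-- would treat them as a backend context. Keying on the role keeps the trigger an independent
-- lock even if an RLS policy were ever to let an anon request reach it.
CREATE OR REPLACE FUNCTION public.prevent_updates_on_finalized_arc()
RETURNS trigger
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path TO 'public'
AS $function$
DECLARE
    -- Role claim of the request JWT; NULL when the session carries no JWT (direct connection).
    jwt_role text := auth.role();
BEGIN
    IF lower(COALESCE(OLD.status, '')) IN ('approved', 'denied') THEN
        -- Backend contexts: no JWT at all, or the service role key.
        IF jwt_role IS NULL OR jwt_role = 'service_role' THEN
            RETURN NEW;
        END IF;

        -- End users: only admins may touch a finalized application. The IS NOT NULL guard
        -- avoids asking has_role() about a missing uid (anon / unexpected JWT shapes).
        IF auth.uid() IS NOT NULL
           AND public.has_role(auth.uid(), 'admin'::public.app_role) THEN
            RETURN NEW;
        END IF;

        RAISE EXCEPTION 'This ARC application has been finalized (approved or denied) and is locked from further changes.'
            USING ERRCODE = 'check_violation';
    END IF;

    RETURN NEW;
END;
$function$;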