DROP POLICY IF EXISTS "Staff can upload check signatures" ON storage.objects;
DROP POLICY IF EXISTS "Staff can update check signatures" ON storage.objects;
DROP POLICY IF EXISTS "Staff can delete check signatures" ON storage.objects;

CREATE POLICY "Staff can upload check signatures"
ON storage.objects FOR INSERT TO authenticated
WITH CHECK (
  bucket_id = 'check-signatures'
  AND (
    public.has_role(auth.uid(), 'admin'::public.app_role)
    OR public.has_role(auth.uid(), 'manager'::public.app_role)
    OR public.has_role(auth.uid(), 'staff'::public.app_role)
    OR public.has_role(auth.uid(), 'employee'::public.app_role)
    OR public.has_role(auth.uid(), 'management'::public.app_role)
    OR public.has_role(auth.uid(), 'association_management'::public.app_role)
  )
);

CREATE POLICY "Staff can update check signatures"
ON storage.objects FOR UPDATE TO authenticated
USING (
  bucket_id = 'check-signatures'
  AND (
    public.has_role(auth.uid(), 'admin'::public.app_role)
    OR public.has_role(auth.uid(), 'manager'::public.app_role)
    OR public.has_role(auth.uid(), 'staff'::public.app_role)
    OR public.has_role(auth.uid(), 'employee'::public.app_role)
    OR public.has_role(auth.uid(), 'management'::public.app_role)
    OR public.has_role(auth.uid(), 'association_management'::public.app_role)
  )
);

CREATE POLICY "Staff can delete check signatures"
ON storage.objects FOR DELETE TO authenticated
USING (
  bucket_id = 'check-signatures'
  AND (
    public.has_role(auth.uid(), 'admin'::public.app_role)
    OR public.has_role(auth.uid(), 'manager'::public.app_role)
    OR public.has_role(auth.uid(), 'staff'::public.app_role)
    OR public.has_role(auth.uid(), 'employee'::public.app_role)
    OR public.has_role(auth.uid(), 'management'::public.app_role)
    OR public.has_role(auth.uid(), 'association_management'::public.app_role)
  )
);