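-- Fix all association-scoped policies to include staff bypass
--
-- Every SELECT policy below grants a row to an authenticated user when either:
--   * has_role(auth.uid(), 'admin'::app_role) or has_role(auth.uid(), 'manager'::app_role)
--     is true -- the "staff bypass": staff see the rows of every association,
--     not only the ones they belong to; or
--   * the row's association_id (read directly, or from the parent row for the
--     join-based tables) is in the set returned by get_user_association_ids().
-- The policies are created as the default PERMISSIVE kind, so they are OR'ed
-- with any other policy that may already exist on the same table (none are
-- visible in this file; confirm none of them is broader than intended).
-- Every CREATE POLICY is preceded by DROP POLICY IF EXISTS for the *same* name,
-- so this migration can be re-run without "policy ... already exists" errors.

-- billable_expenses
DROP POLICY IF EXISTS "Users can view own association billable expenses" ON public.billable_expenses;
CREATE POLICY "Users can view own association billable expenses"
    ON public.billable_expenses
    FOR SELECT
    TO authenticated
    USING (
        has_role(auth.uid(), 'admin'::app_role)
        OR has_role(auth.uid(), 'manager'::app_role)
        OR association_id IN (SELECT get_user_association_ids())
    );

-- annual_meetings
DROP POLICY IF EXISTS "Users can view own association annual meetings" ON public.annual_meetings;
CREATE POLICY "Users can view own association annual meetings"
    ON public.annual_meetings
    FOR SELECT
    TO authenticated
    USING (
        has_role(auth.uid(), 'admin'::app_role)
        OR has_role(auth.uid(), 'manager'::app_role)
        OR association_id IN (SELECT get_user_association_ids())
    );

-- journal_entries
DROP POLICY IF EXISTS "Users can view own association journal entries" ON public.journal_entries;
CREATE POLICY "Users can view own association journal entries"
    ON public.journal_entries
    FOR SELECT
    TO authenticated
    USING (
        has_role(auth.uid(), 'admin'::app_role)
        OR has_role(auth.uid(), 'manager'::app_role)
        OR association_id IN (SELECT get_user_association_ids())
    );

-- parking_records
DROP POLICY IF EXISTS "Users can view own association parking records" ON public.parking_records;
CREATE POLICY "Users can view own association parking records"
    ON public.parking_records
    FOR SELECT
    TO authenticated
    USING (
        has_role(auth.uid(), 'admin'::app_role)
        OR has_role(auth.uid(), 'manager'::app_role)
        OR association_id IN (SELECT get_user_association_ids())
    );

-- projects
DROP POLICY IF EXISTS "Users can view own association projects" ON public.projects;
CREATE POLICY "Users can view own association projects"
    ON public.projects
    FOR SELECT
    TO authenticated
    USING (
        has_role(auth.uid(), 'admin'::app_role)
        OR has_role(auth.uid(), 'manager'::app_role)
        OR association_id IN (SELECT get_user_association_ids())
    );

-- unit_timeline_events
DROP POLICY IF EXISTS "Users can view own association timeline events" ON public.unit_timeline_events;
CREATE POLICY "Users can view own association timeline events"
    ON public.unit_timeline_events
    FOR SELECT
    TO authenticated
    USING (
        has_role(auth.uid(), 'admin'::app_role)
        OR has_role(auth.uid(), 'manager'::app_role)
        OR association_id IN (SELECT get_user_association_ids())
    );

-- document_validation_proofs
DROP POLICY IF EXISTS "Users can view own association proofs" ON public.document_validation_proofs;
CREATE POLICY "Users can view own association proofs"
    ON public.document_validation_proofs
    FOR SELECT
    TO authenticated
    USING (
        has_role(auth.uid(), 'admin'::app_role)
        OR has_role(auth.uid(), 'manager'::app_role)
        OR association_id IN (SELECT get_user_association_ids())
    );

-- board_resources
-- Inactive resources stay hidden from everyone, staff included: the is_active
-- filter is AND'ed outside the bypass/association disjunction on purpose.
DROP POLICY IF EXISTS "Users can view own association board resources" ON public.board_resources;
CREATE POLICY "Users can view own association board resources"
    ON public.board_resources
    FOR SELECT
    TO authenticated
    USING (
        is_active = true
        AND (
            has_role(auth.uid(), 'admin'::app_role)
            OR has_role(auth.uid(), 'manager'::app_role)
            OR association_id IN (SELECT get_user_association_ids())
        )
    );

-- arc_application_comments (join-based)
-- The comment row carries no association_id; it is resolved through the
-- parent arc_applications row.
DROP POLICY IF EXISTS "Users can view own association arc comments" ON public.arc_application_comments;
CREATE POLICY "Users can view own association arc comments"
    ON public.arc_application_comments
    FOR SELECT
    TO authenticated
    USING (
        has_role(auth.uid(), 'admin'::app_role)
        OR has_role(auth.uid(), 'manager'::app_role)
        OR EXISTS (
            SELECT 1
            FROM public.arc_applications AS a
            WHERE a.id = arc_application_comments.application_id
              AND a.association_id IN (SELECT get_user_association_ids())
        )
    );

-- arc_application_votes (join-based)
DROP POLICY IF EXISTS "Users can view own association arc votes" ON public.arc_application_votes;
CREATE POLICY "Users can view own association arc votes"
    ON public.arc_application_votes
    FOR SELECT
    TO authenticated
    USING (
        has_role(auth.uid(), 'admin'::app_role)
        OR has_role(auth.uid(), 'manager'::app_role)
        OR EXISTS (
            SELECT 1
            FROM public.arc_applications AS a
            WHERE a.id = arc_application_votes.application_id
              AND a.association_id IN (SELECT get_user_association_ids())
        )
    );

-- bill_comments (join-based)
DROP POLICY IF EXISTS "Users can view own association bill comments" ON public.bill_comments;
CREATE POLICY "Users can view own association bill comments"
    ON public.bill_comments
    FOR SELECT
    TO authenticated
    USING (
        has_role(auth.uid(), 'admin'::app_role)
        OR has_role(auth.uid(), 'manager'::app_role)
        OR EXISTS (
            SELECT 1
            FROM public.bills AS b
            WHERE b.id = bill_comments.bill_id
              AND b.association_id IN (SELECT get_user_association_ids())
        )
    );

-- board_vote_responses (join-based)
DROP POLICY IF EXISTS "Users can view own association vote responses" ON public.board_vote_responses;
CREATE POLICY "Users can view own association vote responses"
    ON public.board_vote_responses
    FOR SELECT
    TO authenticated
    USING (
        has_role(auth.uid(), 'admin'::app_role)
        OR has_role(auth.uid(), 'manager'::app_role)
        OR EXISTS (
            SELECT 1
            FROM public.board_votes AS bv
            WHERE bv.id = board_vote_responses.board_vote_id
              AND bv.association_id IN (SELECT get_user_association_ids())
        )
    );

-- project_comments (join-based)
DROP POLICY IF EXISTS "Users can view own association project comments" ON public.project_comments;
CREATE POLICY "Users can view own association project comments"
    ON public.project_comments
    FOR SELECT
    TO authenticated
    USING (
        has_role(auth.uid(), 'admin'::app_role)
        OR has_role(auth.uid(), 'manager'::app_role)
        OR EXISTS (
            SELECT 1
            FROM public.projects AS p
            WHERE p.id = project_comments.project_id
              AND p.association_id IN (SELECT get_user_association_ids())
        )
    );

-- project_files (join-based)
DROP POLICY IF EXISTS "Users can view own association project files" ON public.project_files;
CREATE POLICY "Users can view own association project files"
    ON public.project_files
    FOR SELECT
    TO authenticated
    USING (
        has_role(auth.uid(), 'admin'::app_role)
        OR has_role(auth.uid(), 'manager'::app_role)
        OR EXISTS (
            SELECT 1
            FROM public.projects AS p
            WHERE p.id = project_files.project_id
              AND p.association_id IN (SELECT get_user_association_ids())
        )
    );

-- bank_accounts - also needs staff bypass (was overly restricted)
-- The policy is renamed, so both the old and the new name are dropped first;
-- dropping only the old name would make a re-run fail on the new one.
-- This FOR ALL policy grants nothing to non-staff members; if members are
-- meant to read their own association's accounts, that needs a separate
-- SELECT policy (none is visible in this file).
DROP POLICY IF EXISTS "Staff full access on own association bank_accounts" ON public.bank_accounts;
DROP POLICY IF EXISTS "Staff full access on bank_accounts" ON public.bank_accounts;
CREATE POLICY "Staff full access on bank_accounts"
    ON public.bank_accounts
    FOR ALL
    TO authenticated
    USING (
        has_role(auth.uid(), 'admin'::app_role)
        OR has_role(auth.uid(), 'manager'::app_role)
    )
    WITH CHECK (
        has_role(auth.uid(), 'admin'::app_role)
        OR has_role(auth.uid(), 'manager'::app_role)
    );

-- chart_of_accounts - previously USING (true); narrowed to staff, the user's
-- own associations, and rows with no association_id. Rows whose
-- association_id IS NULL stay visible to every authenticated user
-- (presumably shared/global accounts -- confirm that is intended).
-- The policy is renamed, so both the old and the new name are dropped first.
DROP POLICY IF EXISTS "Authenticated users can view chart_of_accounts" ON public.chart_of_accounts;
DROP POLICY IF EXISTS "Users can view chart of accounts" ON public.chart_of_accounts;
CREATE POLICY "Users can view chart of accounts"
    ON public.chart_of_accounts
    FOR SELECT
    TO authenticated
    USING (
        has_role(auth.uid(), 'admin'::app_role)
        OR has_role(auth.uid(), 'manager'::app_role)
        OR association_id IN (SELECT get_user_association_ids())
        OR association_id IS NULL
    );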