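-- Project comments/discussion table.
-- user_id is the author; it is not declared as a foreign key here, so referential
-- integrity against the users table is not enforced by this migration.
CREATE TABLE public.project_comments (
    id          UUID        NOT NULL DEFAULT gen_random_uuid() PRIMARY KEY,
    project_id  UUID        NOT NULL REFERENCES public.projects(id) ON DELETE CASCADE,
    user_id     UUID        NOT NULL,
    content     TEXT        NOT NULL,
    created_at  TIMESTAMPTZ NOT NULL DEFAULT now(),
    updated_at  TIMESTAMPTZ NOT NULL DEFAULT now()
);

-- Supports the FK lookup and the per-project comment listing; the FK alone does not create an index.
CREATE INDEX project_comments_project_id_idx ON public.project_comments (project_id);

ALTER TABLE public.project_comments ENABLE ROW LEVEL SECURITY;

-- Project files table (metadata only; the bytes live in the storage bucket below).
CREATE TABLE public.project_files (
    id          UUID        NOT NULL DEFAULT gen_random_uuid() PRIMARY KEY,
    project_id  UUID        NOT NULL REFERENCES public.projects(id) ON DELETE CASCADE,
    user_id     UUID        NOT NULL,
    file_name   TEXT        NOT NULL,
    file_url    TEXT        NOT NULL,
    file_size   BIGINT,
    mime_type   TEXT,
    created_at  TIMESTAMPTZ NOT NULL DEFAULT now()
);

CREATE INDEX project_files_project_id_idx ON public.project_files (project_id);

ALTER TABLE public.project_files ENABLE ROW LEVEL SECURITY;

-- Storage bucket for project files.
-- NOTE(review): public = true means objects are readable by URL without authentication;
-- the storage SELECT policy below then only governs API listing/reads, not direct URL access.
-- Keep this only if every file in the bucket is meant to be world-readable.
INSERT INTO storage.buckets (id, name, public)
VALUES ('project-files', 'project-files', true);

-- Enable realtime for comments.
ALTER PUBLICATION supabase_realtime ADD TABLE public.project_comments;

-- RLS for project_comments: authenticated users can read all, insert/update/delete own.
CREATE POLICY "Authenticated users can read project comments"
    ON public.project_comments
    FOR SELECT
    TO authenticated
    USING (true);

CREATE POLICY "Authenticated users can insert own comments"
    ON public.project_comments
    FOR INSERT
    TO authenticated
    WITH CHECK (auth.uid() = user_id);

-- Explicit WITH CHECK so a comment cannot be re-assigned to another user_id on update
-- (Postgres applies USING to new rows when WITH CHECK is omitted; spelled out for clarity).
CREATE POLICY "Users can update own comments"
    ON public.project_comments
    FOR UPDATE
    TO authenticated
    USING (auth.uid() = user_id)
    WITH CHECK (auth.uid() = user_id);

CREATE POLICY "Users can delete own comments"
    ON public.project_comments
    FOR DELETE
    TO authenticated
    USING (auth.uid() = user_id);

-- RLS for project_files: authenticated users can read all, insert own.
CREATE POLICY "Authenticated users can read project files"
    ON public.project_files
    FOR SELECT
    TO authenticated
    USING (true);

CREATE POLICY "Authenticated users can upload files"
    ON public.project_files
    FOR INSERT
    TO authenticated
    WITH CHECK (auth.uid() = user_id);

CREATE POLICY "Users can delete own files"
    ON public.project_files
    FOR DELETE
    TO authenticated
    USING (auth.uid() = user_id);

-- Admin/manager can delete any file (permissive policies OR together with the own-file policy).
CREATE POLICY "Admins can delete any file"
    ON public.project_files
    FOR DELETE
    TO authenticated
    USING (public.has_role(auth.uid(), 'admin') OR public.has_role(auth.uid(), 'manager'));

-- Storage policies for project-files bucket.
CREATE POLICY "Authenticated users can read project files storage"
    ON storage.objects
    FOR SELECT
    TO authenticated
    USING (bucket_id = 'project-files');

-- Any authenticated user may upload; there is no per-user path or size restriction here.
CREATE POLICY "Authenticated users can upload project files storage"
    ON storage.objects
    FOR INSERT
    TO authenticated
    WITH CHECK (bucket_id = 'project-files');

-- Scoped to the object's owner: without the owner check, any authenticated user could
-- delete every object in the bucket, contradicting the policy name and the
-- "Users can delete own files" metadata policy above.
CREATE POLICY "Users can delete own project files storage"
    ON storage.objects
    FOR DELETE
    TO authenticated
    USING (bucket_id = 'project-files' AND owner = auth.uid());

-- Update projects RLS: drop old policy, add new ones allowing clients to create and view.
DROP POLICY IF EXISTS "Staff full access on projects" ON public.projects;

-- Admins/managers full access.
CREATE POLICY "Admin manager full access on projects"
    ON public.projects
    FOR ALL
    TO authenticated
    USING (public.has_role(auth.uid(), 'admin') OR public.has_role(auth.uid(), 'manager'))
    WITH CHECK (public.has_role(auth.uid(), 'admin') OR public.has_role(auth.uid(), 'manager'));

-- All authenticated can read projects.
CREATE POLICY "Authenticated users can view projects"
    ON public.projects
    FOR SELECT
    TO authenticated
    USING (true);

-- All authenticated can create projects; created_by must be the caller.
CREATE POLICY "Authenticated users can create projects"
    ON public.projects
    FOR INSERT
    TO authenticated
    WITH CHECK (auth.uid() = created_by);

-- Users can update own projects (but not status to completed - enforced in app).
-- NOTE(review): app-side enforcement does not bind clients that call the database API
-- directly; if that status transition must hold, enforce it in the database (e.g. a
-- trigger or a WITH CHECK on the status column) rather than only in the application.
-- WITH CHECK mirrors USING so created_by cannot be changed to another user on update.
CREATE POLICY "Users can update own projects"
    ON public.projects
    FOR UPDATE
    TO authenticated
    USING (auth.uid() = created_by)
    WITH CHECK (auth.uid() = created_by);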