-- Row-level security policies for public.announcements.
--
-- SELECT: a row must be 'active'; the admin/manager/employee roles see every
--         active row, everyone else sees only rows whose association_id is in
--         their own association list.
-- UPDATE / DELETE: admin or manager only. Employees count as "staff" for
--         reading above but are deliberately excluded from writes here.
--
-- NOTE(review): these are ordinary PERMISSIVE policies, so any other permissive
-- policy still attached to the table for the same command is OR-ed with them;
-- the DROP statements below remove only the three named policies.
-- NOTE(review): public.has_role() and public.get_user_association_ids() are
-- defined elsewhere; they are presumed to be SECURITY DEFINER with a pinned
-- search_path so their own lookups are not blocked by RLS — confirm against
-- their definitions.
-- NOTE(review): Postgres also applies the SELECT policy to UPDATE/DELETE
-- statements whose WHERE or RETURNING clause reads the row, so staff cannot
-- reach non-'active' rows through these policies — confirm that is intended.

-- SELECT: replace the flat "any authenticated user" read with the scoped one.
DROP POLICY IF EXISTS "Authenticated users can read active announcements"
    ON public.announcements;

CREATE POLICY "Authenticated users can read scoped announcements"
    ON public.announcements
    FOR SELECT
    TO authenticated
    USING (
        status = 'active'
        AND (
            -- staff roles: every active announcement
            public.has_role(auth.uid(), 'admin')
            OR public.has_role(auth.uid(), 'manager')
            OR public.has_role(auth.uid(), 'employee')
            -- everyone else: only announcements of their own associations
            OR association_id IN (SELECT public.get_user_association_ids())
        )
    );

-- UPDATE: authors lose the ability to edit their own rows; admin/manager only.
DROP POLICY IF EXISTS "Authors can update their announcements"
    ON public.announcements;

CREATE POLICY "Staff can update announcements"
    ON public.announcements
    FOR UPDATE
    TO authenticated
    USING (
        public.has_role(auth.uid(), 'admin')
        OR public.has_role(auth.uid(), 'manager')
    )
    -- Spelled out explicitly: when WITH CHECK is omitted Postgres reuses the
    -- USING expression for it, so this changes nothing, but it makes the
    -- write-side rule visible to the next reader.
    WITH CHECK (
        public.has_role(auth.uid(), 'admin')
        OR public.has_role(auth.uid(), 'manager')
    );

-- DELETE: same restriction as UPDATE.
DROP POLICY IF EXISTS "Authors can delete their announcements"
    ON public.announcements;

CREATE POLICY "Staff can delete announcements"
    ON public.announcements
    FOR DELETE
    TO authenticated
    USING (
        public.has_role(auth.uid(), 'admin')
        OR public.has_role(auth.uid(), 'manager')
    );