acmcc/supabase/migrations/20260317163948_7db012dd-5f9c-4e5b-9a54-d469582a0c07.sql
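-- Project comments/discussion table.
-- One row per comment by user_id on project_id; rows go away with their project.
-- NOTE(review): user_id carries no FOREIGN KEY (presumably auth.users or a profiles
-- table — confirm); the only thing binding it to a real user is the RLS below, which
-- ties it to auth.uid() on INSERT/UPDATE.
-- NOTE(review): updated_at only has a DEFAULT; nothing in this file maintains it on
-- UPDATE, so add a trigger if the app expects it to change.
CREATE TABLE public.project_comments (
    id UUID NOT NULL DEFAULT gen_random_uuid()
        CONSTRAINT project_comments_pkey PRIMARY KEY,
    project_id UUID NOT NULL
        CONSTRAINT project_comments_project_id_fk
        REFERENCES public.projects(id) ON DELETE CASCADE,
    user_id UUID NOT NULL,
    -- Reject blank / whitespace-only comments at the database boundary, not only in the app.
    content TEXT NOT NULL
        CONSTRAINT project_comments_content_check CHECK (btrim(content) <> ''),
    created_at TIMESTAMPTZ NOT NULL DEFAULT now(),
    updated_at TIMESTAMPTZ NOT NULL DEFAULT now()
);
-- FK columns are not indexed automatically; a project's thread is read by project_id.
CREATE INDEX project_comments_project_id_idx ON public.project_comments (project_id);
-- Deny-by-default once enabled; access is granted only by the policies later in this file.
ALTER TABLE public.project_comments ENABLE ROW LEVEL SECURITY;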
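-- Project files table: metadata for objects uploaded to the project-files bucket.
-- NOTE(review): user_id has no FOREIGN KEY (presumably auth.users or a profiles
-- table — confirm); it is bound to auth.uid() only through the INSERT policy below.
-- NOTE(review): file_url is stored as free text; if it is a public-bucket URL it is
-- readable by anyone who obtains it, independently of this table's RLS.
CREATE TABLE public.project_files (
    id UUID NOT NULL DEFAULT gen_random_uuid()
        CONSTRAINT project_files_pkey PRIMARY KEY,
    project_id UUID NOT NULL
        CONSTRAINT project_files_project_id_fk
        REFERENCES public.projects(id) ON DELETE CASCADE,
    user_id UUID NOT NULL,
    file_name TEXT NOT NULL,
    file_url TEXT NOT NULL,
    -- Size in bytes as reported by the uploader; NULL when unknown, never negative.
    file_size BIGINT
        CONSTRAINT project_files_file_size_check CHECK (file_size >= 0),
    -- Client-supplied content type; treat as untrusted when deciding how to serve the file.
    mime_type TEXT,
    created_at TIMESTAMPTZ NOT NULL DEFAULT now()
);
-- FK columns are not indexed automatically; a project's file list is read by project_id.
CREATE INDEX project_files_project_id_idx ON public.project_files (project_id);
-- Deny-by-default once enabled; access is granted only by the policies later in this file.
ALTER TABLE public.project_files ENABLE ROW LEVEL SECURITY;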
-- Storage bucket for project files.
-- NOTE(review): public = true means every object in this bucket can be fetched by
-- anyone holding its URL, with no session; the SELECT policy on storage.objects
-- below governs authenticated listing/reads but presumably not those public-URL
-- fetches. If project files are not meant to be world-readable, make this a private
-- bucket and hand out signed URLs instead of storing a public file_url.
INSERT INTO storage.buckets (id, name, public) VALUES ('project-files', 'project-files', true);
-- Enable realtime for comments: adding the table to the supabase_realtime
-- publication streams its row changes to subscribed clients.
-- NOTE(review): the comments SELECT policy below is USING (true) for every
-- authenticated user, so every authenticated subscriber can receive every
-- project's comments — confirm that matches the intended visibility.
ALTER PUBLICATION supabase_realtime ADD TABLE public.project_comments;
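-- RLS for project_comments: authenticated users can read all, insert own.
-- Read access is not scoped to a project the caller belongs to — every
-- authenticated user sees every comment on every project.
-- NOTE(review): confirm cross-project visibility is intended; if not, the USING
-- predicate should join back to the caller's projects.
CREATE POLICY "Authenticated users can read project comments"
ON public.project_comments FOR SELECT TO authenticated USING (true);
-- New comments must be attributed to the caller; user_id cannot be spoofed.
CREATE POLICY "Authenticated users can insert own comments"
ON public.project_comments FOR INSERT TO authenticated
WITH CHECK (auth.uid() = user_id);
-- Owners may edit their comments. WITH CHECK repeats the USING predicate so the
-- row cannot be reassigned to another user_id on update (this is also the implicit
-- behaviour when WITH CHECK is omitted; spelling it out keeps the intent visible).
-- NOTE(review): project_id is not pinned, so an owner can move a comment to another
-- project; use a trigger if that must be prevented.
CREATE POLICY "Users can update own comments"
ON public.project_comments FOR UPDATE TO authenticated
USING (auth.uid() = user_id)
WITH CHECK (auth.uid() = user_id);
-- Owners may delete their own comments; there is no admin override on this table.
CREATE POLICY "Users can delete own comments"
ON public.project_comments FOR DELETE TO authenticated
USING (auth.uid() = user_id);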
-- RLS for project_files: authenticated users can read all, insert own.
-- Read access is not scoped by project: every authenticated user sees every
-- file row. NOTE(review): confirm this cross-project visibility is intended.
CREATE POLICY "Authenticated users can read project files"
ON public.project_files FOR SELECT TO authenticated USING (true);
-- New rows must be attributed to the caller; user_id cannot be spoofed.
CREATE POLICY "Authenticated users can upload files"
ON public.project_files FOR INSERT TO authenticated
WITH CHECK (auth.uid() = user_id);
-- No UPDATE policy is defined, so file metadata is immutable to the authenticated
-- role once inserted (only a row delete + re-insert changes it).
-- The two DELETE policies below are both permissive and are OR-ed together by Postgres.
CREATE POLICY "Users can delete own files"
ON public.project_files FOR DELETE TO authenticated
USING (auth.uid() = user_id);
-- Admin/manager can delete any file (row). NOTE(review): deleting the row does not
-- remove the object from the storage bucket — nothing in this file links the two,
-- so orphaned objects remain unless the app or a trigger cleans them up.
CREATE POLICY "Admins can delete any file"
ON public.project_files FOR DELETE TO authenticated
USING (public.has_role(auth.uid(), 'admin') OR public.has_role(auth.uid(), 'manager'));
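-- Storage policies for the project-files bucket (rows of storage.objects).
-- NOTE(review): the bucket is created public above, so this SELECT policy governs
-- authenticated listing/reads but presumably not anonymous public-URL fetches.
CREATE POLICY "Authenticated users can read project files storage"
ON storage.objects FOR SELECT TO authenticated
USING (bucket_id = 'project-files');
-- Any authenticated user may upload into the bucket, matching the project_files INSERT policy.
-- No UPDATE policy exists, so overwriting an existing object path is not permitted.
CREATE POLICY "Authenticated users can upload project files storage"
ON storage.objects FOR INSERT TO authenticated
WITH CHECK (bucket_id = 'project-files');
-- Deletion is limited to the uploader — storage records the uploading user's uid in
-- owner — or to an admin/manager, mirroring the two DELETE policies on
-- public.project_files. A bare bucket_id check here would let any authenticated
-- user delete every object in the bucket, contradicting the policy's name.
-- NOTE(review): newer storage schemas also carry owner_id (text); switch to it if
-- owner is ever dropped.
CREATE POLICY "Users can delete own project files storage"
ON storage.objects FOR DELETE TO authenticated
USING (
    bucket_id = 'project-files'
    AND (
        owner = auth.uid()
        OR public.has_role(auth.uid(), 'admin')
        OR public.has_role(auth.uid(), 'manager')
    )
);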
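-- Update projects RLS: drop the old blanket staff policy and replace it with
-- role-scoped policies so clients can create and view projects.
DROP POLICY IF EXISTS "Staff full access on projects" ON public.projects;
-- Admins/managers: full access to every row for every command.
CREATE POLICY "Admin manager full access on projects"
ON public.projects FOR ALL TO authenticated
USING (public.has_role(auth.uid(), 'admin') OR public.has_role(auth.uid(), 'manager'))
WITH CHECK (public.has_role(auth.uid(), 'admin') OR public.has_role(auth.uid(), 'manager'));
-- Every authenticated user can read every project.
-- NOTE(review): this is not limited to the caller's own projects; confirm that
-- cross-user visibility of all projects is intended.
CREATE POLICY "Authenticated users can view projects"
ON public.projects FOR SELECT TO authenticated
USING (true);
-- Anyone authenticated can create a project, but only as themselves (created_by).
CREATE POLICY "Authenticated users can create projects"
ON public.projects FOR INSERT TO authenticated
WITH CHECK (auth.uid() = created_by);
-- Owners may update their own projects. WITH CHECK repeats the USING predicate so
-- the row cannot be handed to another created_by (this is also the implicit
-- behaviour when WITH CHECK is omitted; spelling it out keeps the intent visible).
-- NOTE(review): the rule "owners may not set status to completed" is enforced only
-- in the app. Since this policy grants the authenticated role direct UPDATE on every
-- column (presumably reachable through the API), that rule is bypassable; enforce it
-- in the database — a BEFORE UPDATE trigger, or a column-level grant that withholds
-- the status column from non-admins — if it matters.
CREATE POLICY "Users can update own projects"
ON public.projects FOR UPDATE TO authenticated
USING (auth.uid() = created_by)
WITH CHECK (auth.uid() = created_by);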