@nextblock-cms/db 0.2.26 → 0.2.28

package/supabase/migrations/20250514171615_create_navigation_table.sql

@@ -1,56 +0,0 @@
--- lowercase sql
-
-do $$
-begin
-  if not exists (select 1 from pg_type where typname = 'menu_location') then
-    create type public.menu_location as enum ('HEADER', 'FOOTER', 'SIDEBAR');
-  end if;
-end
-$$;
-
-create table public.navigation_items (
-  id bigint generated by default as identity primary key,
-  language_id bigint not null references public.languages(id) on delete cascade,
-  menu_key public.menu_location not null,
-  label text not null,
-  url text not null,
-  parent_id bigint references public.navigation_items(id) on delete cascade,
-  "order" integer not null default 0,
-  page_id bigint references public.pages(id) on delete set null,
-  created_at timestamp with time zone not null default now(),
-  updated_at timestamp with time zone not null default now()
-);
-
-comment on table public.navigation_items is 'stores navigation menu items.';
-comment on column public.navigation_items.menu_key is 'identifies the menu this item belongs to.';
-
-create index idx_navigation_items_menu_lang_order on public.navigation_items (menu_key, language_id, "order");
-
-alter table public.navigation_items enable row level security;
-
-create policy "navigation_is_publicly_readable"
-on public.navigation_items for select
-to anon, authenticated
-using (true);
-
-create policy "admins_can_manage_navigation"
-on public.navigation_items for all
-to authenticated
-using (public.get_current_user_role() = 'ADMIN')
-with check (public.get_current_user_role() = 'ADMIN');
-
-create or replace function public.handle_navigation_items_update()
-returns trigger
-language plpgsql
-security definer set search_path = public
-as $$
-begin
-  new.updated_at = now();
-  return new;
-end;
-$$;
-
-create trigger on_navigation_items_update
-  before update on public.navigation_items
-  for each row
-  execute procedure public.handle_navigation_items_update();

package/supabase/migrations/20250514171627_rls_policies_for_content_tables.sql

@@ -1,70 +0,0 @@
--- supabase/migrations/YYYYMMDDHHMMSS_rls_policies_for_content_tables.sql
--- lowercase sql
-
-begin;
-
---
--- Pages Table RLS
---
-alter table public.pages enable row level security;
-
-drop policy if exists "authors_writers_admins_can_read_own_or_all_drafts" on public.pages;
--- allow authenticated users (authors, writers, admins) to read their own or all non-published pages
-create policy "authors_writers_admins_can_read_own_or_all_drafts"
-on public.pages for select
-to authenticated
-using (
-  (status <> 'published' and author_id = auth.uid()) or -- author can read their own non-published
-  (status <> 'published' and public.get_current_user_role() in ('ADMIN', 'WRITER')) -- admins/writers can read all non-published
-);
-
---
--- Posts Table RLS
---
-alter table public.posts enable row level security;
-
-drop policy if exists "authors_writers_admins_can_read_own_or_all_draft_posts" on public.posts;
--- allow authenticated users (authors, writers, admins) to read their own or all non-published posts
-create policy "authors_writers_admins_can_read_own_or_all_draft_posts"
-on public.posts for select
-to authenticated
-using (
-  (status <> 'published' and author_id = auth.uid()) or
-  (status <> 'published'and public.get_current_user_role() in ('ADMIN', 'WRITER'))
-);
-
---
--- Media Table RLS
---
-alter table public.media enable row level security;
-
-
---
--- Blocks Table RLS
---
-alter table public.blocks enable row level security;
-
-drop policy if exists "blocks_are_readable_if_parent_is_published" on public.blocks;
--- allow anonymous and authenticated users to read blocks if their parent page/post is published
-create policy "blocks_are_readable_if_parent_is_published"
-on public.blocks for select
-to anon, authenticated
-using (
-  (page_id is not null and exists(select 1 from public.pages p where p.id = blocks.page_id and p.status = 'published')) or
-  (post_id is not null and exists(select 1 from public.posts pt where pt.id = blocks.post_id and pt.status = 'published' and (pt.published_at is null or pt.published_at <= now())))
-);
-
--- allow admins and writers to insert, update, delete blocks
-drop policy if exists "admins_and_writers_can_manage_blocks" on public.blocks;
-create policy "admins_and_writers_can_manage_blocks"
-on public.blocks for all
-to authenticated
-using (public.get_current_user_role() in ('ADMIN', 'WRITER'))
-with check (public.get_current_user_role() in ('ADMIN', 'WRITER'));
-
---
--- Navigation Items Table RLS
---
-alter table public.navigation_items enable row level security;
-
-commit;

package/supabase/migrations/20250515194800_add_translation_group_id.sql

@@ -1,39 +0,0 @@
--- supabase/migrations/YYYYMMDDHHMMSS_add_translation_group_id.sql
-
-ALTER TABLE public.pages
-ADD COLUMN translation_group_id UUID DEFAULT gen_random_uuid() NOT NULL;
-
-COMMENT ON COLUMN public.pages.translation_group_id IS 'Groups different language versions of the same conceptual page.';
-
-CREATE INDEX IF NOT EXISTS idx_pages_translation_group_id ON public.pages(translation_group_id);
-
--- For existing pages, you'll need to manually group them.
--- Example: If page ID 1 (EN) and page ID 10 (FR) are the same conceptual page:
--- UPDATE public.pages SET translation_group_id = (SELECT translation_group_id FROM public.pages WHERE id = 1) WHERE id = 10;
--- Or, for all pages that share a slug currently (from the previous model):
--- WITH slug_groups AS (
---   SELECT slug, MIN(id) as first_id, gen_random_uuid() as new_group_id
---   FROM public.pages
---   GROUP BY slug
---   HAVING COUNT(*) > 1 -- Only for slugs that were shared
--- )
--- UPDATE public.pages p
--- SET translation_group_id = sg.new_group_id
--- FROM slug_groups sg
--- WHERE p.slug = sg.slug;
---
--- UPDATE public.pages p
--- SET translation_group_id = gen_random_uuid()
--- WHERE p.translation_group_id IS NULL AND EXISTS (
---   SELECT 1 FROM (
---     SELECT slug, COUNT(*) as c FROM public.pages GROUP BY slug
---   ) counts WHERE counts.slug = p.slug AND counts.c = 1
--- );
-
-
-ALTER TABLE public.posts
-ADD COLUMN translation_group_id UUID DEFAULT gen_random_uuid() NOT NULL;
-
-COMMENT ON COLUMN public.posts.translation_group_id IS 'Groups different language versions of the same conceptual post.';
-
-CREATE INDEX IF NOT EXISTS idx_posts_translation_group_id ON public.posts(translation_group_id);

package/supabase/migrations/20250520171900_add_translation_group_to_nav_items.sql

@@ -1,21 +0,0 @@
--- supabase/migrations/YYYYMMDDHHMMSS_add_translation_group_to_nav_items.sql
--- Replace YYYYMMDDHHMMSS with the actual timestamp, e.g., 20250520171700
-
-ALTER TABLE public.navigation_items
-ADD COLUMN translation_group_id UUID DEFAULT gen_random_uuid() NOT NULL;
-
-COMMENT ON COLUMN public.navigation_items.translation_group_id IS 'Groups different language versions of the same conceptual navigation item.';
-
-CREATE INDEX IF NOT EXISTS idx_navigation_items_translation_group_id ON public.navigation_items(translation_group_id);
-
--- Note: For existing navigation items, you will need to manually group them if they are translations of each other.
--- For example, if item ID 5 (EN) and item ID 25 (FR) are the same conceptual link:
--- UPDATE public.navigation_items SET translation_group_id = (SELECT translation_group_id FROM public.navigation_items WHERE id = 5 LIMIT 1) WHERE id = 25;
--- Or, assign a new group ID to both if they weren't grouped yet:
--- WITH new_group AS (SELECT gen_random_uuid() as new_id)
--- UPDATE public.navigation_items
--- SET translation_group_id = (SELECT new_id FROM new_group)
--- WHERE id IN (5, 25);
---
--- It's recommended to do this grouping manually based on your existing data logic.
--- New items created through the updated CMS logic will automatically get grouped.

package/supabase/migrations/20250521143933_seed_homepage_and_nav.sql

@@ -1,52 +0,0 @@
--- supabase/migrations/YYYYMMDDHHMMSS_seed_homepage_and_nav.sql
--- Replace YYYYMMDDHHMMSS with the actual timestamp, e.g., 20250521100000
-
-DO $$
-DECLARE
-  en_lang_id BIGINT;
-  fr_lang_id BIGINT;
-  admin_user_id UUID;
-  home_page_translation_group UUID;
-  home_nav_translation_group UUID;
-  en_home_page_id BIGINT;
-  fr_home_page_id BIGINT;
-BEGIN
-  -- Get language IDs
-  SELECT id INTO en_lang_id FROM public.languages WHERE code = 'en' LIMIT 1;
-  SELECT id INTO fr_lang_id FROM public.languages WHERE code = 'fr' LIMIT 1;
-
-  -- Get an admin user ID to set as author (optional, fallback to NULL)
-  SELECT id INTO admin_user_id FROM public.profiles WHERE role = 'ADMIN' LIMIT 1;
-
-  -- Check if languages were found
-  IF en_lang_id IS NULL THEN
-    RAISE EXCEPTION 'English language (en) not found. Please seed languages first.';
-  END IF;
-  IF fr_lang_id IS NULL THEN
-    RAISE EXCEPTION 'French language (fr) not found. Please seed languages first.';
-  END IF;
-
-  -- Generate translation group UUIDs
-  home_page_translation_group := gen_random_uuid();
-  home_nav_translation_group := gen_random_uuid();
-
-  -- Seed English Homepage
-  INSERT INTO public.pages (language_id, author_id, title, slug, status, meta_title, meta_description, translation_group_id)
-  VALUES (en_lang_id, admin_user_id, 'Home', 'home', 'published', 'Homepage', 'This is the homepage.', home_page_translation_group)
-  RETURNING id INTO en_home_page_id;
-
-  -- Seed French Homepage (Accueil)
-  INSERT INTO public.pages (language_id, author_id, title, slug, status, meta_title, meta_description, translation_group_id)
-  VALUES (fr_lang_id, admin_user_id, 'Accueil', 'accueil', 'published', 'Page d''accueil', 'Ceci est la page d''accueil.', home_page_translation_group)
-  RETURNING id INTO fr_home_page_id;
-
-  -- Seed English Navigation Item for Homepage (linked to the English page, but URL is root)
-  INSERT INTO public.navigation_items (language_id, menu_key, label, url, "order", page_id, translation_group_id)
-  VALUES (en_lang_id, 'HEADER', 'Home', '/', 0, en_home_page_id, home_nav_translation_group);
-
-  -- Seed French Navigation Item for Homepage (linked to the French page, but URL is root)
-  INSERT INTO public.navigation_items (language_id, menu_key, label, url, "order", page_id, translation_group_id)
-  VALUES (fr_lang_id, 'HEADER', 'Accueil', '/', 0, fr_home_page_id, home_nav_translation_group);
-
-  RAISE NOTICE 'Homepage and navigation links seeded for EN and FR.';
-END $$;

package/supabase/migrations/20250523145833_add_feature_image_to_posts.sql

@@ -1,8 +0,0 @@
-ALTER TABLE public.posts
-ADD COLUMN feature_image_id UUID,
-ADD CONSTRAINT fk_feature_image
-    FOREIGN KEY (feature_image_id)
-    REFERENCES public.media(id)
-    ON DELETE SET NULL;
-
-COMMENT ON COLUMN public.posts.feature_image_id IS 'ID of the media item to be used as the post''s feature image.';

package/supabase/migrations/20250523151737_add_rls_to_media_table.sql

@@ -1,18 +0,0 @@
--- Drop existing policies if they exist, then recreate them.
-
--- Policy for public read access
-DROP POLICY IF EXISTS "media_are_publicly_readable" ON public.media;
-
-CREATE POLICY "media_are_publicly_readable"
-ON public.media FOR SELECT
-TO anon, authenticated
-USING (true);
-
--- Policy for admin/writer management
-DROP POLICY IF EXISTS "admins_and_writers_can_manage_media" ON public.media;
-
-CREATE POLICY "admins_and_writers_can_manage_media"
-ON public.media FOR ALL
-TO authenticated
-USING (public.get_current_user_role() IN ('ADMIN', 'WRITER'))
-WITH CHECK (public.get_current_user_role() IN ('ADMIN', 'WRITER'));

package/supabase/migrations/20250526110400_add_image_dimensions_to_media.sql

@@ -1,14 +0,0 @@
-ALTER TABLE public.media
-ADD COLUMN width INTEGER,
-ADD COLUMN height INTEGER;
-
--- Optional: Add a comment to describe the new columns
-COMMENT ON COLUMN public.media.width IS 'Width of the image in pixels.';
-COMMENT ON COLUMN public.media.height IS 'Height of the image in pixels.';
-
--- Backfill existing image media with nulls, or you might want to run a script later to populate them if possible
--- For now, they will be NULL by default.
-
--- Re-apply RLS policies if necessary, though ADD COLUMN usually doesn't require it unless policies are column-specific
--- and these new columns need to be included or excluded.
--- For simplicity, assuming existing policies are fine.

package/supabase/migrations/20250526153321_optimize_rls_policies.sql

@@ -1,188 +0,0 @@
--- supabase/migrations/YYYYMMDDHHMMSS_optimize_rls_policies_v2.sql
--- Replace YYYYMMDDHHMMSS with the actual timestamp of this migration file.
-
-BEGIN;
-
--- == PROFILES ==
-DROP POLICY IF EXISTS "users_can_select_own_profile" ON public.profiles;
-DROP POLICY IF EXISTS "users_can_update_own_profile" ON public.profiles;
-DROP POLICY IF EXISTS "admins_can_select_any_profile" ON public.profiles;
-DROP POLICY IF EXISTS "admins_can_update_any_profile" ON public.profiles;
-
-CREATE POLICY "authenticated_can_read_profiles" ON public.profiles
-  FOR SELECT
-  TO authenticated
-  USING (
-    (id = (SELECT auth.uid())) OR
-    (public.get_current_user_role() = 'ADMIN')
-  );
-COMMENT ON POLICY "authenticated_can_read_profiles" ON public.profiles IS 'Authenticated users can read their own profile, and admins can read any profile.';
-
-CREATE POLICY "authenticated_can_update_profiles" ON public.profiles
-  FOR UPDATE
-  TO authenticated
-  USING (
-    (id = (SELECT auth.uid())) OR
-    (public.get_current_user_role() = 'ADMIN')
-  )
-  WITH CHECK (
-    (id = (SELECT auth.uid())) OR
-    (public.get_current_user_role() = 'ADMIN')
-  );
-COMMENT ON POLICY "authenticated_can_update_profiles" ON public.profiles IS 'Authenticated users can update their own profile, and admins can update any profile.';
-
--- Ensure admin insert policy is present and correct (it typically uses WITH CHECK on the role, not USING for insert)
-DROP POLICY IF EXISTS "admins_can_insert_profiles" ON public.profiles;
-CREATE POLICY "admins_can_insert_profiles" ON public.profiles
-    FOR INSERT TO authenticated
-    WITH CHECK (public.get_current_user_role() = 'ADMIN');
-COMMENT ON POLICY "admins_can_insert_profiles" ON public.profiles IS 'Admin users can insert new profiles.';
-
-
--- == PAGES ==
-DROP POLICY IF EXISTS "pages_are_publicly_readable_when_published" ON public.pages;
-DROP POLICY IF EXISTS "authors_writers_admins_can_read_own_drafts" ON public.pages;
-DROP POLICY IF EXISTS "authors_writers_admins_can_read_own_or_all_drafts" ON public.pages;
-DROP POLICY IF EXISTS "admins_and_writers_can_manage_pages" ON public.pages;
-
-CREATE POLICY "pages_anon_can_read_published" ON public.pages
-  FOR SELECT
-  TO anon
-  USING (status = 'published');
-COMMENT ON POLICY "pages_anon_can_read_published" ON public.pages IS 'Anonymous users can read published pages.';
-
-CREATE POLICY "pages_authenticated_access" ON public.pages
-  FOR SELECT
-  TO authenticated
-  USING (
-    (status = 'published') OR
-    (author_id = (SELECT auth.uid()) AND status <> 'published') OR
-    (public.get_current_user_role() IN ('ADMIN', 'WRITER'))
-  );
-COMMENT ON POLICY "pages_authenticated_access" ON public.pages IS 'Authenticated users can read published pages, their own drafts, or all pages if admin/writer.';
-
-CREATE POLICY "pages_admin_writer_management" ON public.pages
-  FOR ALL -- Changed from INSERT, UPDATE, DELETE
-  TO authenticated
-  USING (public.get_current_user_role() IN ('ADMIN', 'WRITER'))
-  WITH CHECK (public.get_current_user_role() IN ('ADMIN', 'WRITER'));
-COMMENT ON POLICY "pages_admin_writer_management" ON public.pages IS 'Admins and Writers can manage pages.';
-
-
--- == POSTS ==
-DROP POLICY IF EXISTS "posts_are_publicly_readable_when_published" ON public.posts;
-DROP POLICY IF EXISTS "authors_writers_admins_can_read_own_draft_posts" ON public.posts;
-DROP POLICY IF EXISTS "authors_writers_admins_can_read_own_or_all_draft_posts" ON public.posts;
-DROP POLICY IF EXISTS "admins_and_writers_can_manage_posts" ON public.posts;
-
-CREATE POLICY "posts_anon_can_read_published" ON public.posts
-  FOR SELECT
-  TO anon
-  USING (status = 'published' AND (published_at IS NULL OR published_at <= now()));
-COMMENT ON POLICY "posts_anon_can_read_published" ON public.posts IS 'Anonymous users can read published posts.';
-
-CREATE POLICY "posts_authenticated_access" ON public.posts
-  FOR SELECT
-  TO authenticated
-  USING (
-    (status = 'published' AND (published_at IS NULL OR published_at <= now())) OR
-    (author_id = (SELECT auth.uid()) AND status <> 'published') OR
-    (public.get_current_user_role() IN ('ADMIN', 'WRITER'))
-  );
-COMMENT ON POLICY "posts_authenticated_access" ON public.posts IS 'Authenticated users can read published posts, their own drafts, or all posts if admin/writer.';
-
-CREATE POLICY "posts_admin_writer_management" ON public.posts
-  FOR ALL -- Changed from INSERT, UPDATE, DELETE
-  TO authenticated
-  USING (public.get_current_user_role() IN ('ADMIN', 'WRITER'))
-  WITH CHECK (public.get_current_user_role() IN ('ADMIN', 'WRITER'));
-COMMENT ON POLICY "posts_admin_writer_management" ON public.posts IS 'Admins and Writers can manage posts.';
-
-
--- == BLOCKS ==
-DROP POLICY IF EXISTS "blocks_are_readable_if_parent_is_published" ON public.blocks;
-DROP POLICY IF EXISTS "admins_and_writers_can_manage_blocks" ON public.blocks;
-
-CREATE POLICY "blocks_anon_can_read_published" ON public.blocks
-  FOR SELECT
-  TO anon
-  USING (
-    (page_id IS NOT NULL AND EXISTS(SELECT 1 FROM public.pages p WHERE p.id = blocks.page_id AND p.status = 'published')) OR
-    (post_id IS NOT NULL AND EXISTS(SELECT 1 FROM public.posts pt WHERE pt.id = blocks.post_id AND pt.status = 'published' AND (pt.published_at IS NULL OR pt.published_at <= now())))
-  );
-COMMENT ON POLICY "blocks_anon_can_read_published" ON public.blocks IS 'Anonymous users can read blocks of published parent pages/posts.';
-
-CREATE POLICY "blocks_authenticated_access" ON public.blocks
-  FOR SELECT
-  TO authenticated
-  USING (
-    (public.get_current_user_role() IN ('ADMIN', 'WRITER')) OR
-    (
-      (public.get_current_user_role() = 'USER') AND (
-        (page_id IS NOT NULL AND EXISTS(SELECT 1 FROM public.pages p WHERE p.id = blocks.page_id AND p.status = 'published')) OR
-        (post_id IS NOT NULL AND EXISTS(SELECT 1 FROM public.posts pt WHERE pt.id = blocks.post_id AND pt.status = 'published' AND (pt.published_at IS NULL OR pt.published_at <= now())))
-      )
-    )
-  );
-COMMENT ON POLICY "blocks_authenticated_access" ON public.blocks IS 'Admins/Writers can read all blocks; Users can read blocks of published parents.';
-
-CREATE POLICY "blocks_admin_writer_management" ON public.blocks
-  FOR ALL -- Changed from INSERT, UPDATE, DELETE
-  TO authenticated
-  USING (public.get_current_user_role() IN ('ADMIN', 'WRITER'))
-  WITH CHECK (public.get_current_user_role() IN ('ADMIN', 'WRITER'));
-COMMENT ON POLICY "blocks_admin_writer_management" ON public.blocks IS 'Admins and Writers can manage blocks.';
-
-
--- == LANGUAGES ==
-DROP POLICY IF EXISTS "languages_are_publicly_readable" ON public.languages;
-DROP POLICY IF EXISTS "admins_can_manage_languages" ON public.languages;
-
-CREATE POLICY "languages_are_publicly_readable_by_all" ON public.languages
-  FOR SELECT
-  USING (true);
-COMMENT ON POLICY "languages_are_publicly_readable_by_all" ON public.languages IS 'All users (anon and authenticated) can read languages.';
-
-CREATE POLICY "languages_admin_management" ON public.languages
-  FOR ALL -- Changed from INSERT, UPDATE, DELETE
-  TO authenticated
-  USING (public.get_current_user_role() = 'ADMIN')
-  WITH CHECK (public.get_current_user_role() = 'ADMIN');
-COMMENT ON POLICY "languages_admin_management" ON public.languages IS 'Admins can manage languages.';
-
-
--- == MEDIA ==
-DROP POLICY IF EXISTS "media_is_readable_by_all" ON public.media;
-DROP POLICY IF EXISTS "media_are_publicly_readable" ON public.media;
-DROP POLICY IF EXISTS "admins_and_writers_can_manage_media" ON public.media;
-
-CREATE POLICY "media_is_publicly_readable_by_all" ON public.media
-  FOR SELECT
-  USING (true);
-COMMENT ON POLICY "media_is_publicly_readable_by_all" ON public.media IS 'All users (anon and authenticated) can read media records.';
-
-CREATE POLICY "media_admin_writer_management" ON public.media
-  FOR ALL -- Changed from INSERT, UPDATE, DELETE
-  TO authenticated
-  USING (public.get_current_user_role() IN ('ADMIN', 'WRITER'))
-  WITH CHECK (public.get_current_user_role() IN ('ADMIN', 'WRITER'));
-COMMENT ON POLICY "media_admin_writer_management" ON public.media IS 'Admins and Writers can manage media records.';
-
-
--- == NAVIGATION ITEMS ==
-DROP POLICY IF EXISTS "navigation_is_publicly_readable" ON public.navigation_items;
-DROP POLICY IF EXISTS "admins_can_manage_navigation" ON public.navigation_items;
-
-CREATE POLICY "nav_items_are_publicly_readable_by_all" ON public.navigation_items
-  FOR SELECT
-  USING (true);
-COMMENT ON POLICY "nav_items_are_publicly_readable_by_all" ON public.navigation_items IS 'All users (anon and authenticated) can read navigation items.';
-
-CREATE POLICY "nav_items_admin_management" ON public.navigation_items
-  FOR ALL -- Changed from INSERT, UPDATE, DELETE
-  TO authenticated
-  USING (public.get_current_user_role() = 'ADMIN')
-  WITH CHECK (public.get_current_user_role() = 'ADMIN');
-COMMENT ON POLICY "nav_items_admin_management" ON public.navigation_items IS 'Admins can manage navigation items.';
-
-COMMIT;

package/supabase/migrations/20250526172513_resolve_select_policy_overlaps.sql

@@ -1,96 +0,0 @@
--- supabase/migrations/YYYYMMDDHHMMSS_resolve_select_policy_overlaps.sql
--- (Ensure YYYYMMDDHHMMSS is the current timestamp)
-
-BEGIN;
-
--- == BLOCKS ==
--- Assuming "blocks_admin_writer_management" is FOR ALL and covers SELECT for ADMIN/WRITER.
--- Make "blocks_authenticated_access" specific to non-ADMIN/WRITER authenticated users.
-DROP POLICY IF EXISTS "blocks_authenticated_access" ON public.blocks;
-CREATE POLICY "blocks_authenticated_user_access" ON public.blocks -- Renamed for clarity
-  FOR SELECT
-  TO authenticated
-  USING (
-    (public.get_current_user_role() NOT IN ('ADMIN', 'WRITER')) AND -- This is the key change
-    (
-      (page_id IS NOT NULL AND EXISTS(SELECT 1 FROM public.pages p WHERE p.id = blocks.page_id AND p.status = 'published')) OR
-      (post_id IS NOT NULL AND EXISTS(SELECT 1 FROM public.posts pt WHERE pt.id = blocks.post_id AND pt.status = 'published' AND (pt.published_at IS NULL OR pt.published_at <= now())))
-    )
-  );
-COMMENT ON POLICY "blocks_authenticated_user_access" ON public.blocks IS 'Authenticated USERS (non-admin/writer) can read blocks of published parents. Admin/Writer SELECT via their management policy.';
--- Note: "blocks_anon_can_read_published" (FOR SELECT TO anon) should remain unchanged.
--- Note: "blocks_admin_writer_management" (FOR ALL TO authenticated USING role IN (ADMIN,WRITER)) should remain unchanged.
-
--- == LANGUAGES ==
--- Assuming "languages_admin_management" is FOR ALL and covers SELECT for ADMIN.
--- Make "languages_are_publicly_readable_by_all" not apply to authenticated ADMINs.
-DROP POLICY IF EXISTS "languages_are_publicly_readable_by_all" ON public.languages;
-CREATE POLICY "languages_readable_by_anon_and_non_admins" ON public.languages -- Renamed
-  FOR SELECT
-  USING (
-    NOT (auth.role() = 'authenticated' AND public.get_current_user_role() = 'ADMIN')
-  );
-COMMENT ON POLICY "languages_readable_by_anon_and_non_admins" ON public.languages IS 'Anonymous users and authenticated non-admins can read languages. Admin SELECT via management policy.';
--- Note: "languages_admin_management" (FOR ALL TO authenticated USING role = ADMIN) should remain unchanged.
-
--- == MEDIA ==
--- Assuming "media_admin_writer_management" is FOR ALL and covers SELECT for ADMIN/WRITER.
--- Make "media_is_publicly_readable_by_all" not apply to authenticated ADMIN/WRITERs.
-DROP POLICY IF EXISTS "media_is_publicly_readable_by_all" ON public.media;
-CREATE POLICY "media_readable_by_anon_and_non_privileged_users" ON public.media -- Renamed
-  FOR SELECT
-  USING (
-    NOT (auth.role() = 'authenticated' AND public.get_current_user_role() IN ('ADMIN', 'WRITER'))
-  );
-COMMENT ON POLICY "media_readable_by_anon_and_non_privileged_users" ON public.media IS 'Anonymous users and authenticated non-admin/writer users can read media. Admin/Writer SELECT via management policy.';
--- Note: "media_admin_writer_management" (FOR ALL TO authenticated USING role IN (ADMIN,WRITER)) should remain unchanged.
-
--- == NAVIGATION ITEMS ==
--- Assuming "nav_items_admin_management" is FOR ALL and covers SELECT for ADMIN.
--- Make "nav_items_are_publicly_readable_by_all" not apply to authenticated ADMINs.
-DROP POLICY IF EXISTS "nav_items_are_publicly_readable_by_all" ON public.navigation_items;
-CREATE POLICY "nav_items_readable_by_anon_and_non_admins" ON public.navigation_items -- Renamed
-  FOR SELECT
-  USING (
-    NOT (auth.role() = 'authenticated' AND public.get_current_user_role() = 'ADMIN')
-  );
-COMMENT ON POLICY "nav_items_readable_by_anon_and_non_admins" ON public.navigation_items IS 'Anonymous users and authenticated non-admins can read nav items. Admin SELECT via management policy.';
--- Note: "nav_items_admin_management" (FOR ALL TO authenticated USING role = ADMIN) should remain unchanged.
-
--- == PAGES ==
--- Assuming "pages_admin_writer_management" is FOR ALL and covers SELECT for ADMIN/WRITER.
--- Make "pages_authenticated_access" specific to non-ADMIN/WRITER authenticated users.
-DROP POLICY IF EXISTS "pages_authenticated_access" ON public.pages;
-CREATE POLICY "pages_user_authenticated_access" ON public.pages -- Renamed
-  FOR SELECT
-  TO authenticated
-  USING (
-    (public.get_current_user_role() NOT IN ('ADMIN', 'WRITER')) AND -- This is the key change
-    (
-      (status = 'published') OR
-      (author_id = (SELECT auth.uid()) AND status <> 'published')
-    )
-  );
-COMMENT ON POLICY "pages_user_authenticated_access" ON public.pages IS 'Authenticated USERS (non-admin/writer) can read published pages or their own drafts. Admin/Writer SELECT via their management policy.';
--- Note: "pages_anon_can_read_published" (FOR SELECT TO anon) should remain unchanged.
--- Note: "pages_admin_writer_management" (FOR ALL TO authenticated USING role IN (ADMIN,WRITER)) should remain unchanged.
-
--- == POSTS ==
--- Assuming "posts_admin_writer_management" is FOR ALL and covers SELECT for ADMIN/WRITER.
--- Make "posts_authenticated_access" specific to non-ADMIN/WRITER authenticated users.
-DROP POLICY IF EXISTS "posts_authenticated_access" ON public.posts;
-CREATE POLICY "posts_user_authenticated_access" ON public.posts -- Renamed
-  FOR SELECT
-  TO authenticated
-  USING (
-    (public.get_current_user_role() NOT IN ('ADMIN', 'WRITER')) AND -- This is the key change
-    (
-      (status = 'published' AND (published_at IS NULL OR published_at <= now())) OR
-      (author_id = (SELECT auth.uid()) AND status <> 'published')
-    )
-  );
-COMMENT ON POLICY "posts_user_authenticated_access" ON public.posts IS 'Authenticated USERS (non-admin/writer) can read published posts or their own drafts. Admin/Writer SELECT via their management policy.';
--- Note: "posts_anon_can_read_published" (FOR SELECT TO anon) should remain unchanged.
--- Note: "posts_admin_writer_management" (FOR ALL TO authenticated USING role IN (ADMIN,WRITER)) should remain unchanged.
-
-COMMIT;