-- ============================================================================
-- PERMISSION FIX & VERIFICATION SCRIPT
-- ============================================================================
-- Purpose:
-- This script first resets the default privileges on the public schema to fix
-- "permission denied" errors. It then runs a series of tests to VERIFY that
-- the permissions have been correctly applied, providing clear feedback.
--
-- Usage:
-- RUN THIS SCRIPT FIRST. If it completes successfully, you can then run
-- the main schema.sql.txt script.

-- ============================================================================
-- STEP 1: APPLY PERMISSION FIXES
-- ============================================================================

-- Grant usage on the schema to the key roles.
GRANT USAGE ON SCHEMA public TO postgres, anon, authenticated, service_role;

-- Grant ALL privileges on EXISTING tables, sequences, and functions to the key roles.
-- This is a "catch-all" for any existing objects that may have wrong permissions.
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO postgres, anon, authenticated, service_role;
GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO postgres, anon, authenticated, service_role;
GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA public TO postgres, anon, authenticated, service_role;

-- Grant ALL privileges on FUTURE tables, sequences, and functions to the key roles.
-- This is the most important part: it ensures new objects get the right permissions.
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO postgres, anon, authenticated, service_role;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO postgres, anon, authenticated, service_role;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON FUNCTIONS TO postgres, anon, authenticated, service_role;


-- ============================================================================
-- STEP 2: VERIFY PERMISSIONS HAVE BEEN APPLIED
-- ============================================================================
-- This block performs live tests to confirm the fixes worked. If any test
-- fails, it will raise an error and stop the script.

DO $$
BEGIN
    RAISE NOTICE '--- Starting Permission Verification Tests ---';

    -- TEST 1: Check if the 'postgres' user (you) can CREATE in the public schema.
    -- This directly tests the original "permission denied" error.
    IF NOT has_schema_privilege('postgres', 'public', 'CREATE') THEN
        RAISE EXCEPTION 'TEST FAILED: The "postgres" role still does not have CREATE permission on the public schema. The script cannot proceed.';
    END IF;
    RAISE NOTICE '✅ TEST PASSED: "postgres" role has CREATE permission on public schema.';

    -- TEST 2: Create a temporary table to check default privileges.
    -- This confirms that the ALTER DEFAULT PRIVILEGES command worked.
    CREATE TABLE public.permission_test_table (id int);
    RAISE NOTICE '    -> Created temporary table "permission_test_table".';

    -- TEST 3: Check if the 'authenticated' role has full rights on the NEW table.
    -- This is crucial for your application's logged-in users.
    IF NOT has_table_privilege('authenticated', 'public.permission_test_table', 'SELECT, INSERT, UPDATE, DELETE') THEN
        DROP TABLE public.permission_test_table;
        RAISE EXCEPTION 'TEST FAILED: The "authenticated" role did not automatically get full permissions on a newly created table. Default privileges are incorrect.';
    END IF;
    RAISE NOTICE '✅ TEST PASSED: "authenticated" role has full CRUD permissions on the new test table.';

    -- TEST 4: Check if the 'anon' role also has full rights on the NEW table.
    -- This is important for RLS policies that might allow anonymous access for specific queries.
    IF NOT has_table_privilege('anon', 'public.permission_test_table', 'SELECT, INSERT, UPDATE, DELETE') THEN
        DROP TABLE public.permission_test_table;
        RAISE EXCEPTION 'TEST FAILED: The "anon" role did not automatically get full permissions on a newly created table. Default privileges are incorrect.';
    END IF;
    RAISE NOTICE '✅ TEST PASSED: "anon" role has full CRUD permissions on the new test table.';


    -- Cleanup: Drop the temporary table.
    DROP TABLE public.permission_test_table;
    RAISE NOTICE '    -> Cleaned up temporary table.';

    RAISE NOTICE '--- ALL PERMISSION TESTS PASSED SUCCESSFULLY ---';
    RAISE NOTICE 'You should now be able to run the main schema.sql.txt script without permission errors.';
END;
$$;