-- BUCKET avatars: RLS por pasta do usuário "<uid>/..."
-- Requer que seu path seja: `${auth.uid()}/...` (no seu código já é)

drop policy if exists "avatars_select_own" on storage.objects;
create policy "avatars_select_own"
on storage.objects for select
to authenticated
using (
  bucket_id = 'avatars'
  and name like auth.uid()::text || '/%'
);

drop policy if exists "avatars_insert_own" on storage.objects;
create policy "avatars_insert_own"
on storage.objects for insert
to authenticated
with check (
  bucket_id = 'avatars'
  and name like auth.uid()::text || '/%'
);

drop policy if exists "avatars_update_own" on storage.objects;
create policy "avatars_update_own"
on storage.objects for update
to authenticated
using (
  bucket_id = 'avatars'
  and name like auth.uid()::text || '/%'
)
with check (
  bucket_id = 'avatars'
  and name like auth.uid()::text || '/%'
);

drop policy if exists "avatars_delete_own" on storage.objects;
create policy "avatars_delete_own"
on storage.objects for delete
to authenticated
using (
  bucket_id = 'avatars'
  and name like auth.uid()::text || '/%'
);