Minor tweak for the perms thing we worked on

Author: palmertab

api/controllers/tab/category/access.js

@@ -34,7 +34,8 @@ export const changeAccess = {
 		});
 
 		if (!currentPerm) {
-			res.status(400).json(`User ${targetPerson.email} does not have access ${targetCategory.abbr} and so it cannot be altered`);
+			res.status(400).json(`User ${targetPerson.email} does not have access ${targetCategory.abbr},
+				and so it cannot be altered`);
 			return;
 		}
 
@@ -82,6 +83,7 @@ export const changeAccess = {
 
 		if (req.session.perms.tourn[targetCategory.tourn] !== 'owner'
 			&& req.session.perms.tourn[targetCategory.tourn] !== 'tabber'
+			&& req.session.perms.category[targetCategory.id] !== 'tabber'
 		) {
 			res.status(401).json(`You do not have access to change permissions in ${targetCategory.abbr}`);
 			return;

api/helpers/auth.js

@@ -321,8 +321,8 @@ export const tabAuth = async (req) => {
 		if (
 			perms.tourn[tournId] === 'owner'
 			|| perms.tourn[tournId] === 'tabber'
-			|| req.session.perms.events?.[output.event].tag === 'tabber'
-			|| req.session.perms.categories?.[output.category].tag === 'tabber'
+			|| req.session.perms.event?.[output.event] === 'tabber'
+			|| req.session.perms.category?.[output.category] === 'tabber'
 		) {
 			req.session[subType] = output;
 			return req.session;
@@ -490,7 +490,9 @@ export const tabAuth = async (req) => {
 	}
 
 	if (subType === 'category') {
+
 		const category = await db.summon(db.category, typeId);
+
 		if (category.tourn !== req.session.tourn.id) {
 			delete req.session.tourn;
 			delete req.session.perms;
@@ -500,7 +502,7 @@ export const tabAuth = async (req) => {
 		if (
 			perms.tourn[tournId] === 'owner'
 			|| perms.tourn[tournId] === 'tabber'
-			|| req.session.perms.categories?.[typeId].tag === 'tabber'
+			|| req.session.perms.category?.[typeId] === 'tabber'
 		) {
 			req.session.category = category;
 			return req.session;

app.js

@@ -263,12 +263,15 @@ app.all(tabRoutes, async (req, res, next) => {
 		}
 
 		req.session = await tabAuth(req, res);
+		const subType = req.params.subType;
 
 		if (
-			typeof req.session?.perms !== 'object'
-			|| (!req.session?.perms?.tourn[req.params.tournId])
+			(req.session?.perms?.tourn[req.params.tournId] !== 'tabber')
+			&& (req.session?.perms?.tourn[req.params.tournId] !== 'owner')
+			&& (subType !== 'category' || req.session?.perms?.category[req.params.typeId] !== 'tabber')
+			&& (subType !== 'event' || req.session?.perms?.event[req.params.typeId] !== 'tabber')
 		) {
-			const subType = req.params.subType;
+
 			return res
 				.status(401)
 				.json(`You do not have access to that tournament${subType ? `'s ${subType} functions` : ''}`);