fix: enforce Admin cancel mode role check and clean up nested DECLARE

- can_cancel_match: gate cancel button on privileged roles for Admin mode
- tbu_matches: raise exception for unprivileged cancel in Admin mode
- tournament_brackets: remove nested DECLARE/BEGIN/END, reuse existing var

Author: Flegma

hasura/functions/match/can_cancel_match.sql

@@ -3,17 +3,28 @@ RETURNS boolean
 LANGUAGE plpgsql STABLE
 AS $$
 DECLARE
+    _auto_cancel_mode text;
+    _user_role text;
 BEGIN
-    IF is_match_organizer(match, hasura_session) AND (
-        match.status != 'Finished' AND
-        match.status != 'Tie' AND
-        match.status != 'Canceled' AND
-        match.status != 'Forfeit' AND
-        match.status != 'Surrendered'
-    ) THEN
-        RETURN true;
+    IF NOT is_match_organizer(match, hasura_session) THEN
+        RETURN false;
     END IF;
 
-    RETURN false;
+    IF match.status IN ('Finished', 'Tie', 'Canceled', 'Forfeit', 'Surrendered') THEN
+        RETURN false;
+    END IF;
+
+    -- Admin-only cancel: restrict to privileged roles
+    SELECT mo.auto_cancel_mode INTO _auto_cancel_mode
+    FROM match_options mo WHERE mo.id = match.match_options_id;
+
+    IF _auto_cancel_mode = 'Admin' THEN
+        _user_role := hasura_session ->> 'x-hasura-role';
+        IF _user_role NOT IN ('admin', 'administrator', 'tournament_organizer', 'match_organizer') THEN
+            RETURN false;
+        END IF;
+    END IF;
+
+    RETURN true;
 END;
 $$;

hasura/triggers/matches.sql

@@ -242,6 +242,8 @@ DECLARE
     _match_map_count int;
     _match_options match_options%ROWTYPE;
     _auto_cancel_mode text;
+    _hasura_session jsonb;
+    _user_role text;
 BEGIN
     auto_cancel_duration := get_setting('auto_cancel_duration', '15') || ' minutes';
     SELECT auto_cancel_mode INTO _auto_cancel_mode FROM match_options WHERE id = NEW.match_options_id;
@@ -340,6 +342,17 @@ BEGIN
     END IF;
 
     IF (NEW.status = 'Canceled' AND OLD.status != 'Canceled')  THEN
+        -- Admin-only cancel: only privileged roles can cancel
+        IF _auto_cancel_mode = 'Admin' THEN
+            _hasura_session := current_setting('hasura.user', true)::jsonb;
+            IF _hasura_session IS NOT NULL THEN
+                _user_role := _hasura_session ->> 'x-hasura-role';
+                IF _user_role NOT IN ('admin', 'administrator', 'tournament_organizer', 'match_organizer') THEN
+                    RAISE EXCEPTION 'Only administrators and organizers can cancel matches in Admin cancel mode' USING ERRCODE = '22000';
+                END IF;
+            END IF;
+            -- NULL session = system/API context, allow through
+        END IF;
         NEW.cancels_at = NOW();
         NEW.ended_at = null;
     END IF;

hasura/triggers/tournament_brackets.sql

@@ -30,18 +30,14 @@ BEGIN
          raise notice 'Scheduling match for bracket %', NEW.id;
          IF NEW.tournament_team_id_1 IS NOT NULL AND NEW.tournament_team_id_2 IS NOT NULL THEN
             -- Skip auto-scheduling if tournament is paused
-            DECLARE
-                _tournament_status text;
-            BEGIN
-                SELECT t.status INTO _tournament_status
-                FROM tournaments t
-                JOIN tournament_stages ts ON ts.tournament_id = t.id
-                WHERE ts.id = NEW.tournament_stage_id;
+            SELECT t.status INTO tournament_status
+            FROM tournaments t
+            JOIN tournament_stages ts ON ts.tournament_id = t.id
+            WHERE ts.id = NEW.tournament_stage_id;
 
-                IF _tournament_status != 'Paused' THEN
-                    PERFORM schedule_tournament_match(NEW);
-                END IF;
-            END;
+            IF tournament_status != 'Paused' THEN
+                PERFORM schedule_tournament_match(NEW);
+            END IF;
          END IF;
      END IF;