graph2: Fixed inverse permission checks in story mutations.

graph2/queries/story.go

@@ -68,7 +68,7 @@ func (r *mutationResolver) AddStoryTag(ctx context.Context, input input.StoryTag
 		return models.Story{}, errors.New("Story not found")
 	}
 
-	if token.PermittedUser(story.Author, "member", "story.edit") {
+	if !token.PermittedUser(story.Author, "member", "story.edit") {
 		return models.Story{}, errors.New("You are not permitted to edit this story")
 	}
 
@@ -83,7 +83,7 @@ func (r *mutationResolver) RemoveStoryTag(ctx context.Context, input input.Story
 		return models.Story{}, errors.New("Story not found")
 	}
 
-	if token.PermittedUser(story.Author, "member", "story.edit") {
+	if !token.PermittedUser(story.Author, "member", "story.edit") {
 		return models.Story{}, errors.New("You are not permitted to edit this story")
 	}
 
@@ -98,7 +98,7 @@ func (r *mutationResolver) EditStory(ctx context.Context, input input.StoryEditI
 		return models.Story{}, errors.New("Story not found")
 	}
 
-	if token.PermittedUser(story.Author, "member", "story.edit") {
+	if !token.PermittedUser(story.Author, "member", "story.edit") {
 		return models.Story{}, errors.New("You are not permitted to remove this story")
 	}
 
@@ -117,7 +117,7 @@ func (r *mutationResolver) RemoveStory(ctx context.Context, input input.StoryRem
 		return models.Story{}, errors.New("Story not found")
 	}
 
-	if token.PermittedUser(story.Author, "member", "story.remove") {
+	if !token.PermittedUser(story.Author, "member", "story.remove") {
 		return models.Story{}, errors.New("You are not permitted to remove this story")
 	}