| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 | 1x 1x 1x 1x 1x 1x 1x 17x 17x 16x 16x 16x 1x 15x 2x 13x 12x 1x 11x 11x 1x 10x 10x 10x 2x 2x 1x | const { DynamoDBClient } = require('@aws-sdk/client-dynamodb')
const { DynamoDBDocumentClient, PutCommand, GetCommand } = require('@aws-sdk/lib-dynamodb')
const { randomUUID } = require('crypto')
const { requirePermission } = require('../utils/requirePermission')
// Module-level clients: constructed once when the module loads and reused by
// every invocation that runs in the same container. The low-level client is
// built with an empty config (region/credentials presumably come from the
// Lambda environment — confirm) and the document client wraps it so the
// handler below can pass plain JS objects in Get/Put commands.
const client = new DynamoDBClient({})
const docClient = DynamoDBDocumentClient.from(client)
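// Headers attached to every response.
// NOTE(review): 'Access-Control-Allow-Origin: *' cannot be combined with
// credentialed (cookie) cross-origin requests; this is fine if the API is
// called with a bearer token only — confirm, or restrict to known origins.
const RESPONSE_HEADERS = {
  'Content-Type': 'application/json',
  'Access-Control-Allow-Origin': '*'
}

// Builds the API Gateway proxy response used by every exit of the handler.
// The header object is copied so a caller mutating a response cannot change
// the shared constant.
const jsonResponse = (statusCode, payload) => ({
  statusCode,
  headers: { ...RESPONSE_HEADERS },
  body: JSON.stringify(payload)
})

/**
 * Creates an item under an entity on behalf of the caller's tenant.
 *
 * Reads the tenant (`custom:tenantId`) and user (`sub`) from the authorizer
 * claims, validates the JSON body (`entityId`, `data`), checks that the
 * referenced entity exists and is either public or owned by the tenant, then
 * writes `data` plus server-owned fields to `process.env.TABLE_NAME`.
 *
 * @param {object} event - API Gateway proxy event (`event.body`,
 *   `event.requestContext.authorizer.claims`).
 * @returns {Promise<object>} proxy response: 201 with the stored item; 401 when
 *   the tenant claim is missing; 400 for a malformed or incomplete body; 404 /
 *   403 for an unknown or foreign entity; 500 for unexpected failures.
 */
const createItemHandler = async (event) => {
  try {
    // Authentication context is checked before the body is even parsed so an
    // unauthenticated caller gets 401 regardless of what it sends.
    const claims = event.requestContext?.authorizer?.claims
    const tenantId = claims?.['custom:tenantId']
    const userId = claims?.sub
    if (!tenantId) {
      return jsonResponse(401, { error: 'Missing tenant context' })
    }

    // Malformed JSON is a client error, not a server failure: the original
    // let the SyntaxError fall through to the generic 500 below.
    let body
    try {
      body = JSON.parse(event.body || '{}')
    } catch (parseError) {
      return jsonResponse(400, { error: 'Request body is not valid JSON' })
    }
    // JSON.parse('null') / '[]' / '"x"' are valid JSON but not a usable body;
    // without this guard `body.entityId` would throw (null) or misbehave.
    if (body === null || typeof body !== 'object' || Array.isArray(body)) {
      return jsonResponse(400, { error: 'Request body must be a JSON object' })
    }
    if (!body.entityId || !body.data) {
      return jsonResponse(400, { error: 'Missing required fields: entityId, data' })
    }
    // `entityId` becomes a DynamoDB key and `data` is spread into the item:
    // reject shapes that would fail at the table (object/number key) or spread
    // the characters of a string as numeric attributes.
    if (typeof body.entityId !== 'string') {
      return jsonResponse(400, { error: 'entityId must be a string' })
    }
    if (typeof body.data !== 'object' || Array.isArray(body.data)) {
      return jsonResponse(400, { error: 'data must be an object' })
    }

    // The entities table is keyed by id alone, so the lookup itself is not
    // tenant-scoped; the ownership check after the read is what isolates
    // tenants. Do not remove one without the other.
    const entityResult = await docClient.send(
      new GetCommand({
        TableName: process.env.ENTITIES_TABLE_NAME,
        Key: { id: body.entityId }
      })
    )
    const entity = entityResult.Item
    if (!entity) {
      return jsonResponse(404, { error: 'Entity not found' })
    }
    // `isPublic` is compared against the string 'true' — presumably stored as a
    // string attribute; a boolean `true` would be treated as private. Confirm
    // against the code that writes the entities table.
    // NOTE(review): 404 for an unknown id but 403 for another tenant's id lets
    // a caller probe which entity ids exist; collapse both to 404 if that
    // matters for this product.
    if (entity.isPublic !== 'true' && entity.tenantId !== tenantId) {
      return jsonResponse(403, { error: 'Access denied to this entity' })
    }

    // Client-supplied `data` is spread FIRST so the server-owned fields below
    // always win. The original spread `body.data` last, which let a request
    // body supply its own `tenantId`, `createdBy`, `id` or `entityId` and
    // write an item into another tenant's partition.
    const now = new Date().toISOString()
    const item = {
      ...body.data,
      entityId: body.entityId,
      id: randomUUID(),
      tenantId,
      createdBy: userId,
      createdAt: now,
      updatedAt: now
    }
    await docClient.send(
      new PutCommand({
        TableName: process.env.TABLE_NAME,
        Item: item
      })
    )
    return jsonResponse(201, item)
  } catch (error) {
    // Full error goes to the logs only; the client gets a fixed message so
    // table names and SDK details never leak into a response.
    console.error('Error:', error)
    return jsonResponse(500, { error: 'Failed to create item' })
  }
}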
// Export the handler behind the permission wrapper. The intended model is a
// form- or entity-scoped permission ('items:form-{formId}:create' or
// 'entity-{entityId}:items:create'); until form metadata is available every
// request is gated on the coarse 'items:create' permission instead, so the
// tenant/ownership checks inside createItemHandler are what actually scope
// access to a given entity.
// TODO: Implement form-specific permissions when form metadata is available
exports.handler = requirePermission(createItemHandler, {
  permission: () => 'items:create'
})