const { DynamoDBClient } = require('@aws-sdk/client-dynamodb')
const { DynamoDBDocumentClient, GetCommand, UpdateCommand } = require('@aws-sdk/lib-dynamodb')
const { requirePermission } = require('../utils/requirePermission')
 
// Low-level DynamoDB client. The empty config means region and credentials are
// presumably resolved from the Lambda runtime environment — confirm against deployment.
const client = new DynamoDBClient({})
// Document-level wrapper used by the handler below; it lets the code pass plain
// JS objects as keys/values instead of hand-built DynamoDB attribute maps.
const docClient = DynamoDBDocumentClient.from(client)
 
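// Attributes a caller may never set through the update payload: the key parts,
// tenancy and provenance are server-controlled. `updatedAt` is listed too because
// the handler writes it itself; accepting it from the client as well would put the
// same document path in the SET clause twice, which DynamoDB rejects (and the
// original code then surfaced as a 500).
const RESERVED_FIELDS = new Set(['entityId', 'id', 'tenantId', 'createdBy', 'createdAt', 'updatedAt'])

// Single place that shapes every HTTP response: JSON body plus the headers all
// responses carry. NOTE(review): the wildcard CORS origin is kept as in the
// original; confirm it is intended for this API.
const jsonResponse = (statusCode, payload) => ({
  statusCode,
  headers: {
    'Content-Type': 'application/json',
    'Access-Control-Allow-Origin': '*'
  },
  body: JSON.stringify(payload)
})

// Translates the client's `data` object into the three parts of a DynamoDB
// UpdateExpression. Attribute names go through `#attrN` placeholders so arbitrary
// client-chosen names never appear in the expression text itself; values go through
// `:valN`. Reserved fields are dropped. Returns null when nothing is left to set.
const buildUpdate = (data) => {
  const updateExpressions = []
  const expressionAttributeNames = {}
  const expressionAttributeValues = {}

  let attrIndex = 0
  for (const [key, value] of Object.entries(data)) {
    if (RESERVED_FIELDS.has(key)) {
      continue
    }
    const nameKey = `#attr${attrIndex}`
    const valueKey = `:val${attrIndex}`
    updateExpressions.push(`${nameKey} = ${valueKey}`)
    expressionAttributeNames[nameKey] = key
    expressionAttributeValues[valueKey] = value
    attrIndex++
  }

  if (updateExpressions.length === 0) {
    return null
  }

  // Server-side timestamp; always written, never client-supplied.
  updateExpressions.push('#updatedAt = :updatedAt')
  expressionAttributeNames['#updatedAt'] = 'updatedAt'
  expressionAttributeValues[':updatedAt'] = new Date().toISOString()

  return { updateExpressions, expressionAttributeNames, expressionAttributeValues }
}

/**
 * Lambda handler: partially update one item that belongs to the caller's tenant.
 *
 * Reads from the API Gateway proxy event:
 *   - pathParameters.entityId / pathParameters.itemId — the DynamoDB key
 *   - requestContext.authorizer.claims['custom:tenantId'] — the caller's tenant
 *   - body — JSON of the form { "data": { attr: value, ... } }
 *
 * Responses: 401 without a tenant claim; 400 for missing path parameters, a body
 * that is not valid JSON, a `data` that is not an object, or no updatable fields;
 * 404 when the item does not exist; 403 when it belongs to another tenant (also
 * when ownership changes between the read and the write); 200 with the full
 * updated item; 500 for anything else.
 *
 * Order of checks: tenant and key validation run before the body is parsed, so a
 * request without tenant context never reaches the parser or the table.
 */
const updateItemHandler = async (event) => {
  try {
    const entityId = event.pathParameters?.entityId
    const id = event.pathParameters?.itemId
    const tenantId = event.requestContext?.authorizer?.claims?.['custom:tenantId']

    if (!tenantId) {
      return jsonResponse(401, { error: 'Missing tenant context' })
    }

    if (!entityId || !id) {
      return jsonResponse(400, { error: 'Missing entityId or id' })
    }

    // A malformed body is a client error; do not let it fall into the 500 path.
    let body
    try {
      body = JSON.parse(event.body || '{}')
    } catch (parseError) {
      return jsonResponse(400, { error: 'Request body is not valid JSON' })
    }

    // `data` must be a plain object: Object.entries on a string or array would
    // otherwise turn its indices into attribute names.
    const data = body?.data ?? {}
    if (typeof data !== 'object' || data === null || Array.isArray(data)) {
      return jsonResponse(400, { error: 'data must be an object' })
    }

    // Verify item exists and ownership (advisory; re-checked atomically on write)
    const result = await docClient.send(
      new GetCommand({
        TableName: process.env.TABLE_NAME,
        Key: { entityId, id }
      })
    )

    if (!result.Item) {
      // NOTE(review): a caller from another tenant can tell 404 from 403 here,
      // i.e. learn whether a key exists; kept as-is because clients may rely on
      // the distinct codes — consider collapsing both to 404 if that matters.
      return jsonResponse(404, { error: 'Item not found' })
    }

    // Only owner tenant can update
    if (result.Item.tenantId !== tenantId) {
      return jsonResponse(403, { error: 'Access denied - only owner can update' })
    }

    const update = buildUpdate(data)
    if (update === null) {
      return jsonResponse(400, { error: 'No fields to update' })
    }

    const updateResult = await docClient.send(
      new UpdateCommand({
        TableName: process.env.TABLE_NAME,
        Key: { entityId, id },
        UpdateExpression: `SET ${update.updateExpressions.join(', ')}`,
        // The Get above is not atomic with this write; the condition makes the
        // ownership check hold at the moment of the update as well. A failure
        // raises ConditionalCheckFailedException, mapped to 403 in the catch.
        ConditionExpression: '#tenantId = :tenantId',
        ExpressionAttributeNames: { ...update.expressionAttributeNames, '#tenantId': 'tenantId' },
        ExpressionAttributeValues: { ...update.expressionAttributeValues, ':tenantId': tenantId },
        ReturnValues: 'ALL_NEW'
      })
    )

    return jsonResponse(200, updateResult.Attributes)
  } catch (error) {
    if (error?.name === 'ConditionalCheckFailedException') {
      // Ownership changed (or item vanished) between read and write.
      return jsonResponse(403, { error: 'Access denied - only owner can update' })
    }
    console.error('Error:', error)
    return jsonResponse(500, { error: 'Failed to update item' })
  }
}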
 
// Permission string required for this route: 'items:{itemId}:update', resolved
// per request from the path parameter.
const updatePermissionFor = (event) => `items:${event.pathParameters?.itemId}:update`

// Exported entry point: the raw handler wrapped by the permission check
// (requirePermission's exact semantics live in ../utils/requirePermission).
exports.handler = requirePermission(updateItemHandler, { permission: updatePermissionFor })