const { DynamoDBClient } = require('@aws-sdk/client-dynamodb')
const { DynamoDBDocumentClient, DeleteCommand, GetCommand } = require('@aws-sdk/lib-dynamodb')
const { requirePermission } = require('../utils/requirePermission')
 
// Module-scope DynamoDB clients, created once when this file is loaded and
// shared by every call to deleteRoleHandler below.
// The empty config object sets no region, endpoint or credentials here.
// NOTE(review): presumably those are resolved from the runtime environment,
// so the handler's table access is bounded by that identity's policy - confirm.
const client = new DynamoDBClient({})
// Document-client wrapper used with GetCommand / DeleteCommand from lib-dynamodb.
const docClient = DynamoDBDocumentClient.from(client)
 
/**
 * Deletes one role item of a tenant from the table named by ROLES_TABLE_NAME.
 *
 * Reads `tenantId` and `roleId` from `event.pathParameters` and the caller id
 * from `event.requestContext.authorizer.claims.sub`, then:
 *   - 401 `{ error: 'Unauthorized' }` if any of the three values is missing
 *     (this includes missing path parameters, not only a missing caller id);
 *   - 404 `{ error: 'Role not found' }` if the role item does not exist;
 *   - 403 `{ error: 'Cannot delete system role' }` if the item's
 *     `isSystemRole` attribute is truthy;
 *   - 204 with an empty body after the item has been deleted.
 *
 * Errors thrown by `docClient.send` are not caught here and propagate.
 *
 * NOTE(review): `tenantId` is taken from the request path, and `userId` is only
 * checked for presence. Nothing in this function ties the caller to the tenant
 * in the path; presumably the `requirePermission` wrapper does - confirm.
 *
 * @param {object} event - Request event; only the fields named above are read.
 * @returns {Promise<{statusCode: number, headers: object, body: string}>}
 */
async function deleteRoleHandler(event) {
  // Every response carries the same two headers; a new headers object is built
  // per response. The CORS origin is the wildcard '*'.
  const respond = (statusCode, body) => ({
    statusCode,
    headers: {
      'Content-Type': 'application/json',
      'Access-Control-Allow-Origin': '*'
    },
    body
  })

  const { tenantId, roleId } = event.pathParameters ?? {}
  const userId = event.requestContext?.authorizer?.claims?.sub

  const hasAllIdentifiers = Boolean(userId && tenantId && roleId)
  if (!hasAllIdentifiers) {
    return respond(401, JSON.stringify({ error: 'Unauthorized' }))
  }

  // Table name and composite key of the role item. Built fresh for each command,
  // so the table name is read from the environment at each call.
  const roleItemRef = () => ({
    TableName: process.env.ROLES_TABLE_NAME,
    Key: {
      PK: `TENANT#${tenantId}`,
      SK: `ROLE#${roleId}`
    }
  })

  // Look the role up first: it must exist and must not be a system role.
  const { Item: role } = await docClient.send(new GetCommand(roleItemRef()))

  if (!role) {
    return respond(404, JSON.stringify({ error: 'Role not found' }))
  }

  if (role.isSystemRole) {
    return respond(403, JSON.stringify({ error: 'Cannot delete system role' }))
  }

  // NOTE(review): the check above and this delete are two separate requests and
  // the DeleteCommand carries no ConditionExpression, so the system-role guard
  // is not enforced atomically with the delete.
  await docClient.send(new DeleteCommand(roleItemRef()))

  return respond(204, '')
}
 
// Exported entry point: deleteRoleHandler wrapped by requirePermission with the
// 'roles:delete' permission. requirePermission lives in ../utils/requirePermission
// and is not shown in this file.
// NOTE(review): deleteRoleHandler itself only checks that a caller id is present,
// so this wrapper is the only authorization gate visible here - confirm that it
// evaluates the permission against the tenantId from the request path.
exports.handler = requirePermission(deleteRoleHandler, {
  permission: 'roles:delete'
})