## Check authorization
#set ($isAllowed = false)
#set ($userGroups = $util.defaultIfNull($ctx.identity.claims.get("cognito:groups"), []))
#set ($allowedGroups = ["AdminGroup","ManagerGroup","EngineerGroup","AssociateGroup"])

## If the request is to get a site, an area, a station, or a process, only AdminGroup can access the data.
## The other case would be getting a user permission by every group users.
#if ($ctx.args.id)
  ## For 'getEvent' and 'getPermission', do not restrict to only the AdminGroup
  #if ($ctx.info.fieldName != "getEvent" && $ctx.info.fieldName != "getPermission")
    #set ($allowedGroups = ["AdminGroup"])
  #end
#end

#foreach ($userGroup in $userGroups)
  #if ($allowedGroups.contains($userGroup))
    #set ($isAllowed = true)
    #break
  #end
#end

## Throw authorized if the user is not authorized.
#if ($isAllowed == false)
  $util.unauthorized()
#end

## If it needs to get permission, and the user is only in AssociateGroup, get permission.
#if ($ctx.stash.permissionCheck)
  #if ($userGroups.size() == 1 && $userGroups.contains("AssociateGroup"))
{
  "version": "2017-02-28",
  "operation": "GetItem",
  "key": {
    "id": { "S": "$ctx.identity.sub" },
    "type": $util.dynamodb.toDynamoDBJson("PERMISSION")
  }
}
  #else
    #return({})
  #end
#else
{
  "version": "2017-02-28",
  "operation": "GetItem",
  "key": {
  "id": $util.dynamodb.toDynamoDBJson($ctx.args.id),
  "type": $util.dynamodb.toDynamoDBJson($ctx.args.type)
  }
}
#end