From efae7f57fbd737752776496ddce90d52899e4a77 Mon Sep 17 00:00:00 2001
From: rijkvanzanten <rijkvanzanten@me.com>
Date: Fri, 17 Jul 2020 12:02:19 -0400
Subject: [PATCH] Add batch update

---
 src/routes/items.ts         | 44 +++++++++++++++++++++++++++----------
 src/services/permissions.ts |  4 +++-
 2 files changed, 35 insertions(+), 13 deletions(-)

diff --git a/src/routes/items.ts b/src/routes/items.ts
index 3229a44c77..77261f5983 100644
--- a/src/routes/items.ts
+++ b/src/routes/items.ts
@@ -131,20 +131,40 @@ router.patch(
 			throw new RouteNotFoundException(req.path);
 		}
 
-		const primaryKey = await ItemsService.updateItem(req.collection, req.params.pk, req.body, {
-			role: req.role,
-			admin: req.admin,
-			ip: req.ip,
-			userAgent: req.get('user-agent'),
-			user: req.user,
-		});
+		const primaryKey = req.params.pk;
 
-		const item = await ItemsService.readItem(req.collection, primaryKey, req.sanitizedQuery, {
-			role: req.role,
-			admin: req.admin,
-		});
+		const isBatch = primaryKey.includes(',');
 
-		return res.json({ data: item || null });
+		if (isBatch) {
+			const primaryKeys = primaryKey.split(',');
+			const items = await Promise.all(primaryKeys.map(updateItem));
+			return res.json({ data: items || null });
+		} else {
+			const item = await updateItem(primaryKey);
+			return res.json({ data: item || null });
+		}
+
+		async function updateItem(pk: string | number) {
+			const primaryKey = await ItemsService.updateItem(req.collection, pk, req.body, {
+				role: req.role,
+				admin: req.admin,
+				ip: req.ip,
+				userAgent: req.get('user-agent'),
+				user: req.user,
+			});
+
+			const item = await ItemsService.readItem(
+				req.collection,
+				primaryKey,
+				req.sanitizedQuery,
+				{
+					role: req.role,
+					admin: req.admin,
+				}
+			);
+
+			return item;
+		}
 	})
 );
 
diff --git a/src/services/permissions.ts b/src/services/permissions.ts
index 0e96fac0e0..55210a88dd 100644
--- a/src/services/permissions.ts
+++ b/src/services/permissions.ts
@@ -239,6 +239,8 @@ export const checkAccess = async (
 
 		if (!result) throw '';
 	} catch {
-		throw new ForbiddenException(`You're not allowed to ${operation} this item.`);
+		throw new ForbiddenException(
+			`You're not allowed to ${operation} item "${pk}" in collection "${collection}".`
+		);
 	}
 };