@sap/cds 5.8.3 → 5.9.1

package/libx/_runtime/cds-services/util/assert.js

@@ -45,14 +45,16 @@ const assertError = (code, element, value, key, pathSegments = []) => {
     code = code.code
   }
   const { name, type, precision, scale } = element
-  const path = pathSegments.join('/') || name || key
+  pathSegments = pathSegments.slice(0)
+  pathSegments.push({ key: name || key })
+  const path = pathSegments.map(({ key, url }) => url || key).join('/')
 
   const e = new Error()
   const error = Object.assign(e, getEntry({ code, message: code, target: path, args: args || [name || key] }))
   Object.assign(error, {
     entity: element.parent && element.parent.name,
     element: name, // > REVISIT: when is error.element needed?
-    type: element.items ? element.items.type : type,
+    type: element.items ? element.items._type : type,
     value
   })
 
@@ -154,7 +156,7 @@ const checkComplexType = ([key, value], elements, ignoreNonModelledData) => {
   for (const objKey in elements) {
     if (objKey.startsWith(`${key}_`)) {
       const element = elements[objKey]
-      const check = CDS_TYPE_CHECKS[element.type]
+      const check = CDS_TYPE_CHECKS[element._type]
       found = true
 
       const nestedData = value[objKey.substring(key.length + 1)]
@@ -168,7 +170,7 @@ const checkComplexType = ([key, value], elements, ignoreNonModelledData) => {
   return found || ignoreNonModelledData
 }
 
-const _checkStaticElementByKey = (definition, key, value, result, ignoreNonModelledData) => {
+const _checkStaticElementByKey = (definition, key, value, result = [], ignoreNonModelledData = true) => {
   const elementsOrParameters = definition.elements || definition.params
   if (!elementsOrParameters) return result
   const elementOrParameter = elementsOrParameters[key]
@@ -182,16 +184,16 @@ const _checkStaticElementByKey = (definition, key, value, result, ignoreNonModel
   }
 
   let check
-  if (elementOrParameter.type === 'cds.UUID' && definition.name === 'ProvisioningService.tenant') {
+  if (elementOrParameter.isUUID && definition.name === 'ProvisioningService.tenant') {
     // > old SCP accounts don't have UUID ids
     check = CDS_TYPE_CHECKS['cds.String']
   } else {
-    check = CDS_TYPE_CHECKS[elementOrParameter.type]
+    check = CDS_TYPE_CHECKS[elementOrParameter._type]
   }
 
   if (check && !check(value, elementOrParameter)) {
     // code, entity, element, value
-    const args = [typeof value === 'string' ? '"' + value + '"' : value, elementOrParameter.type]
+    const args = [typeof value === 'string' ? '"' + value + '"' : value, elementOrParameter._type]
     result.push(assertError({ code: ASSERT_DATA_TYPE, args }, elementOrParameter, value, key))
   }
 
@@ -274,18 +276,18 @@ const checkIfAssocDeep = (element, value, req) => {
 /**
  * @param {import('../../types/api').InputConstraints} constraints
  */
-const checkInputConstraints = ({ element, value, errors, key, pathSegments, event }) => {
+const checkInputConstraints = ({ element, value, errors, key, path, event }) => {
   if (!element) return errors
 
-  _checkMandatoryElement(element, value, errors, key, pathSegments)
+  _checkMandatoryElement(element, value, errors, key, path)
 
   if (value == null) return errors
 
-  _checkEnumElement(element, value, errors, key, pathSegments)
+  _checkEnumElement(element, value, errors, key, path)
 
-  _checkRangeElement(element, value, errors, key, pathSegments)
+  _checkRangeElement(element, value, errors, key, path)
 
-  _checkFormatElement(element, value, errors, key, pathSegments)
+  _checkFormatElement(element, value, errors, key, path)
 
   return errors
 }
@@ -310,13 +312,15 @@ const checkKeys = (entity, data) => {
   const entityKeys = Object.keys(entity.keys)
   return data.reduce((result, row) => {
     for (const key of entityKeys) {
-      if (row[key] === undefined && entity.elements[key].type !== 'cds.Association')
+      if (row[key] === undefined && !entity.elements[key].isAssociation)
         result.push(assertError(ASSERT_NOT_NULL, entity.elements[key]))
     }
     return result
   }, [])
 }
 
+const assertNotNullError = element => assertError(ASSERT_NOT_NULL, element)
+
 module.exports = {
   CDS_TYPE_CHECKS,
   checkComplexType,
@@ -324,5 +328,7 @@ module.exports = {
   checkInputConstraints,
   checkKeys,
   assertError,
-  checkIfAssocDeep
+  checkIfAssocDeep,
+  checkStaticElementByKey: _checkStaticElementByKey,
+  assertNotNullError
 }

package/libx/_runtime/cds.js

@@ -14,7 +14,14 @@ cds.extend(entity).with(require('./common/aspects/entity'))
  * mtx?
  */
 Object.defineProperty(cds, '_mtxEnabled', {
-  get: () => cds.mtx && typeof cds.mtx.in === 'function',
+  get: () => cds.mtx && typeof cds.mtx.in === 'function' && !cds.env.features.streamlined_mtx,
+  configurable: true
+})
+Object.defineProperty(cds, '_mpsEnabled', {
+  get: () =>
+    cds.requires.extensibility ||
+    cds.requires.toggles ||
+    (cds.requires.multitenancy && cds.env.features.streamlined_mtx),
   configurable: true
 })
 
@@ -23,6 +30,7 @@ Object.defineProperty(cds, '_mtxEnabled', {
  */
 // referential integrity
 // REVISIT: why is _db_foreign_key_constraints necessary?
+// REVISIT: Do not access cds.env too early!
 Object.defineProperty(cds.env.features, '_db_foreign_key_constraints', {
   get: () => {
     const { assert_integrity: ai, assert_integrity_type: ait } = cds.env.features

package/libx/_runtime/common/aspects/any.js

@@ -1,4 +1,5 @@
 const { getRelations, isMandatory, isReadOnly } = require('./utils')
+const { foreignKey4 } = require('../../common/utils/foreignKeyPropagations')
 
 // NOTE: Please only add things which are relevant to _any_ type,
 // use specialized types otherwise (entity, Association, ...).
@@ -19,4 +20,8 @@ module.exports = class {
   get _relations() {
     return this.own('__relations') || this.set('__relations', getRelations(this))
   }
+
+  get _foreignKey4() {
+    return this.own('__foreignKey4') || this.set('__foreignKey4', foreignKey4(this))
+  }
 }

package/libx/_runtime/common/aspects/entity.js

@@ -7,13 +7,23 @@ const { getETag, hasPersonalData, hasSensitiveData } = require('./utils')
 
 let getSearchableColumns
 
+const _flat2struct = (def, prefix = '') => {
+  const map = {}
+  for (const ele in def.elements) {
+    if (def.elements[ele].elements)
+      Object.assign(map, _flat2struct(def.elements[ele], prefix ? prefix + '$$$' + ele : ele))
+    else if (prefix) map[prefix.replace(/\$\$\$/g, '_') + '_' + ele] = [...prefix.split('$$$'), ele]
+  }
+  return map
+}
+
 module.exports = class {
   get _isSingleton() {
     return (
       this.own('__isSingleton') ||
       this.set(
         '__isSingleton',
-        this['@odata.singleton'] || (this['@odata.singleton.nullable'] && this['@odata.singleton'] !== false)
+        !!(this['@odata.singleton'] || (this['@odata.singleton.nullable'] && this['@odata.singleton'] !== false))
       )
     )
   }
@@ -23,7 +33,7 @@ module.exports = class {
       this.own('__hasPersistenceSkip') ||
       this.set(
         '__hasPersistenceSkip',
-        this.own('@cds.persistence.skip') && this.own('@cds.persistence.skip') !== 'if-unused'
+        !!(this.own('@cds.persistence.skip') && this.own('@cds.persistence.skip') !== 'if-unused')
       )
     )
   }
@@ -33,9 +43,11 @@ module.exports = class {
       this.own('__isDraftEnabled') ||
       this.set(
         '__isDraftEnabled',
-        (this.associations && this.associations.DraftAdministrativeData) ||
+        !!(
+          (this.associations && this.associations.DraftAdministrativeData) ||
           this.name.match(/\.DraftAdministrativeData$/) ||
           (this.own('@odata.draft.enabled') && this.own('@Common.DraftRoot.ActivationAction'))
+        )
       )
     )
   }
@@ -66,25 +78,31 @@ module.exports = class {
   get _auditCreate() {
     return (
       this.own('__auditCreate') ||
-      this.set('__auditCreate', this._hasPersonalData && this['@AuditLog.Operation.Insert'])
+      this.set('__auditCreate', !!(this._hasPersonalData && this['@AuditLog.Operation.Insert']))
     )
   }
 
   get _auditRead() {
-    return this.own('__auditRead') || this.set('__auditRead', this._hasPersonalData && this['@AuditLog.Operation.Read'])
+    return (
+      this.own('__auditRead') || this.set('__auditRead', !!(this._hasPersonalData && this['@AuditLog.Operation.Read']))
+    )
   }
 
   get _auditUpdate() {
     return (
       this.own('__auditUpdate') ||
-      this.set('__auditUpdate', this._hasPersonalData && this['@AuditLog.Operation.Update'])
+      this.set('__auditUpdate', !!(this._hasPersonalData && this['@AuditLog.Operation.Update']))
     )
   }
 
   get _auditDelete() {
     return (
       this.own('__auditDelete') ||
-      this.set('__auditDelete', this._hasPersonalData && this['@AuditLog.Operation.Delete'])
+      this.set('__auditDelete', !!(this._hasPersonalData && this['@AuditLog.Operation.Delete']))
     )
   }
+
+  get _flat2struct() {
+    return this.own('_flat2struct') || this.set('_flat2struct', _flat2struct(this))
+  }
 }

package/libx/_runtime/common/aspects/utils.js

@@ -51,7 +51,7 @@ const hasPersonalData = entity => {
       }
     }
   }
-  return val
+  return !!val
 }
 
 const hasSensitiveData = entity => {
@@ -64,7 +64,7 @@ const hasSensitiveData = entity => {
       }
     }
   }
-  return val
+  return !!val
 }
 
 const _exposeRelation = relation => Object.defineProperty({}, '_', { get: () => relation })

package/libx/_runtime/common/composition/data.js

@@ -236,6 +236,11 @@ const _selectDeepUpdateData = async args => {
   return _mergeResults(result, selectData || [], root, model, compositionTree, entityName)
 }
 
+// if a view has an orderBy with renamed field, we need to resolve it
+const _resolveOrderBy = (orderBy, transitions) => {
+  if (orderBy && transitions.length > 0) orderBy.map(el => (el.ref[0] = transitions[0].mapping.get(el.ref[0]).ref[0]))
+}
+
 /*
  * exports
  */
@@ -255,6 +260,7 @@ const selectDeepUpdateData = (service, model, req, selectAllColumns = false) =>
   const entityName = ensureNoDraftsSuffix(from)
   const draft = entityName !== from
   const orderBy = req && req.target && req.target.query && req.target.query.SELECT && req.target.query.SELECT.orderBy
+  _resolveOrderBy(orderBy, sqlQuery.UPDATE._transitions)
   const data = Object.assign({}, sqlQuery.UPDATE.data || {}, query.UPDATE.with || {})
   const compositionTree = getCompositionTree({
     definitions: model.definitions,

package/libx/_runtime/common/composition/insert.js

@@ -55,7 +55,8 @@ const _addSubDeepInsertCQN = (model, compositionTree, data, cqns, draft) => {
 
 const _entityFromINSERT = (model, INSERT) => {
   if (INSERT && INSERT.into) {
-    const entityName = ensureNoDraftsSuffix(INSERT.into.name || INSERT.into)
+    const into = (INSERT.into.ref && INSERT.into.ref[0]) || INSERT.into.name || INSERT.into
+    const entityName = ensureNoDraftsSuffix(into)
     return model.definitions[entityName]
   }
 }
@@ -75,7 +76,7 @@ const hasDeepInsert = (model, cqn) => {
 }
 
 const getDeepInsertCQNs = (model, cqn) => {
-  const into = cqn.INSERT.into.name || cqn.INSERT.into
+  const into = (cqn.INSERT.into.ref && cqn.INSERT.into.ref[0]) || cqn.INSERT.into.name || cqn.INSERT.into
   const entityName = ensureNoDraftsSuffix(into)
   const draft = entityName !== into
   const dataEntries = cqn.INSERT.entries ? deepCopyArray(cqn.INSERT.entries) : []

package/libx/_runtime/common/composition/tree.js

@@ -5,6 +5,7 @@ const { isRootEntity } = require('../utils/csn')
 const { getTransition, getDBTable } = require('../utils/resolveView')
 
 const getError = require('../../common/error')
+const { prefixForStruct } = require('../../common/utils/csn')
 
 /*
  * own utils
@@ -17,19 +18,12 @@ const _foreignKeysToLinks = (element, inverse) =>
           childElement: e.parentElement,
           parentElement: e.childElement,
           childFieldValue: e.parentFieldValue,
-          parentFieldValue: e.childFieldValue,
-          prefix: e.prefix
+          parentFieldValue: e.childFieldValue
         }
       : e
     const link = {}
-    if (e.parentElement)
-      link.entityKey =
-        e.prefix && !e.parentElement.name.includes(e.prefix)
-          ? `${e.prefix}_${e.parentElement.name}`
-          : e.parentElement.name
-    if (e.childElement)
-      link.targetKey =
-        e.prefix && !e.childElement.name.includes(e.prefix) ? `${e.prefix}_${e.childElement.name}` : e.childElement.name
+    if (e.parentElement) link.entityKey = prefixForStruct(e.parentElement) + e.parentElement.name
+    if (e.childElement) link.targetKey = prefixForStruct(e.childElement) + e.childElement.name
     if (e.parentFieldValue !== undefined) link.entityVal = e.parentFieldValue
     if (e.childFieldValue !== undefined) link.targetVal = e.childFieldValue
     return link

package/libx/_runtime/common/composition/update.js

@@ -58,11 +58,11 @@ const _unwrapVal = obj => {
 
 function _fillLinkFromStructuredData(entity, entry) {
   for (const elementName in entity.elements) {
-    const foreignKey4 = entity.elements[elementName]['@odata.foreignKey4']
-    if (foreignKey4 && entry[foreignKey4]) {
+    const _foreignKey4 = entity.elements._foreignKey4
+    if (_foreignKey4 && entry[_foreignKey4]) {
       const foreignKey = entity.elements[elementName].name
       const childKey = foreignKey.split('_')[1]
-      const val = _unwrapVal(entry[foreignKey4])[childKey]
+      const val = _unwrapVal(entry[_foreignKey4])[childKey]
       if (val !== undefined) entry[foreignKey] = val
     }
   }
@@ -89,7 +89,7 @@ const _diffData = (newData, oldData, entity, newEntry, oldEntry, model) => {
     }
 
     // comp2one removed?
-    const fk = entity.elements[key] && entity.elements[key]['@odata.foreignKey4']
+    const fk = entity.elements[key] && entity.elements[key]._foreignKey4
     if (fk && newVal === undefined && oldVal !== undefined) {
       const nav = entity.elements[fk]
       // REVISIT: why check @cds.persistence.skip needed? bad tests?

package/libx/_runtime/common/constants/draft.js

@@ -1,30 +1,33 @@
+const DRAFT_COLUMNS = ['IsActiveEntity', 'HasActiveEntity', 'HasDraftEntity', 'DraftAdministrativeData_DraftUUID']
+const DRAFT_COLUMNS_UNION = [
+  'IsActiveEntity',
+  'HasActiveEntity',
+  'HasDraftEntity',
+  'DraftAdministrativeData_DraftUUID',
+  'SiblingEntity',
+  'DraftAdministrativeData'
+]
+const DRAFT_COLUMNS_ADMIN = [
+  'DraftUUID',
+  'CreatedByUser',
+  'InProcessByUser',
+  'CreationDateTime',
+  'LastChangeDateTime',
+  'LastChangedByUser',
+  'DraftIsProcessedByMe',
+  'DraftIsCreatedByMe'
+]
+
+const objectify = arr =>
+  arr.reduce((acc, cur) => {
+    acc[cur] = 1
+    return acc
+  }, {})
+
 module.exports = {
-  DRAFT_COLUMNS: ['IsActiveEntity', 'HasActiveEntity', 'HasDraftEntity', 'DraftAdministrativeData_DraftUUID'],
-  DRAFT_COLUMNS_MAP: {
-    IsActiveEntity: true,
-    HasActiveEntity: true,
-    HasDraftEntity: true,
-    DraftAdministrativeData_DraftUUID: true,
-    DraftUUID: true
-  },
-  DRAFT_COLUMNS_UNION: [
-    'IsActiveEntity',
-    'HasActiveEntity',
-    'HasDraftEntity',
-    'DraftAdministrativeData_DraftUUID',
-    'SiblingEntity',
-    'DraftAdministrativeData'
-  ],
-  DRAFT_COLUMNS_ADMIN: [
-    'DraftUUID',
-    'CreatedByUser',
-    'InProcessByUser',
-    'CreationDateTime',
-    'LastChangeDateTime',
-    'LastChangedByUser',
-    'DraftIsProcessedByMe',
-    'DraftIsCreatedByMe'
-  ],
+  DRAFT_COLUMNS_MAP: objectify(DRAFT_COLUMNS),
+  DRAFT_COLUMNS_UNION_MAP: objectify(DRAFT_COLUMNS_UNION),
+  DRAFT_COLUMNS_ADMIN_MAP: objectify(DRAFT_COLUMNS_ADMIN),
   DRAFT_COLUMNS_CQN: [
     { ref: ['IsActiveEntity'], cast: { type: 'cds.Boolean' } },
     { ref: ['HasActiveEntity'], cast: { type: 'cds.Boolean' } },

package/libx/_runtime/common/error/constants.js

@@ -1,6 +1,6 @@
 module.exports = {
-  ALLOWED_PROPERTIES: ['code', 'message', 'target', 'details', 'innererror'],
-  ADDITIONAL_MSG_PROPERTIES: ['numericSeverity', 'longtextUrl', 'transition'],
+  ALLOWED_PROPERTIES_MAP: { code: 1, message: 1, target: 1, details: 1, innererror: 1 },
+  ADDITIONAL_MSG_PROPERTIES_MAP: { numericSeverity: 1, longtextUrl: 1, transition: 1 },
   /*
    * severities:
    *   1: success

package/libx/_runtime/common/error/frontend.js

@@ -6,8 +6,6 @@
  *   Error responses MAY contain annotations in any of its JSON objects.
  */
 
-const cds = require('../../cds')
-
 let _i18n
 const i18n = (...args) => {
   if (!_i18n) _i18n = require('../i18n')
@@ -15,12 +13,13 @@ const i18n = (...args) => {
 }
 
 const {
-  ALLOWED_PROPERTIES,
-  ADDITIONAL_MSG_PROPERTIES,
+  ALLOWED_PROPERTIES_MAP,
+  ADDITIONAL_MSG_PROPERTIES_MAP,
   DEFAULT_SEVERITY,
   MIN_SEVERITY,
   MAX_SEVERITY
 } = require('./constants')
+const ADDITIONAL_MSG_PROPERTIES = Object.keys(ADDITIONAL_MSG_PROPERTIES_MAP)
 
 const SKIP_SANITIZATION = '@cds.skip_sanitization'
 
@@ -32,7 +31,7 @@ const _getFiltered = err => {
     .forEach(k => {
       // REVISIT: do not remove innererror with cds^6
       if (k === 'innererror' && process.env.NODE_ENV === 'production' && !err[SKIP_SANITIZATION]) return
-      if (ALLOWED_PROPERTIES.includes(k) || k.startsWith('@')) {
+      if (k in ALLOWED_PROPERTIES_MAP || k.startsWith('@')) {
         error[k] = err[k]
       } else if (k === 'numericSeverity') {
         error['@Common.numericSeverity'] = err[k]
@@ -84,10 +83,7 @@ const _isAllowedError = errorCode => {
   return errorCode >= 300 && errorCode < 505
 }
 
-const _anonymousUser = req => {
-  // if no authentication used, we create a new user object in order to get the correct locale
-  return Object.defineProperty(new cds.User(), '_req', { enumerable: false, value: req })
-}
+const localeFrom = require('../../../../lib/req/locale')
 
 // - for one unique value, we use it
 // - if at least one 5xx exists, we use 500
@@ -104,9 +100,7 @@ const _statusCodeFromDetails = details => {
 }
 
 const normalizeError = (err, req) => {
-  const user = (req && req.user) || _anonymousUser(req)
-  const locale = user.locale
-
+  const locale = req.locale || (req.locale = localeFrom(req))
   const error = _normalize(err, locale)
 
   // derive status code from err status OR root code OR matching detail codes
@@ -160,9 +154,7 @@ const _normalizeMessage = (message, locale) => {
 }
 
 const getSapMessages = (messages, req) => {
-  const user = (req && req.user) || _anonymousUser(req)
-  const locale = user.locale
-
+  const locale = req.locale || (req.locale = localeFrom(req))
   const s = JSON.stringify(messages.map(message => _normalizeMessage(message, locale)))
   // convert non ascii to unicode
   return s.replace(/[\u007F-\uFFFF]/g, chr => {

package/libx/_runtime/common/generic/auth/capabilities.js

@@ -0,0 +1,59 @@
+const { cqnFrom } = require('./utils')
+const { RESTRICTIONS } = require('./constants')
+
+const _isRestricted = (req, capability, capabilityReadByKey) => {
+  if (capabilityReadByKey !== undefined && req.query.SELECT.one) {
+    return capabilityReadByKey === false
+  }
+  return capability === false
+}
+
+const _isNavigationRestricted = (target, path, annotation, req) => {
+  if (!target) return
+  const parts = annotation.split('.')
+  if (target && Array.isArray(target['@Capabilities.NavigationRestrictions.RestrictedProperties'])) {
+    for (const r of target['@Capabilities.NavigationRestrictions.RestrictedProperties']) {
+      if (r.NavigationProperty['='] === path && r[parts[0]]) {
+        return _isRestricted(
+          req,
+          r[parts[0]][parts[1]],
+          r.ReadRestrictions && r.ReadRestrictions['ReadByKeyRestrictions.Readable']
+        )
+      }
+    }
+  }
+}
+
+const _localName = entity => entity.name.replace(entity._service.name + '.', '')
+
+function handler(req) {
+  // TODO: Determine auth-relevant entity
+  const annotation = RESTRICTIONS[req.event]
+  if (!req.target || !annotation) return
+
+  const action = annotation.split('.').pop().toUpperCase()
+  const from = cqnFrom(req)
+  const nav = (from && from.ref && from.ref.map(el => el.id || el)) || []
+
+  if (nav.length > 1) {
+    const path = nav.slice(1).join('.')
+    const target = this.model.definitions[nav[0]]
+    if (_isNavigationRestricted(target, path, annotation, req)) {
+      // REVISIT: rework exception with using target
+      const trgt = `${_localName(target)}.${path}`
+      req.reject(405, 'ENTITY_IS_NOT_CRUD_VIA_NAVIGATION', [_localName(req.target), action, trgt])
+    }
+  } else if (
+    _isRestricted(
+      req,
+      req.target['@Capabilities.' + annotation],
+      req.target['@Capabilities.' + RESTRICTIONS.READABLE_BY_KEY]
+    )
+  ) {
+    req.reject(405, 'ENTITY_IS_NOT_CRUD', [_localName(req.target), action])
+  }
+}
+
+handler._initial = true
+
+module.exports = handler

package/libx/_runtime/common/generic/auth/constants.js

@@ -0,0 +1,20 @@
+const MOD_EVENTS = { UPDATE: 1, DELETE: 1, EDIT: 1 }
+const WRITE_EVENTS = Object.assign({ CREATE: 1, NEW: 1, PATCH: 1, CANCEL: 1 }, MOD_EVENTS)
+const CRUD_EVENTS = Object.assign({ READ: 1 }, WRITE_EVENTS)
+const DRAFT_EVENTS = { PATCH: 1, CANCEL: 1, draftActivate: 1, draftPrepare: 1 }
+
+const RESTRICTIONS = {
+  CREATE: 'InsertRestrictions.Insertable',
+  READ: 'ReadRestrictions.Readable',
+  READABLE_BY_KEY: 'ReadRestrictions.ReadByKeyRestrictions.Readable',
+  UPDATE: 'UpdateRestrictions.Updatable',
+  DELETE: 'DeleteRestrictions.Deletable'
+}
+
+module.exports = {
+  MOD_EVENTS,
+  WRITE_EVENTS,
+  CRUD_EVENTS,
+  DRAFT_EVENTS,
+  RESTRICTIONS
+}

package/libx/_runtime/common/generic/auth/expand.js

@@ -0,0 +1,54 @@
+const cds = require('../../../cds')
+
+const { rewriteExpandAsterisk } = require('../../utils/rewriteAsterisks')
+
+const { ensureNoDraftsSuffix } = require('../../../fiori/utils/handler')
+
+const _getTarget = (ref, target, definitions) => {
+  if (cds.env.effective.odata.proxies) {
+    const target_ = target.elements[ref[0]]
+    if (ref.length === 1) return definitions[ensureNoDraftsSuffix(target_.target)]
+    return _getTarget(ref.slice(1), target_, definitions)
+  }
+  const target_ = target.elements[ref.join('_')]
+  return definitions[ensureNoDraftsSuffix(target_.target)]
+}
+
+const _getRestrictedExpand = (columns, target, definitions) => {
+  if (!columns || !target || columns === '*') return
+
+  const annotation = target['@Capabilities.ExpandRestrictions.NonExpandableProperties']
+  const restrictions = annotation && annotation.map(element => element['='])
+
+  rewriteExpandAsterisk(columns, target)
+
+  for (const col of columns) {
+    if (col.expand) {
+      if (restrictions && restrictions.length !== 0) {
+        const ref = col.ref.join('_')
+        const ref_ = restrictions.find(element => element.replace(/\./g, '_') === ref)
+        if (ref_) return ref_
+      }
+      // expand: '**' or '*3' is only possible within custom handler, no check needed
+      if (typeof col.expand === 'string' && /^\*{1}[\d|*]+/.test(col.expand)) {
+        continue
+      } else {
+        const restricted = _getRestrictedExpand(col.expand, _getTarget(col.ref, target, definitions), definitions)
+        if (restricted) return restricted
+      }
+    }
+  }
+}
+
+function handler(req) {
+  const restricted = _getRestrictedExpand(
+    req.query.SELECT && req.query.SELECT.columns,
+    req.target,
+    this.model.definitions
+  )
+  if (restricted) req.reject(400, 'EXPAND_IS_RESTRICTED', [restricted])
+}
+
+handler._initial = true
+
+module.exports = handler

package/libx/_runtime/common/generic/auth/index.js

@@ -0,0 +1,32 @@
+const cds = require('../../../cds')
+
+const requiresHandler = require('./requires')
+const readOnlyHandler = require('./readOnly')
+const insertOnlyHandler = require('./insertOnly')
+const capabilitiesHandler = require('./capabilities')
+const restrictHandler = require('./restrict')
+const restrictExpandHandler = require('./expand')
+
+module.exports = cds.service.impl(function authorization() {
+  /*
+   * @requires
+   */
+  this.before('*', requiresHandler)
+
+  /*
+   * access control (cheaper than @restrict -> do first)
+   */
+  this.before('*', readOnlyHandler)
+  this.before('*', insertOnlyHandler)
+  this.before('*', capabilitiesHandler)
+
+  /*
+   * @restrict
+   */
+  this.before('*', restrictHandler)
+
+  /*
+   * expand restrictions
+   */
+  this.before('READ', '*', restrictExpandHandler)
+})

package/libx/_runtime/common/generic/auth/insertOnly.js

@@ -0,0 +1,15 @@
+const { getAuthRelevantEntity } = require('./utils')
+
+function handler(req) {
+  const entity = getAuthRelevantEntity(req, this.model, ['@insertonly'])
+  if (!entity || !entity['@insertonly']) return
+
+  const allowed = entity._isDraftEnabled ? { NEW: 1, PATCH: 1 } : { CREATE: 1 }
+  if (!(req.event in allowed)) {
+    req.reject(405, 'ENTITY_IS_INSERT_ONLY', [entity.name])
+  }
+}
+
+handler._initial = true
+
+module.exports = handler