@sap/cds 5.9.0 → 5.9.3

package/CHANGELOG.md

@@ -4,6 +4,41 @@
 - The format is based on [Keep a Changelog](http://keepachangelog.com/).
 - This project adheres to [Semantic Versioning](http://semver.org/).
 
+## Version 5.9.3 - 2022-04-25
+
+### Fixed
+
+- Since 5.8.2 `req.target` for requests like `srv.put('/MyService.entity')` is defined, but `req.query` undefined (before `req.target` was also undefined). This was leading to accessing undefined, which has been fixed. 
+- Custom actions with names conflicting with methods from service base classes, e.g. `run()`, could lead to hard-to-detect errors. This is now detected and avoided with a warning. 
+- Typed methods for custom actions were erroneously applied to `cds.db` service, which led to server crashes, e.g. when the action was named `deploy()`. 
+- Invalid batch requests were further processed after error response was already sent to client, leading to an InternalServerError
+- Full support of `SELECT` queries with operator expressions (`xpr`)
+
+
+## Version 5.9.2 - 2022-04-07
+
+### Fixed
+
+- i18n translation for errors did not work correctly in some cases
+- Normalization in custom `getRestrictions`
+- Throw exception by `INSERT` into HANA queries if number of provided rows deviates from number of affected rows returned by hdb to prevent data losses
+- Handler detection for extended services
+- Speed-up in localization handling
+- Draft: navigation via an association to many from a non-draft enabled entity to a draft-enabled entity
+- Limited support of `SELECT` queries with operator expressions (`xpr`)
+
+## Version 5.9.1 - 2022-03-31
+
+### Fixed
+
+- Function arguments might be escaped too often
+- URL encoding for remote services for CQN queries
+- `cds serve` during development again redirects URLs with for UI apps in a folder with the same name as a service, so `/foo/webapp` would redirect to `/foo`.  This got broken in 5.8.3.
+- Endless loop in localization handling
+- Ensure service impl while extending entity from the service
+- Post-processing of custom draft queries
+- No minifying of CSN artifacts for Java build
+
 ## Version 5.9.0 - 2022-03-25
 
 ### Added

package/app/fiori/routes.js

@@ -1,4 +1,6 @@
 const cds = require('../../lib')
+const DEBUG = cds.debug('fiori/routes')
+const {dirname, relative, join} = require('path')
 
 // Only for local cds runs w/o approuter:
 // If there is a relative URL in UI5's manifest.json for the datasource,
@@ -11,16 +13,20 @@ cds.on ('bootstrap', app => {
   const v2Prefix = (env.odata.v2proxy && env.odata.v2proxy.urlpath) || '/v2'
   const serviceForUri = {}
 
-  dataSourceURIs (env.folders.app).forEach(uri => {
-    app.use('*/'+uri, ({originalUrl}, res, next)=> {  //  */browse/webapp[/prefix]/browse/
+  dataSourceURIs (env.folders.app).forEach(({appPath, dataSourceUri}) => {
+    const uiRoutes = [
+      join('/', appPath,      dataSourceUri, '*'), //  /uiApp/webapp/browse/*
+      join('/', appPath, '*', dataSourceUri, '*')  //  /uiApp/webapp/*/browse/*
+    ].map(r => r.replace(/\\/g, '/')) // handle Windows \
+    DEBUG && DEBUG ('Register routes', uiRoutes)
+
+    app.use(uiRoutes, ({originalUrl}, res, next)=> {
       // any of our special URLs ($fiori-, $api-docs) ? -> next
       if (originalUrl.startsWith('/$'))  return next()
-      // is there a service starting with the URL? -> next
-      if (cds.service.providers.find (srv => originalUrl.startsWith(srv.path)))  return next()
 
       // is there a service for '[prefix]/browse' ?
-      const srv = serviceForUri[uri] || (serviceForUri[uri] =
-        cds.service.providers.find (srv => ('/'+uri).lastIndexOf(srv.path) >=0))
+      const srv = serviceForUri[dataSourceUri] || (serviceForUri[dataSourceUri] =
+        cds.service.providers.find (srv => ('/'+dataSourceUri).lastIndexOf(srv.path) >=0))
       if (srv) {
         let redirectUrl
         // odata-proxy may be in the line with its /v2 prefix.  Make sure we retain it.
@@ -30,7 +36,7 @@ cds.on ('bootstrap', app => {
         else // --> /browse/webapp[/prefix]/browse/ -> /browse
           redirectUrl = originalUrl.substring(originalUrl.lastIndexOf(srv.path+'/'))
         if (originalUrl !== redirectUrl)  {// safeguard to prevent running in loops
-          // console.log ('>>', req.originalUrl, '->', redirectUrl)
+          DEBUG && DEBUG ('Redirecting', {src: originalUrl}, '~>', {target: redirectUrl})
           return res.redirect (308, redirectUrl)
         }
       }
@@ -41,10 +47,11 @@ cds.on ('bootstrap', app => {
   function dataSourceURIs (dir) {
     const uris = new Set()
     find (dir, ['*/manifest.json', '*/*/manifest.json']).forEach(file => {
+      const appPath = relative(join(cds.root, dir), dirname(file))
       const {dataSources: ds} = JSON.parse(fs.readFileSync(file))['sap.app'] || {}
       Object.keys (ds||[])
         .filter (k => ds[k].uri && !ds[k].uri.startsWith('/')) // only consider relative URLs)
-        .forEach(k => uris.add(ds[k].uri))
+        .forEach(k => uris.add({ appPath, dataSourceUri: ds[k].uri }))
     })
     return uris
   }

package/lib/compile/cdsc.js

@@ -105,25 +105,7 @@ const _options = {for: Object.assign (_options4, {
  */
 module.exports = exports = {__proto__:compile, _options,
   for: {__proto__: compile.for,
-    odata: (csn,o) => {
-      if (features.ucsn) {
-        const { cloneCsn } = require('@sap/cds-compiler/lib/model/csnUtils') // REVISIT: This should be done by the compiler
-        if (compile.version() >= "2.12.1") {
-          const generateDrafts = require('@sap/cds-compiler/lib/transform/draft/odata')
-          const compiled = generateDrafts(cloneCsn(csn, {}), { messages: [] })
-          compiled.meta._4odata = true
-          return compiled
-        } else {
-            // not yet in compiler branch, can't add drafts
-            const cloned = cloneCsn(csn, {})
-            cloned.meta._4odata = true
-            return cloned
-        }
-      }
-      const compiled = compile.for.odata  (csn, _options.for.odata(o))
-      compiled.meta._4odata = true
-      return compiled
-    },
+    odata: (csn,o) => compile.for.odata  (csn, _options.for.odata(o)),
   },
   to: {__proto__: compile.to,
     edmx: Object.assign ((csn,o) => compile.to.edmx (csn, _options.for.edm(o)), {

package/lib/compile/etc/_localized.js

@@ -96,16 +96,17 @@ function unfold_csn (m) { // NOSONAR
 }
 
 
-const $localized = '$$localized', _is_localized = (d,_path) => {
-	if (d.own($localized)) return true
-	if (!d.elements || d.name.endsWith('.texts')) return false
+const $localized = '$$localized', _is_localized = (d,_path={}) => {
+	if (typeof d.own($localized) === 'boolean') return d.own($localized)
+	if (!d.elements || d.name.endsWith('.texts')) return d.set($localized,false)
 	// if (d.elements.texts && d.elements.texts.target === `${d.name}.texts`) return d.set($localized,true)
 	for (let each in d.elements) {
 		const e = d.elements [each]
-		if (e.localized || e._target && !(_path && e._target.name in _path) && _is_localized(e._target,{..._path, [d.name]:1 })) {
+		if (e.localized || e._target && !(_path && e._target.name in _path) && _is_localized(e._target,Object.assign(_path, { [d.name]:1 }))) {
 			return d.set($localized,true)
 		}
 	}
+  return d.set($localized,false)
 }
 
 

package/lib/compile/for/drafts.js

@@ -4,6 +4,6 @@ module.exports = function cds_compile_for_drafts (csn,o) {
   const unfold = cds_compile_for_drafts.unfold || (
     cds_compile_for_drafts.unfold = require ('@sap/cds-compiler/lib/transform/draft/odata')
   )
-  // csn = JSON.parse (JSON.stringify (csn)) // REVISIT: workaround for bad test setup
+  csn = JSON.parse (JSON.stringify (csn)) // REVISIT: workaround for bad test setup
   return unfold (csn,o||{})
 }

package/lib/compile/for/java.js

@@ -4,7 +4,7 @@ const _cached = Symbol('for Java')
 module.exports = function cds_compile_for_java (csn,o) {
   if (!csn) return
   const cached = csn[_cached]; if (cached) return cached
-  csn = cds.minify (csn)
+  // csn = cds.minify (csn)
   csn = cds.compile.for.drafts (csn,o)
   // Add a parsed _where clause for @restrict.{grant,where} annotations
   if (csn.definitions) for (let {'@restrict':rr} of Object.values(csn.definitions)) if (rr) {

package/lib/compile/for/nodejs.js

@@ -4,7 +4,7 @@ const _cached = Symbol('for Node.js')
 module.exports = function cds_compile_for_nodejs (csn,o) {
   if (!csn) return
   const cached = csn[_cached]; if (cached) return cached
-  csn = cds.minify (csn)
+  // csn = cds.minify (csn)
   csn = cds.compile.for.drafts (csn,o) //> creates a partial copy -> avoid any cds.linked() before
   csn = cds.compile._localized.unfold_csn (csn)
   csn = cds.linked (csn)

package/lib/compile/for/odata.js

@@ -13,4 +13,4 @@ module.exports = function cds_compile_for_odata (csn,_o) {
   return _4odata
 }
 
-const _is_odata = csn => csn.meta && csn.meta._4odata
+const _is_odata = csn => csn.meta && csn.meta.transformation === 'odata'

package/lib/connect/bindings.js

@@ -1,4 +1,4 @@
-const DEBUG = /\b(y|all|serve)\b/.test (process.env.DEBUG) && console.warn
+const DEBUG = /\b(y|all|serve|bindings)\b/.test (process.env.DEBUG) && console.warn
 // || console.debug
 
 const cds = require ('..')

package/lib/connect/index.js

@@ -1,5 +1,4 @@
 const cds = require('..'), {one_model} = cds.env.features, LOG = cds.log('cds.connect')
-const factory = require('../serve/factory')
 const _pending = cds.services._pending || {} // used below to chain parallel connect.to(<same>)
 
 /**
@@ -22,7 +21,7 @@ const connect = module.exports = async function cds_connect (options) {
  * @returns { Promise<import('../serve/Service-api')> }
  */
 connect.to = async (datasource, options) => {
-  let Service = factory, _done = x=>x
+  let Service = cds.service.factory, _done = x=>x
   if (typeof datasource === 'object') [options,datasource] = [datasource]
   else if (datasource) {
     if (datasource._is_service_class) [ Service, datasource ] = [ datasource, datasource.name ]
@@ -33,7 +32,7 @@ connect.to = async (datasource, options) => {
     // queue parallel requests to a single promise, to avoid creating multiple services
     _pending[datasource] = new Promise (r=>_done=r).finally(()=>{ delete _pending[datasource] })
   }
-  const o = Service === factory ? options4 (datasource, options) : {}
+  const o = Service === cds.service.factory ? options4 (datasource, options) : {}
   const m = await model4 (o)
   // check if required service definition exists
   const required = cds.requires[datasource]

package/lib/env/requires.js

@@ -1,4 +1,4 @@
-const _runtime = '../../libx/_runtime'
+const _runtime = '@sap/cds/libx/_runtime'
 
 exports = module.exports = {
 

package/lib/index.js

@@ -12,6 +12,7 @@ if (global.cds) Object.assign(module,{exports:global.cds}) ; else {
       /** @type {{ [path:string] : Service }} */ paths: {},
       /** @type Service[] */ providers: [],
       factory: require ('./serve/factory'),
+      adapters: require ('./serve/adapters'),
       bindings: require ('./connect/bindings'),
     })}
     /** @type {import './req/context'} */
@@ -80,7 +81,7 @@ if (global.cds) Object.assign(module,{exports:global.cds}) ; else {
     ApplicationService: lazy => require('../libx/_runtime/cds-services/services/Service.js'),
     MessagingService: lazy => require('../libx/_runtime/messaging/service.js'),
     DatabaseService: lazy => require('../libx/_runtime/db/Service.js'),
-    RemoteService: lazy => require('../libx/_runtime/rest/service.js'),
+    RemoteService: lazy => require('../libx/_runtime/remote/Service.js'),
     AuditLogService: lazy => require('../libx/_runtime/audit/Service.js'),
     odata: require('../libx/odata'),
 

package/lib/serve/Service-methods.js

@@ -1,5 +1,12 @@
+const cds = require('..')
+const LOG = cds.log('cds-app-service-methods')
+
 
 module.exports = (srv) => {
+  if (!( //> we only support that for app services
+    srv instanceof cds.ApplicationService ||
+    srv instanceof cds.RemoteService
+  )) return
   for (const each of srv.operations) {
     add_handler_for (srv, each)
   }
@@ -16,7 +23,23 @@ const add_handler_for = (srv, def) => {
   // Use existing methods as handler implementations
   const method = srv[event]
   if (method) {
-    if (method._is_stub || method.name in srv.__proto__.__proto__) return
+    if (method._is_stub) return
+    const baseclass = (
+      srv.__proto__ === cds.ApplicationService.prototype ? srv.__proto__ :
+      srv.__proto__ === cds.RemoteService.prototype ? srv.__proto__ :
+      srv.__proto__.__proto__ // in case of class-based impls
+    )
+    if (method.name in baseclass) return LOG.warn(`WARNING: custom ${def.kind} '${event}()' conflicts with method in base class.
+
+      Cannot add typed method for custom ${def.kind} '${event}' to service impl of '${srv.name}',
+      as this would shadow equally named method in service base class '${baseclass.constructor.name}'.
+      Consider choosing a different name for your custom ${def.kind}.
+      Learn more at https://cap.cloud.sap/docs/guides/providing-services#actions-and-functions.
+    `)
+    LOG.debug (`
+      Using method ${event} from service class '${baseclass.constructor.name}'
+      as handler for ${def.kind} '${event}' in service '${srv.name}'
+    `)
     srv.on (event, function ({params,data}) {
       const args = []; if (def.parent) args.push (def.parent)
       for (let p in params) args.push(params[p])
@@ -26,6 +49,10 @@ const add_handler_for = (srv, def) => {
   }
 
   // Add stub methods to send request via typed API
+  LOG.debug (`
+    Adding typed method stub for calling custom ${def.kind} '${event}'
+    to service impl '${srv.name}'
+  `)
   const stub = srv[event] = function (...args) {
     const req = { event, data:{} }, $ = args[0]
     const target = this.entities [ $ && $.name ? $.name.match(/\w*$/)[0] : $ ]

package/lib/serve/adapters.js

@@ -1,11 +1,11 @@
 const lib = require('../../libx/_runtime')
 const registry = {
-  rest: lib.to.old_rest,
-  new_rest: lib.to.new_rest,
-  odata: lib.to.odata_v4,
-  odata_v2: lib.to.odata_v4,
-  odata_v4: lib.to.odata_v4,
-  fiori: lib.to.odata_v4,
+  get rest() { return lib.to.old_rest },
+  get new_rest() { return lib.to.new_rest },
+  get odata() { return lib.to.odata_v4 },
+  get odata_v2() { return lib.to.odata_v4 },
+  get odata_v4() { return lib.to.odata_v4 },
+  get fiori() { return lib.to.odata_v4 },
 }
 
 

package/lib/serve/factory.js

@@ -1,5 +1,6 @@
-const cds = require('..')
-const { path, isfile } = cds.utils
+const cds = require('..'), { path, isfile } = cds.utils
+const paths = Array.from (new Set ([ cds.root, ...require.resolve.paths('x') ]))
+const DEBUG = cds.debug('srv.factory'); DEBUG && DEBUG ({ 'cds.root':cds.root, paths })
 
 /** @typedef {import('./Service-api')} Service @type { (()=>Service) & (new()=>Service) } */
 const ServiceFactory = function (name, model, options) { //NOSONAR
@@ -8,6 +9,7 @@ const ServiceFactory = function (name, model, options) { //NOSONAR
   const serve = !cds.requires[name] || o.mocked
   const defs = !model ? {[name]:{}} : model.definitions || cds.error (`Invalid argument for 'model': ${model}`)
   const def = !name || name === 'db' ? {} : defs[name] || {}
+  DEBUG && DEBUG ({ name, definition:def, options:o })
 
   let it /* eslint-disable no-cond-assign */
   if (it = o.with)                 return _use (it) // from cds.serve (<options>)
@@ -27,21 +29,24 @@ const ServiceFactory = function (name, model, options) { //NOSONAR
 
   function _required() {
     const kind = o.kind = serve && def['@kind'] || o.kind || 'app-service'
-    if (_required[kind]) return _required[kind]
+    if (_require[kind]) return _require[kind]
     const {impl} = cds.requires[kind] || cds.error (`No configuration found for 'cds.requires.${kind}'`)
-    return _required[kind] = _require (impl || cds.error (`No 'impl' configured for 'cds.requires.${kind}'`))
+    DEBUG && DEBUG ('requires',{kind,impl})
+    return _require[kind] = _require (impl || cds.error (`No 'impl' configured for 'cds.requires.${kind}'`))
   }
 }
 
 const _require = (it,d) => {
-  if (it.startsWith('@sap/cds/')) it = cds.home + it.slice(8)    //> for local tests in @sap/cds dev
-  else if (it.startsWith('./')) it = _relative (d, it.slice(2)) //> relative to <service>.cds
-  else if (it.startsWith('//')) it = path.resolve (cds.root,it.slice(2)) //> relative to cds.root
-  try { var resolved = require.resolve(it) } catch(e) {
+  DEBUG && d && DEBUG ('requires',{ service: d.name, source:_source(d), impl:it })
+  if (it.startsWith('@sap/cds/')) it = cds.home + it.slice(8)  //> for local tests in @sap/cds dev
+  if (it.startsWith('./')) it = _relative (d,it.slice(2))     //> relative to <service>.cds
+  try { var resolved = require.resolve(it,{paths}) } catch(e) {
     try { resolved = require.resolve(it = path.resolve(cds.root,it)) } catch(e) { // for compatibility
+      DEBUG && DEBUG (`Failed loading service implementation from '${it}'`, { 'cds.root':cds.root, paths })
       throw cds.error(`Failed loading service implementation from '${it}'`)
     }
   }
+  DEBUG && DEBUG({resolved})
   return require(resolved)
 }
 
@@ -59,7 +64,7 @@ const sibling = (d) => {
     let found
     if (process.env.CDS_TYPESCRIPT === 'true') found = isfile(path.join(home, each, file + '.ts'))
     if (!found) found = isfile(path.join(home, each, file + '.js'))
-    if (found)  return found
+    if (found)  return found //> equiv to '.'+found.slice(home.length)
   }
 }
 

package/lib/serve/index.js

@@ -1,6 +1,6 @@
-const { ProtocolAdapter } = require('./adapters')
-const { Service } = require('./factory')
 const cds = require ('..')
+const { ProtocolAdapter } = cds.service.adapters
+const { Service } = cds.service.factory
 const _ready = Symbol(), _pending = cds.services._pending || {}
 
 /** @param som - a service name or a model (name or csn) */
@@ -54,7 +54,8 @@ function cds_serve (som, _options) { // NOSONAR
     // Shortcut for directly passed service classes
     if (o.service && o.service._is_service_class) {
       const Service = o.service, d = { name: o.service.name }
-      return all.push (_new (Service, d,csn,o))
+      const srv = _new (Service, d,csn,o)
+      return all.push (srv)
     }
 
     // Get relevant service definitions from model...

package/libx/_runtime/cds-services/adapter/odata-v4/OData.js

@@ -66,7 +66,12 @@ function _log(level, arg) {
 
     // reduce 4xx to warning
     if (isClientError(obj)) {
-      if (!LOG._warn) return
+      if (!LOG._warn) {
+        // restore
+        obj.message = _message
+        if (_details) obj.details = _details
+        return
+      }
       level = 'warn'
     }
   }

package/libx/_runtime/cds-services/adapter/odata-v4/okra/odata-server/deserializer/BatchRequestListBuilder.js

@@ -89,7 +89,9 @@ class BatchRequestListBuilder {
     source
       .pipe(reader)
       .on('finish', () => {
-        callback(null, this._requestInBatchList)
+        //Revisit: if statement needed in node v12 and v14, not in v16.
+        //Without it, finish callback reached in 12/14 after error handler was thrown
+        if (!source.res || !source.res.headersSent) callback(null, this._requestInBatchList)
       })
       .on('error', callback)
   }

package/libx/_runtime/cds-services/adapter/odata-v4/utils/dispatcherUtils.js

@@ -1,5 +1,6 @@
 const cds = require('../../../../cds')
 const OData = require('../OData')
+const DEBUG = cds.debug('extensibility')
 
 const { alias2ref } = require('../../../../common/utils/csn')
 const { BASE_TENANT } = require('../../../../common/utils/extensibilityUtils')
@@ -17,13 +18,18 @@ function createOdataService(service) {
   return odataService
 }
 
-async function createNewService(name, csn, defaultOptions) {
-  const options = Object.assign({}, defaultOptions, { reflectedModel: csn })
-
-  const service = new cds.ApplicationService(name, csn, options)
-  await service.init()
-  if (options.impl) service.impl(options.impl)
-
+async function createNewService(name, model, options) {
+  const { constructor: Service, path } = cds.services[name]
+  const service = new Service(name, model, { ...options }) // cloning options to be safe
+  if (service.init) await service.prepend(service.init)
+  if (options.impl) await service.prepend(options.impl)
+  if (path) service.path = path
+  DEBUG &&
+    DEBUG('Created tenant-specific service:', service.name, '= new', Service.name, {
+      _handlers: {
+        on: service._handlers.on.map(h => ({ on: h.on, handler: () => {} }))
+      }
+    })
   return createOdataService(service)
 }
 

package/libx/_runtime/cds-services/adapter/odata-v4/utils/stream.js

@@ -30,9 +30,7 @@ const _adaptSubSelectsDraft = select => {
       if (element.SELECT) {
         _adaptSubSelectsDraft(element)
       } else if (element.xpr) {
-        for (const ele of element.xpr.filter(e => e.SELECT)) {
-          _adaptSubSelectsDraft(ele)
-        }
+        _adaptSubSelectsDraft({ SELECT: { from: {}, where: element.xpr } })
       }
     }
   }

package/libx/_runtime/cds-services/services/Service.js

@@ -8,7 +8,7 @@ const { postProcess } = require('../../common/utils/postProcessing')
 const _isSimpleCqnQuery = q => typeof q === 'object' && q !== null && !Array.isArray(q) && Object.keys(q).length > 0
 
 // for getRestrictions()
-const { getNormalizedRestrictions, getApplicableRestrictions } = require('./utils/restrictions')
+const { getNormalizedRestrictions, getApplicableRestrictions } = require('../../common/generic/auth/restrictions.js')
 const WRITE_EVENTS = { CREATE: 1, NEW: 1, UPDATE: 1, PATCH: 1, DELETE: 1, CANCEL: 1, EDIT: 1 }
 const CRUD = Object.assign({ READ: 1 }, WRITE_EVENTS)
 

package/libx/_runtime/common/composition/data.js

@@ -12,20 +12,13 @@ const { SELECT } = cds.ql
  * own utils
  */
 
-const _isSameEntity = (cqn, req) => {
-  const where = cqn.UPDATE.where || []
-  const persistentObj = Array.isArray(req._.partialPersistentState)
-    ? req._.partialPersistentState[0]
-    : req._.partialPersistentState
-  if (!persistentObj) {
-    // If no data was found we don't know if it is the same entity
-    return false
-  }
-  const target = getDBTable(req.target)
-  if (target.name !== (cqn.UPDATE.entity.ref && cqn.UPDATE.entity.ref[0]) && target.name !== cqn.UPDATE.entity) {
-    return false
-  }
+const _isSameEntityInWhere = (where, target, persistentObj) => {
   for (let i = 0; i < where.length; i++) {
+    if (where[i].xpr) {
+      const res = _isSameEntityInWhere(where[i].xpr, target, persistentObj)
+      if (!res) return res
+      continue
+    }
     if (!where[i] || !where[i].ref || !target.elements[where[i].ref]) {
       continue
     }
@@ -40,6 +33,22 @@ const _isSameEntity = (cqn, req) => {
   return true
 }
 
+const _isSameEntity = (cqn, req) => {
+  const where = cqn.UPDATE.where || []
+  const persistentObj = Array.isArray(req._.partialPersistentState)
+    ? req._.partialPersistentState[0]
+    : req._.partialPersistentState
+  if (!persistentObj) {
+    // If no data was found we don't know if it is the same entity
+    return false
+  }
+  const target = getDBTable(req.target)
+  if (target.name !== (cqn.UPDATE.entity.ref && cqn.UPDATE.entity.ref[0]) && target.name !== cqn.UPDATE.entity) {
+    return false
+  }
+  return _isSameEntityInWhere(where, target, persistentObj)
+}
+
 const _getLinksOfCompTree = compositionTree => {
   const links = []
   for (const link of [...compositionTree.backLinks, ...compositionTree.customBackLinks]) {

package/libx/_runtime/common/composition/delete.js

@@ -216,6 +216,18 @@ const resolveNavigationTarget = (cqn, ref, model) => {
   return { target, elementName }
 }
 
+const _getDataFromOncond = (onCond, parent) => {
+  return onCond.reduce((res, e) => {
+    if (e.xpr) {
+      return Object.assign(res, _getDataFromOncond(e.xpr, parent))
+    }
+    if (!e.ref || e.ref[0] !== '$$parent') return res
+    const fk = e.ref.slice(1).join('_')
+    if (!parent.keys[fk]) res[fk] = null
+    return res
+  }, {})
+}
+
 // eslint-disable-next-line complexity
 const getSetNullParentForeignKeyCQNs = async (model, req, dbQuery) => {
   const cqns = []
@@ -229,12 +241,7 @@ const getSetNullParentForeignKeyCQNs = async (model, req, dbQuery) => {
     const element = parent.elements[elementName]
     if (element && element._isCompositionEffective && element.is2one) {
       const onCond = element && parent._relations[element.name].join('$$whatever', '$$parent')
-      const data = onCond.reduce((res, e) => {
-        if (!e.ref || e.ref[0] !== '$$parent') return res
-        const fk = e.ref.slice(1).join('_')
-        if (!parent.keys[fk]) res[fk] = null
-        return res
-      }, {})
+      const data = _getDataFromOncond(onCond, parent)
       cqn.data(data)
       cqn.__4delete = true
       if (Object.keys(data).length) cqns.push(cqn)
@@ -247,12 +254,7 @@ const getSetNullParentForeignKeyCQNs = async (model, req, dbQuery) => {
     for (const element of comp2oneParents) {
       const parent = element.parent
       const onCond = parent._relations[element.name].join('$$child', '$$parent')
-      const data = onCond.reduce((res, e) => {
-        if (!e.ref || e.ref[0] !== '$$parent') return res
-        const fk = e.ref.slice(1).join('_')
-        if (!parent.keys[fk]) res[fk] = null
-        return res
-      }, {})
+      const data = _getDataFromOncond(onCond, parent)
       const columns = getColumns(parent, { _4db: true, onlyKeys: true }).map(c => ({ ref: ['$$parent', c.name] }))
       const as = query.DELETE.from.as || (query.DELETE.from.ref && query.DELETE.from.ref[0]) || query.DELETE.from
       const selectCQN = SELECT.from(`${parent.name} as $$parent`)

package/libx/_runtime/common/generic/auth/restrict.js

@@ -2,6 +2,7 @@ const cds = require('../../../cds')
 
 const { reject, getRejectReason, resolveUserAttrs, getAuthRelevantEntity } = require('./utils')
 const { DRAFT_EVENTS, MOD_EVENTS } = require('./constants')
+const { getNormalizedPlainRestrictions } = require('./restrictions')
 
 const { cqn2cqn4sql } = require('../../utils/cqn2cqn4sql')
 
@@ -250,7 +251,8 @@ async function handler(req) {
     // > no applicable restrictions -> 403
     reject(req, getRejectReason(req, '@restrict', definition))
   }
-
+  // normalize
+  restrictions = getNormalizedPlainRestrictions(restrictions, definition)
   // at least one if the user's roles grants unrestricted access => done
   if (restrictions.some(restrict => !restrict.where)) return
 

package/libx/_runtime/{cds-services/services/utils → common/generic/auth}/restrictions.js

@@ -72,7 +72,14 @@ const getApplicableRestrictions = (restrictions, event, user) => {
   })
 }
 
+const getNormalizedPlainRestrictions = (restrictions, definition) => {
+  const result = []
+  for (const restriction of restrictions) _addNormalizedRestrict(restriction, result, definition)
+  return result
+}
+
 module.exports = {
   getNormalizedRestrictions,
-  getApplicableRestrictions
+  getApplicableRestrictions,
+  getNormalizedPlainRestrictions
 }

package/libx/_runtime/common/generic/input.js

@@ -184,6 +184,7 @@ const _getBoundActionBindingParameter = req => {
 }
 
 function _handler(req) {
+  if (!req.query) return // FIXME: the code below expects req.query to be defined
   if (!req.target) return
 
   const template = getTemplate('app-input', this, req.target, { pick: _pick })

package/libx/_runtime/common/generic/put.js

@@ -57,6 +57,7 @@ const _pick = element => {
 
 function _handler(req) {
   if (req.method !== 'PUT') return
+  if (!req.query) return // FIXME: the code below expects req.query to be defined
   if (!req.target) return
 
   // not for payloads with stream properties