@sap/cds 5.9.1 → 5.9.4

package/CHANGELOG.md

@@ -4,6 +4,54 @@
 - The format is based on [Keep a Changelog](http://keepachangelog.com/).
 - This project adheres to [Semantic Versioning](http://semver.org/).
 
+## Version 5.9.4 - 2022-05-02
+
+### Fixed
+
+- Error messages are improved if no `passport` module was found or if no `xsuaa` service binding is available
+- Issue fixed for `srv.get()`. It was returning `TypeError` in plain REST usage for external services, e.g. `srv.get('/some/arbitrary/path/111')`
+- Allow unrestricted services to run unauthenticated, removing the `Unable to require required package/file "passport"` error. Totally not recommended in production.  Note that though this restores pre 5.9.0 behavior, this will come again starting in 6.0.
+- Audit logging of sensitive data in a composition child if its parent is annotated with `@PersonalData.EntitySemantics: 'Other'` and has no data privacy annotations other than `@PersonalData.FieldSemantics: 'DataSubjectID'` annotating a corresponding composition, for example:
+  ```js
+    annotate Customers with @PersonalData : {
+      DataSubjectRole : 'Address',
+      EntitySemantics : 'Other'
+    } {
+      addresses @PersonalData.FieldSemantics: 'DataSubjectID';
+    }
+    annotate CustomerPostalAddress with @PersonalData : {
+      DataSubjectRole : 'Address',
+      EntitySemantics : 'DataSubject'
+    } {
+      ID @PersonalData.FieldSemantics : 'DataSubjectID';
+      street @PersonalData.IsPotentiallyPersonal;
+      town @PersonalData.IsPotentiallySensitive;
+    }
+  ```
+
+## Version 5.9.3 - 2022-04-25
+
+### Fixed
+
+- Since 5.8.2 `req.target` for requests like `srv.put('/MyService.entity')` is defined, but `req.query` undefined (before `req.target` was also undefined). This was leading to accessing undefined, which has been fixed.
+- Custom actions with names conflicting with methods from service base classes, e.g. `run()`, could lead to hard-to-detect errors. This is now detected and avoided with a warning.
+- Typed methods for custom actions were erroneously applied to `cds.db` service, which led to server crashes, e.g. when the action was named `deploy()`.
+- Invalid batch requests were further processed after error response was already sent to client, leading to an InternalServerError
+- Full support of `SELECT` queries with operator expressions (`xpr`)
+
+
+## Version 5.9.2 - 2022-04-07
+
+### Fixed
+
+- i18n translation for errors did not work correctly in some cases
+- Normalization in custom `getRestrictions`
+- Throw exception by `INSERT` into HANA queries if number of provided rows deviates from number of affected rows returned by hdb to prevent data losses
+- Handler detection for extended services
+- Speed-up in localization handling
+- Draft: navigation via an association to many from a non-draft enabled entity to a draft-enabled entity
+- Limited support of `SELECT` queries with operator expressions (`xpr`)
+
 ## Version 5.9.1 - 2022-03-31
 
 ### Fixed

package/lib/compile/etc/_localized.js

@@ -97,8 +97,8 @@ function unfold_csn (m) { // NOSONAR
 
 
 const $localized = '$$localized', _is_localized = (d,_path={}) => {
-	if (d.own($localized)) return true
-	if (!d.elements || d.name.endsWith('.texts')) return false
+	if (typeof d.own($localized) === 'boolean') return d.own($localized)
+	if (!d.elements || d.name.endsWith('.texts')) return d.set($localized,false)
 	// if (d.elements.texts && d.elements.texts.target === `${d.name}.texts`) return d.set($localized,true)
 	for (let each in d.elements) {
 		const e = d.elements [each]
@@ -106,6 +106,7 @@ const $localized = '$$localized', _is_localized = (d,_path={}) => {
 			return d.set($localized,true)
 		}
 	}
+  return d.set($localized,false)
 }
 
 

package/lib/compile/for/drafts.js

@@ -4,6 +4,6 @@ module.exports = function cds_compile_for_drafts (csn,o) {
   const unfold = cds_compile_for_drafts.unfold || (
     cds_compile_for_drafts.unfold = require ('@sap/cds-compiler/lib/transform/draft/odata')
   )
-  // csn = JSON.parse (JSON.stringify (csn)) // REVISIT: workaround for bad test setup
+  csn = JSON.parse (JSON.stringify (csn)) // REVISIT: workaround for bad test setup
   return unfold (csn,o||{})
 }

package/lib/connect/bindings.js

@@ -1,4 +1,4 @@
-const DEBUG = /\b(y|all|serve)\b/.test (process.env.DEBUG) && console.warn
+const DEBUG = /\b(y|all|serve|bindings)\b/.test (process.env.DEBUG) && console.warn
 // || console.debug
 
 const cds = require ('..')

package/lib/connect/index.js

@@ -1,5 +1,4 @@
 const cds = require('..'), {one_model} = cds.env.features, LOG = cds.log('cds.connect')
-const factory = require('../serve/factory')
 const _pending = cds.services._pending || {} // used below to chain parallel connect.to(<same>)
 
 /**
@@ -22,7 +21,7 @@ const connect = module.exports = async function cds_connect (options) {
  * @returns { Promise<import('../serve/Service-api')> }
  */
 connect.to = async (datasource, options) => {
-  let Service = factory, _done = x=>x
+  let Service = cds.service.factory, _done = x=>x
   if (typeof datasource === 'object') [options,datasource] = [datasource]
   else if (datasource) {
     if (datasource._is_service_class) [ Service, datasource ] = [ datasource, datasource.name ]
@@ -33,7 +32,7 @@ connect.to = async (datasource, options) => {
     // queue parallel requests to a single promise, to avoid creating multiple services
     _pending[datasource] = new Promise (r=>_done=r).finally(()=>{ delete _pending[datasource] })
   }
-  const o = Service === factory ? options4 (datasource, options) : {}
+  const o = Service === cds.service.factory ? options4 (datasource, options) : {}
   const m = await model4 (o)
   // check if required service definition exists
   const required = cds.requires[datasource]

package/lib/env/requires.js

@@ -1,4 +1,4 @@
-const _runtime = '../../libx/_runtime'
+const _runtime = '@sap/cds/libx/_runtime'
 
 exports = module.exports = {
 

package/lib/index.js

@@ -12,6 +12,7 @@ if (global.cds) Object.assign(module,{exports:global.cds}) ; else {
       /** @type {{ [path:string] : Service }} */ paths: {},
       /** @type Service[] */ providers: [],
       factory: require ('./serve/factory'),
+      adapters: require ('./serve/adapters'),
       bindings: require ('./connect/bindings'),
     })}
     /** @type {import './req/context'} */
@@ -80,7 +81,7 @@ if (global.cds) Object.assign(module,{exports:global.cds}) ; else {
     ApplicationService: lazy => require('../libx/_runtime/cds-services/services/Service.js'),
     MessagingService: lazy => require('../libx/_runtime/messaging/service.js'),
     DatabaseService: lazy => require('../libx/_runtime/db/Service.js'),
-    RemoteService: lazy => require('../libx/_runtime/rest/service.js'),
+    RemoteService: lazy => require('../libx/_runtime/remote/Service.js'),
     AuditLogService: lazy => require('../libx/_runtime/audit/Service.js'),
     odata: require('../libx/odata'),
 

package/lib/serve/Service-methods.js

@@ -1,5 +1,12 @@
+const cds = require('..')
+const LOG = cds.log('cds-app-service-methods')
+
 
 module.exports = (srv) => {
+  if (!( //> we only support that for app services
+    srv instanceof cds.ApplicationService ||
+    srv instanceof cds.RemoteService
+  )) return
   for (const each of srv.operations) {
     add_handler_for (srv, each)
   }
@@ -16,7 +23,23 @@ const add_handler_for = (srv, def) => {
   // Use existing methods as handler implementations
   const method = srv[event]
   if (method) {
-    if (method._is_stub || method.name in srv.__proto__.__proto__) return
+    if (method._is_stub) return
+    const baseclass = (
+      srv.__proto__ === cds.ApplicationService.prototype ? srv.__proto__ :
+      srv.__proto__ === cds.RemoteService.prototype ? srv.__proto__ :
+      srv.__proto__.__proto__ // in case of class-based impls
+    )
+    if (method.name in baseclass) return LOG.warn(`WARNING: custom ${def.kind} '${event}()' conflicts with method in base class.
+
+      Cannot add typed method for custom ${def.kind} '${event}' to service impl of '${srv.name}',
+      as this would shadow equally named method in service base class '${baseclass.constructor.name}'.
+      Consider choosing a different name for your custom ${def.kind}.
+      Learn more at https://cap.cloud.sap/docs/guides/providing-services#actions-and-functions.
+    `)
+    LOG.debug (`
+      Using method ${event} from service class '${baseclass.constructor.name}'
+      as handler for ${def.kind} '${event}' in service '${srv.name}'
+    `)
     srv.on (event, function ({params,data}) {
       const args = []; if (def.parent) args.push (def.parent)
       for (let p in params) args.push(params[p])
@@ -26,6 +49,10 @@ const add_handler_for = (srv, def) => {
   }
 
   // Add stub methods to send request via typed API
+  LOG.debug (`
+    Adding typed method stub for calling custom ${def.kind} '${event}'
+    to service impl '${srv.name}'
+  `)
   const stub = srv[event] = function (...args) {
     const req = { event, data:{} }, $ = args[0]
     const target = this.entities [ $ && $.name ? $.name.match(/\w*$/)[0] : $ ]

package/lib/serve/adapters.js

@@ -1,11 +1,11 @@
 const lib = require('../../libx/_runtime')
 const registry = {
-  rest: lib.to.old_rest,
-  new_rest: lib.to.new_rest,
-  odata: lib.to.odata_v4,
-  odata_v2: lib.to.odata_v4,
-  odata_v4: lib.to.odata_v4,
-  fiori: lib.to.odata_v4,
+  get rest() { return lib.to.old_rest },
+  get new_rest() { return lib.to.new_rest },
+  get odata() { return lib.to.odata_v4 },
+  get odata_v2() { return lib.to.odata_v4 },
+  get odata_v4() { return lib.to.odata_v4 },
+  get fiori() { return lib.to.odata_v4 },
 }
 
 

package/lib/serve/factory.js

@@ -1,5 +1,6 @@
-const cds = require('..')
-const { path, isfile } = cds.utils
+const cds = require('..'), { path, isfile } = cds.utils
+const paths = Array.from (new Set ([ cds.root, ...require.resolve.paths('x') ]))
+const DEBUG = cds.debug('srv.factory'); DEBUG && DEBUG ({ 'cds.root':cds.root, paths })
 
 /** @typedef {import('./Service-api')} Service @type { (()=>Service) & (new()=>Service) } */
 const ServiceFactory = function (name, model, options) { //NOSONAR
@@ -8,6 +9,7 @@ const ServiceFactory = function (name, model, options) { //NOSONAR
   const serve = !cds.requires[name] || o.mocked
   const defs = !model ? {[name]:{}} : model.definitions || cds.error (`Invalid argument for 'model': ${model}`)
   const def = !name || name === 'db' ? {} : defs[name] || {}
+  DEBUG && DEBUG ({ name, definition:def, options:o })
 
   let it /* eslint-disable no-cond-assign */
   if (it = o.with)                 return _use (it) // from cds.serve (<options>)
@@ -27,21 +29,24 @@ const ServiceFactory = function (name, model, options) { //NOSONAR
 
   function _required() {
     const kind = o.kind = serve && def['@kind'] || o.kind || 'app-service'
-    if (_required[kind]) return _required[kind]
+    if (_require[kind]) return _require[kind]
     const {impl} = cds.requires[kind] || cds.error (`No configuration found for 'cds.requires.${kind}'`)
-    return _required[kind] = _require (impl || cds.error (`No 'impl' configured for 'cds.requires.${kind}'`))
+    DEBUG && DEBUG ('requires',{kind,impl})
+    return _require[kind] = _require (impl || cds.error (`No 'impl' configured for 'cds.requires.${kind}'`))
   }
 }
 
 const _require = (it,d) => {
-  if (it.startsWith('@sap/cds/')) it = cds.home + it.slice(8)    //> for local tests in @sap/cds dev
-  else if (it.startsWith('./')) it = _relative (d, it.slice(2)) //> relative to <service>.cds
-  else if (it.startsWith('//')) it = path.resolve (cds.root,it.slice(2)) //> relative to cds.root
-  try { var resolved = require.resolve(it) } catch(e) {
+  DEBUG && d && DEBUG ('requires',{ service: d.name, source:_source(d), impl:it })
+  if (it.startsWith('@sap/cds/')) it = cds.home + it.slice(8)  //> for local tests in @sap/cds dev
+  if (it.startsWith('./')) it = _relative (d,it.slice(2))     //> relative to <service>.cds
+  try { var resolved = require.resolve(it,{paths}) } catch(e) {
     try { resolved = require.resolve(it = path.resolve(cds.root,it)) } catch(e) { // for compatibility
+      DEBUG && DEBUG (`Failed loading service implementation from '${it}'`, { 'cds.root':cds.root, paths })
       throw cds.error(`Failed loading service implementation from '${it}'`)
     }
   }
+  DEBUG && DEBUG({resolved})
   return require(resolved)
 }
 
@@ -59,7 +64,7 @@ const sibling = (d) => {
     let found
     if (process.env.CDS_TYPESCRIPT === 'true') found = isfile(path.join(home, each, file + '.ts'))
     if (!found) found = isfile(path.join(home, each, file + '.js'))
-    if (found)  return found
+    if (found)  return found //> equiv to '.'+found.slice(home.length)
   }
 }
 

package/lib/serve/index.js

@@ -1,6 +1,6 @@
-const { ProtocolAdapter } = require('./adapters')
-const { Service } = require('./factory')
 const cds = require ('..')
+const { ProtocolAdapter } = cds.service.adapters
+const { Service } = cds.service.factory
 const _ready = Symbol(), _pending = cds.services._pending || {}
 
 /** @param som - a service name or a model (name or csn) */
@@ -54,7 +54,8 @@ function cds_serve (som, _options) { // NOSONAR
     // Shortcut for directly passed service classes
     if (o.service && o.service._is_service_class) {
       const Service = o.service, d = { name: o.service.name }
-      return all.push (_new (Service, d,csn,o))
+      const srv = _new (Service, d,csn,o)
+      return all.push (srv)
     }
 
     // Get relevant service definitions from model...

package/libx/_runtime/auth/index.js

@@ -44,7 +44,10 @@ const _initializers = {
       // REVISIT: compat, remove with cds^6
       passport.use(new XSUAAStrategy(uaa.credentials))
     } else {
-      throw Object.assign(new Error('No or malformed credentials for auth kind "xsuaa"'), { credentials })
+      throw Object.assign(
+        new Error('No or malformed credentials for auth kind "xsuaa". Make sure to bind the app to an "xsuaa" service'),
+        { credentials }
+      )
     }
   }
 }
@@ -178,6 +181,18 @@ module.exports = (srv, app, options) => {
     // > dummy or mock authentication (for development/testing)
     _mountMockAuth(srv, app, strategy, config)
   } else {
+    // if no restriction and no binding, don't mount passport middleware
+    if (!restricted && !config.credentials) {
+      if (!logged) {
+        const msg = `Service ${srv.name} is unrestricted`
+        if (process.env.NODE_ENV !== 'production') LOG._debug && LOG.debug(msg)
+        else LOG._info && LOG.info(`${msg}. This is not recommended in production.`)
+      }
+
+      // no auth wanted > return
+      return
+    }
+
     // > passport authentication
     _mountPassportAuth(srv, app, strategy, config)
   }

package/libx/_runtime/cds-services/adapter/odata-v4/OData.js

@@ -66,7 +66,12 @@ function _log(level, arg) {
 
     // reduce 4xx to warning
     if (isClientError(obj)) {
-      if (!LOG._warn) return
+      if (!LOG._warn) {
+        // restore
+        obj.message = _message
+        if (_details) obj.details = _details
+        return
+      }
       level = 'warn'
     }
   }

package/libx/_runtime/cds-services/adapter/odata-v4/okra/odata-server/deserializer/BatchRequestListBuilder.js

@@ -89,7 +89,9 @@ class BatchRequestListBuilder {
     source
       .pipe(reader)
       .on('finish', () => {
-        callback(null, this._requestInBatchList)
+        //Revisit: if statement needed in node v12 and v14, not in v16.
+        //Without it, finish callback reached in 12/14 after error handler was thrown
+        if (!source.res || !source.res.headersSent) callback(null, this._requestInBatchList)
       })
       .on('error', callback)
   }

package/libx/_runtime/cds-services/adapter/odata-v4/utils/dispatcherUtils.js

@@ -1,5 +1,6 @@
 const cds = require('../../../../cds')
 const OData = require('../OData')
+const DEBUG = cds.debug('extensibility')
 
 const { alias2ref } = require('../../../../common/utils/csn')
 const { BASE_TENANT } = require('../../../../common/utils/extensibilityUtils')
@@ -17,14 +18,18 @@ function createOdataService(service) {
   return odataService
 }
 
-const { Service } = require('../../../../../../lib/serve/factory')
-async function createNewService(name, csn, defaultOptions) {
-  const options = Object.assign({}, defaultOptions)
-  const service = new Service(name, csn, options)
-  if (!service.path) service.path = cds.service.path4(service)
+async function createNewService(name, model, options) {
+  const { constructor: Service, path } = cds.services[name]
+  const service = new Service(name, model, { ...options }) // cloning options to be safe
   if (service.init) await service.prepend(service.init)
   if (options.impl) await service.prepend(options.impl)
-
+  if (path) service.path = path
+  DEBUG &&
+    DEBUG('Created tenant-specific service:', service.name, '= new', Service.name, {
+      _handlers: {
+        on: service._handlers.on.map(h => ({ on: h.on, handler: () => {} }))
+      }
+    })
   return createOdataService(service)
 }
 

package/libx/_runtime/cds-services/adapter/odata-v4/utils/stream.js

@@ -30,9 +30,7 @@ const _adaptSubSelectsDraft = select => {
       if (element.SELECT) {
         _adaptSubSelectsDraft(element)
       } else if (element.xpr) {
-        for (const ele of element.xpr.filter(e => e.SELECT)) {
-          _adaptSubSelectsDraft(ele)
-        }
+        _adaptSubSelectsDraft({ SELECT: { from: {}, where: element.xpr } })
       }
     }
   }

package/libx/_runtime/cds-services/services/Service.js

@@ -8,7 +8,7 @@ const { postProcess } = require('../../common/utils/postProcessing')
 const _isSimpleCqnQuery = q => typeof q === 'object' && q !== null && !Array.isArray(q) && Object.keys(q).length > 0
 
 // for getRestrictions()
-const { getNormalizedRestrictions, getApplicableRestrictions } = require('./utils/restrictions')
+const { getNormalizedRestrictions, getApplicableRestrictions } = require('../../common/generic/auth/restrictions.js')
 const WRITE_EVENTS = { CREATE: 1, NEW: 1, UPDATE: 1, PATCH: 1, DELETE: 1, CANCEL: 1, EDIT: 1 }
 const CRUD = Object.assign({ READ: 1 }, WRITE_EVENTS)
 

package/libx/_runtime/common/aspects/utils.js

@@ -44,7 +44,9 @@ const hasPersonalData = entity => {
     for (const ele in entity.elements) {
       if (
         entity.elements[ele]['@PersonalData.IsPotentiallyPersonal'] ||
-        entity.elements[ele]['@PersonalData.IsPotentiallySensitive']
+        entity.elements[ele]['@PersonalData.IsPotentiallySensitive'] ||
+        (entity.elements[ele]['@PersonalData.FieldSemantics'] &&
+          entity.elements[ele]['@PersonalData.FieldSemantics'] === 'DataSubjectID')
       ) {
         val = true
         break
@@ -58,7 +60,11 @@ const hasSensitiveData = entity => {
   let val
   if (entity['@PersonalData.DataSubjectRole'] && entity['@PersonalData.EntitySemantics']) {
     for (const ele in entity.elements) {
-      if (entity.elements[ele]['@PersonalData.IsPotentiallySensitive']) {
+      if (
+        entity.elements[ele]['@PersonalData.IsPotentiallySensitive'] ||
+        (entity.elements[ele]['@PersonalData.FieldSemantics'] &&
+          entity.elements[ele]['@PersonalData.FieldSemantics'] === 'DataSubjectID')
+      ) {
         val = true
         break
       }

package/libx/_runtime/common/composition/data.js

@@ -12,20 +12,13 @@ const { SELECT } = cds.ql
  * own utils
  */
 
-const _isSameEntity = (cqn, req) => {
-  const where = cqn.UPDATE.where || []
-  const persistentObj = Array.isArray(req._.partialPersistentState)
-    ? req._.partialPersistentState[0]
-    : req._.partialPersistentState
-  if (!persistentObj) {
-    // If no data was found we don't know if it is the same entity
-    return false
-  }
-  const target = getDBTable(req.target)
-  if (target.name !== (cqn.UPDATE.entity.ref && cqn.UPDATE.entity.ref[0]) && target.name !== cqn.UPDATE.entity) {
-    return false
-  }
+const _isSameEntityInWhere = (where, target, persistentObj) => {
   for (let i = 0; i < where.length; i++) {
+    if (where[i].xpr) {
+      const res = _isSameEntityInWhere(where[i].xpr, target, persistentObj)
+      if (!res) return res
+      continue
+    }
     if (!where[i] || !where[i].ref || !target.elements[where[i].ref]) {
       continue
     }
@@ -40,6 +33,22 @@ const _isSameEntity = (cqn, req) => {
   return true
 }
 
+const _isSameEntity = (cqn, req) => {
+  const where = cqn.UPDATE.where || []
+  const persistentObj = Array.isArray(req._.partialPersistentState)
+    ? req._.partialPersistentState[0]
+    : req._.partialPersistentState
+  if (!persistentObj) {
+    // If no data was found we don't know if it is the same entity
+    return false
+  }
+  const target = getDBTable(req.target)
+  if (target.name !== (cqn.UPDATE.entity.ref && cqn.UPDATE.entity.ref[0]) && target.name !== cqn.UPDATE.entity) {
+    return false
+  }
+  return _isSameEntityInWhere(where, target, persistentObj)
+}
+
 const _getLinksOfCompTree = compositionTree => {
   const links = []
   for (const link of [...compositionTree.backLinks, ...compositionTree.customBackLinks]) {

package/libx/_runtime/common/composition/delete.js

@@ -216,6 +216,18 @@ const resolveNavigationTarget = (cqn, ref, model) => {
   return { target, elementName }
 }
 
+const _getDataFromOncond = (onCond, parent) => {
+  return onCond.reduce((res, e) => {
+    if (e.xpr) {
+      return Object.assign(res, _getDataFromOncond(e.xpr, parent))
+    }
+    if (!e.ref || e.ref[0] !== '$$parent') return res
+    const fk = e.ref.slice(1).join('_')
+    if (!parent.keys[fk]) res[fk] = null
+    return res
+  }, {})
+}
+
 // eslint-disable-next-line complexity
 const getSetNullParentForeignKeyCQNs = async (model, req, dbQuery) => {
   const cqns = []
@@ -229,12 +241,7 @@ const getSetNullParentForeignKeyCQNs = async (model, req, dbQuery) => {
     const element = parent.elements[elementName]
     if (element && element._isCompositionEffective && element.is2one) {
       const onCond = element && parent._relations[element.name].join('$$whatever', '$$parent')
-      const data = onCond.reduce((res, e) => {
-        if (!e.ref || e.ref[0] !== '$$parent') return res
-        const fk = e.ref.slice(1).join('_')
-        if (!parent.keys[fk]) res[fk] = null
-        return res
-      }, {})
+      const data = _getDataFromOncond(onCond, parent)
       cqn.data(data)
       cqn.__4delete = true
       if (Object.keys(data).length) cqns.push(cqn)
@@ -247,12 +254,7 @@ const getSetNullParentForeignKeyCQNs = async (model, req, dbQuery) => {
     for (const element of comp2oneParents) {
       const parent = element.parent
       const onCond = parent._relations[element.name].join('$$child', '$$parent')
-      const data = onCond.reduce((res, e) => {
-        if (!e.ref || e.ref[0] !== '$$parent') return res
-        const fk = e.ref.slice(1).join('_')
-        if (!parent.keys[fk]) res[fk] = null
-        return res
-      }, {})
+      const data = _getDataFromOncond(onCond, parent)
       const columns = getColumns(parent, { _4db: true, onlyKeys: true }).map(c => ({ ref: ['$$parent', c.name] }))
       const as = query.DELETE.from.as || (query.DELETE.from.ref && query.DELETE.from.ref[0]) || query.DELETE.from
       const selectCQN = SELECT.from(`${parent.name} as $$parent`)

package/libx/_runtime/common/generic/auth/expand.js

@@ -41,6 +41,7 @@ const _getRestrictedExpand = (columns, target, definitions) => {
 }
 
 function handler(req) {
+  if (!req.query) return
   const restricted = _getRestrictedExpand(
     req.query.SELECT && req.query.SELECT.columns,
     req.target,

package/libx/_runtime/common/generic/auth/restrict.js

@@ -2,6 +2,7 @@ const cds = require('../../../cds')
 
 const { reject, getRejectReason, resolveUserAttrs, getAuthRelevantEntity } = require('./utils')
 const { DRAFT_EVENTS, MOD_EVENTS } = require('./constants')
+const { getNormalizedPlainRestrictions } = require('./restrictions')
 
 const { cqn2cqn4sql } = require('../../utils/cqn2cqn4sql')
 
@@ -250,7 +251,8 @@ async function handler(req) {
     // > no applicable restrictions -> 403
     reject(req, getRejectReason(req, '@restrict', definition))
   }
-
+  // normalize
+  restrictions = getNormalizedPlainRestrictions(restrictions, definition)
   // at least one if the user's roles grants unrestricted access => done
   if (restrictions.some(restrict => !restrict.where)) return
 

package/libx/_runtime/{cds-services/services/utils → common/generic/auth}/restrictions.js

@@ -72,7 +72,14 @@ const getApplicableRestrictions = (restrictions, event, user) => {
   })
 }
 
+const getNormalizedPlainRestrictions = (restrictions, definition) => {
+  const result = []
+  for (const restriction of restrictions) _addNormalizedRestrict(restriction, result, definition)
+  return result
+}
+
 module.exports = {
   getNormalizedRestrictions,
-  getApplicableRestrictions
+  getApplicableRestrictions,
+  getNormalizedPlainRestrictions
 }

package/libx/_runtime/common/generic/input.js

@@ -184,6 +184,7 @@ const _getBoundActionBindingParameter = req => {
 }
 
 function _handler(req) {
+  if (!req.query) return // FIXME: the code below expects req.query to be defined
   if (!req.target) return
 
   const template = getTemplate('app-input', this, req.target, { pick: _pick })

package/libx/_runtime/common/generic/put.js

@@ -57,6 +57,7 @@ const _pick = element => {
 
 function _handler(req) {
   if (req.method !== 'PUT') return
+  if (!req.query) return // FIXME: the code below expects req.query to be defined
   if (!req.target) return
 
   // not for payloads with stream properties

package/libx/_runtime/common/utils/cqn.js

@@ -16,20 +16,16 @@ const getEntityNameFromUpdateCQN = cqn => {
   return (cqn.UPDATE.entity.ref && cqn.UPDATE.entity.ref[0]) || cqn.UPDATE.entity.name || cqn.UPDATE.entity
 }
 
-const addToWhere = (cqn, where) => {
-  const partial = cqn.SELECT || cqn.UPDATE || cqn.DELETE
-  if (!partial.where) partial.where = where
-  else {
-    partial.where.unshift('(')
-    partial.where.push(')', 'and', '(', ...where, ')')
-  }
-}
-
 // scope: simple wheres à la "[{ ref: ['foo'] }, '=', { val: 'bar' }, 'and', ... ]"
 function where2obj(where, target = null) {
   const data = {}
   for (let i = 0; i < where.length; i++) {
     const whereEl = where[i]
+
+    if (whereEl.xpr) {
+      where2obj(whereEl.xpr, target, data)
+    }
+
     const colName = whereEl.ref && whereEl.ref[whereEl.ref.length - 1]
     // optional validation if target is passed
     if (target) {
@@ -85,7 +81,6 @@ function isPathToDraft(path, model) {
 }
 
 module.exports = {
-  addToWhere,
   getEntityNameFromDeleteCQN,
   getEntityNameFromUpdateCQN,
   where2obj,