@sap/cds 6.7.0 → 6.7.1

package/CHANGELOG.md

@@ -4,6 +4,19 @@
 - The format is based on [Keep a Changelog](http://keepachangelog.com/).
 - This project adheres to [Semantic Versioning](http://semver.org/).
 
+## Version 6.7.1 - 2023-04-14
+
+### Changed
+
+- Calling a parameterized view without params error now results in the status code 400 with an improved error message.
+
+### Fixed
+
+- cds build error CreateListFromArrayLike
+- Disabling of arbitrary user config in mock auth config using `"users": { "*": false }`
+- Various fixes for `cds.fiori.lean_draft`
+- User attributes that look like numbers are quoted in SQL clause for `@restrict`
+
 ## Version 6.7.0 - 2023-03-28
 
 ### Added

package/bin/cds.js

@@ -14,8 +14,10 @@ const cli = { //NOSONAR
 
     const task = this.load ('./'+cmd)
 
-    let args
-    try { args = task && cmd !== 'build' && this.args(task, argv) }
+    let args = []
+    try {
+      if (task && cmd !== 'build') args = this.args(task, argv)
+    }
     catch (err) { process.exitCode = 1; return console.error(err) }
 
     if (task && cmd !== 'build')  return task.apply (this, args)

package/lib/compile/for/lean_drafts.js

@@ -108,6 +108,7 @@ module.exports = function cds_compile_for_lean_drafts(csn) {
     Object.defineProperty(model.definitions, _draftEntity, { value: draft })
     Object.defineProperty(active, 'drafts', { value: draft })
     Object.defineProperty(draft, 'actives', { value: active })
+    Object.defineProperty(draft, 'isDraft', { value: true })
     draft['@cds.persistence.table'] = _draftEntity
 
     for (const key in draft) {

package/libx/_runtime/auth/strategies/mock.js

@@ -16,7 +16,7 @@ class MockStrategy {
     if (!base64) return this.fail(CHALLENGE)
 
     const [id, password] = Buffer.from(base64, 'base64').toString().split(':')
-    const user = this.users[id] || ('*' in this.users && { id })
+    const user = this.users[id] || (this.users['*'] && { id })
     if (!user) return this.fail(CHALLENGE)
     if (user.password && user.password !== password) return this.fail(CHALLENGE)
 

package/libx/_runtime/cds-services/adapter/odata-v4/handlers/action.js

@@ -81,7 +81,7 @@ const action = service => {
         await tx.rollback(e).catch(() => {})
       }
     } finally {
-      req.messages && odataRes.setHeader('sap-messages', getSapMessages(req.messages, req.http.req))
+      req.messages?.length && odataRes.setHeader('sap-messages', getSapMessages(req.messages, req.http.req))
 
       if (err) next(err)
       else next(null, toODataResult(result, req))

package/libx/_runtime/cds-services/adapter/odata-v4/handlers/create.js

@@ -68,7 +68,7 @@ const create = service => {
         await tx.rollback(e).catch(() => {})
       }
     } finally {
-      req.messages && odataRes.setHeader('sap-messages', getSapMessages(req.messages, req.http.req))
+      req.messages?.length && odataRes.setHeader('sap-messages', getSapMessages(req.messages, req.http.req))
 
       if (err) next(err)
       else next(null, toODataResult(result, req))

package/libx/_runtime/cds-services/adapter/odata-v4/handlers/delete.js

@@ -49,7 +49,7 @@ const del = service => {
         await tx.rollback(e).catch(() => {})
       }
     } finally {
-      req.messages && odataRes.setHeader('sap-messages', getSapMessages(req.messages, req.http.req))
+      req.messages?.length && odataRes.setHeader('sap-messages', getSapMessages(req.messages, req.http.req))
 
       if (err) next(err)
       else next(null, null)

package/libx/_runtime/cds-services/adapter/odata-v4/handlers/read.js

@@ -523,7 +523,7 @@ const read = service => {
         await tx.rollback(e).catch(() => {})
       }
     } finally {
-      req.messages && odataRes.setHeader('sap-messages', getSapMessages(req.messages, req.http.req))
+      req.messages?.length && odataRes.setHeader('sap-messages', getSapMessages(req.messages, req.http.req))
 
       if (err) next(err)
       else next(null, result, additional)

package/libx/_runtime/cds-services/adapter/odata-v4/handlers/update.js

@@ -179,7 +179,7 @@ const update = service => {
         await tx.rollback(e).catch(() => {})
       }
     } finally {
-      req.messages && odataRes.setHeader('sap-messages', getSapMessages(req.messages, req.http.req))
+      req.messages?.length && odataRes.setHeader('sap-messages', getSapMessages(req.messages, req.http.req))
 
       if (err) next(err)
       else if (primitive && result) {

package/libx/_runtime/cds-services/adapter/odata-v4/odata-to-cqn/readToCQN.js

@@ -223,12 +223,12 @@ const _checkViewWithParamCall = (isView, segments, kind, name) => {
   }
 
   if (segments.length < 2) {
-    throw new Error(`Incorrect call to a view with parameter "${name}"`)
+    throw cds.error(`Invalid call to "${name}". You need to navigate to Set`, { status: 400, code: 400 })
   }
 
   // if the last segment is count, check if previous segment is Set, otherwise check if the last segment equals Set
   if (!_isSet(segments[segments.length - (_isCount(kind) ? 2 : 1)])) {
-    throw new Error(`Incorrect call to a view with parameter "${name}"`)
+    throw cds.error(`Invalid call to "${name}". You need to navigate to Set`, { status: 400, code: 400 })
   }
 }
 

package/libx/_runtime/cds-services/services/Service.js

@@ -62,6 +62,33 @@ class ApplicationService extends cds.Service {
           this.on('EDIT', each, onEdit)
           this.on('CANCEL', each.drafts, onCancel)
           this.on('draftPrepare', each.drafts, onPrepare)
+          if (cds.env.fiori.draft_compat) {
+            // register after read handlers to add `IsActiveEntity`,
+            // so stakeholders have access to it when calling next()
+
+            // to check if data contains a key value
+            let _key
+            for (const key in each.keys) {
+              if (key === 'IsActiveEntity') continue
+              _key = key
+              break
+            }
+            const _addIsActiveEntity = (data, IsActiveEntity) => {
+              if (!data) return
+              if (Array.isArray(data)) return data.map(d => _addIsActiveEntity(d, IsActiveEntity))
+              if (_key in data) data.IsActiveEntity = IsActiveEntity
+            }
+            this.on('READ', each, async (_, next) => {
+              const data = await next()
+              _addIsActiveEntity(data, true)
+              return data
+            })
+            this.on('READ', each, async (_, next) => {
+              const data = await next()
+              _addIsActiveEntity(data, false)
+              return data
+            })
+          }
         }
     } else return require('../../fiori/generic').impl.call(this)
   }

package/libx/_runtime/common/generic/auth/utils.js

@@ -141,8 +141,11 @@ const resolveUserAttrs = (restrict, req) => {
       attr = parts.shift()
     }
 
-    if (!skip)
-      restrict.where = restrict.where.replace(next[0], val === undefined ? null : val).replace('in null', 'is null')
+    if (!skip) {
+      const v = val === undefined ? null : typeof val === 'string' && val.match(/^\d*$/) ? `'${val}'` : val
+      restrict.where = restrict.where.replace(next[0], v).replace('in null', 'is null')
+    }
+
     next = _getNext(restrict.where)
   }
 

package/libx/_runtime/common/utils/cqn2cqn4sql.js

@@ -280,7 +280,7 @@ const _createWindowCQN = (SELECT, model) => {
     }
   }
 
-  delete SELECT.groupBy
+  SELECT.groupBy = undefined
 }
 
 const _unshiftRefsWithNavigation = nav => el => {

package/libx/_runtime/fiori/lean-draft.js

@@ -42,6 +42,14 @@ const _inProcessByUserXpr = lockShiftedNow => ({
   cast: { type: 'cds.String' }
 })
 
+/// It's important to wait for the completion of all promises, otherwise a rollback might happen too soon
+const _promiseAll = async array => {
+  const results = await Promise.allSettled(array)
+  const e = results.find(r => r.status === 'rejected')
+  if (e) throw e.reason
+  return results.map(r => r.value)
+}
+
 const _lock = {
   get shiftedNow() {
     return new Date(Math.max(0, Date.now() - DRAFT_CANCEL_TIMEOUT_IN_MIN() * 60 * 1000)).toISOString()
@@ -111,15 +119,11 @@ cds.ApplicationService.prototype.handle = async function (req) {
     _req.validateEtag = req.validateEtag
     const cqnData = _req.query.UPDATE?.data || _req.query.INSERT?.entries?.[0]
     if (cqnData) _req.data = cqnData // must point to the same object
-
-    // Dirty hack: delegate messages to original request by binding the getter _messages to req
-    let proto = req
-    let _messagesDescr
-    while (proto && !(_messagesDescr = Object.getOwnPropertyDescriptor(proto, '_messages')))
-      proto = Object.getPrototypeOf(proto)
-    if (_messagesDescr)
-      Object.defineProperty(_req, '_messages', { ..._messagesDescr, get: _messagesDescr.get.bind(req) })
-
+    Object.defineProperty(_req, '_messages', {
+      get: function () {
+        return req._messages
+      }
+    })
     if (req.tx) _req.tx = req.tx
     return _req
   }
@@ -170,7 +174,7 @@ cds.ApplicationService.prototype.handle = async function (req) {
       deletes.push(
         DELETE.from('DRAFT.DraftAdministrativeData').where({ DraftUUID: draft.DraftAdministrativeData_DraftUUID })
       )
-    await Promise.all(deletes)
+    await _promiseAll(deletes)
     return req.data
   }
 
@@ -203,7 +207,8 @@ cds.ApplicationService.prototype.handle = async function (req) {
     delete res.DraftAdministrativeData
     const HasActiveEntity = res.HasActiveEntity
     delete res.HasActiveEntity
-    await Promise.all([
+    delete res.IsActiveEntity
+    await _promiseAll([
       run(DELETE.from(targetDraft).where(targetWhere)),
       DELETE.from('DRAFT.DraftAdministrativeData').where({ DraftUUID: DraftAdministrativeData_DraftUUID })
     ])
@@ -342,7 +347,7 @@ const Read = {
     // DraftAdministrativeData is only accessible via drafts
     if (query._target.name.endsWith('.DraftAdministrativeData')) return run(query._drafts)
     if (!query._target._isDraftEnabled) return run(query)
-    if (query.SELECT.columns && !query.SELECT.columns.some(c => c === '*')) {
+    if (!query.SELECT.groupBy && query.SELECT.columns && !query.SELECT.columns.some(c => c === '*')) {
       const keys = Object_keys(query._target.keys).filter(k => k !== 'IsActiveEntity')
       for (const key of keys) {
         if (!query.SELECT.columns.some(c => c.ref?.[0] === key)) query.SELECT.columns.push({ ref: [key] })
@@ -382,7 +387,7 @@ const Read = {
     draftsQuery.SELECT.columns = keys.map(k => ({ ref: [k] }))
 
     const drafts = await run(draftsQuery)
-    const res = Read.onlyActives(run, query.where(Read.whereNotIn(query._target, drafts)), {
+    const res = await Read.onlyActives(run, query.where(Read.whereNotIn(query._target, drafts)), {
       ignoreDrafts: true
     })
     return _requested(res, query)
@@ -528,6 +533,7 @@ const Read = {
   whereIn: (target, data, not = false) => {
     const keys = Object_keys(target.keys).filter(k => k !== 'IsActiveEntity')
     const dataArray = data ? (Array.isArray(data) ? data : [data]) : []
+    if (not && !dataArray.length) return []
     return [
       { list: keys.map(k => ({ ref: [k] })) },
       not ? 'not in' : 'in',
@@ -724,9 +730,9 @@ function _cleansed(query, model) {
               '=',
               { val: cds.context.user.id },
               'then',
-              { val: true },
+              'true',
               'else',
-              { val: false },
+              'false',
               'end'
             ],
             as: 'DraftIsCreatedByMe',
@@ -747,9 +753,9 @@ function _cleansed(query, model) {
               '>',
               { val: _lock.shiftedNow },
               'then',
-              { val: true },
+              'true',
               'else',
-              { val: false },
+              'false',
               'end'
             ],
             as: 'DraftIsProcessedByMe',
@@ -862,7 +868,10 @@ async function onNew(req) {
 
     // Also support deep insertions
     for (const key in newObj) {
-      if (typeof newObj[key] === 'object' && target.elements[key]?.isComposition) {
+      if (!target.elements[key]?.isComposition) continue
+      if (Array.isArray(newObj[key]))
+        newObj[key] = newObj[key].map(v => _assignDraftData(v, target.elements[key]._target))
+      else if (typeof newObj[key] === 'object') {
         newObj[key] = _assignDraftData(newObj[key], target.elements[key]._target)
       }
     }
@@ -875,7 +884,7 @@ async function onNew(req) {
   delete draftData.IsActiveEntity
   const draftCQN = INSERT.into(req.target).entries(draftData)
 
-  await Promise.all([cds.run(adminDataCQN), this.run(draftCQN)])
+  await _promiseAll([cds.run(adminDataCQN), this.run(draftCQN)])
   req._.readAfterWrite = true
   return { ...draftData, IsActiveEntity: false }
 }
@@ -906,20 +915,29 @@ async function onEdit(req) {
     }
   }
   _addDraftColumns(req.target, cols)
-  const draftsCheck = SELECT.one(req.target.drafts)
+
+  const existingDraft = SELECT.one(req.target.drafts)
     .columns({ ref: ['DraftAdministrativeData'], expand: [_inProcessByUserXpr(_lock.shiftedNow)] })
     .where(targetWhere)
-    .forUpdate({ wait: 0 })
   // prevent service to check for own user
-  Object.defineProperty(draftsCheck, '_draftParams', { value: draftParams, enumerable: false })
+  Object.defineProperty(existingDraft, '_draftParams', { value: draftParams, enumerable: false })
 
-  const activeCQN = SELECT.one.from(req.target).columns(cols).where(targetWhere).forUpdate({ wait: 0 })
+  const activeCQN = SELECT.one.from(req.target).columns(cols).where(targetWhere)
   activeCQN._suppressLocalization = true // in the future we should be able to just set activeCQN.SELECT.localized = false
-  const [res, draft] = await Promise.all([
+
+  const activeCheck = SELECT.one(req.target).columns([1]).where(targetWhere).forUpdate()
+  Object.defineProperty(activeCheck, '_draftParams', { value: draftParams, enumerable: false })
+  // It's not possible to use `FOR UPDATE` in HANA if the view contains joins/unions. Unfortunately, we can't resolve the table entity
+  // because we must trigger the app-service request on the target entity (which could be delegated to a remote service).
+  // The best we can do is to catch a potential error
+  await this.run(activeCheck).catch(_ => {})
+
+  const [res, draft] = await _promiseAll([
     this.run(activeCQN),
     // no user check must be done here...
-    this.run(draftsCheck)
+    this.run(existingDraft)
   ])
+
   if (!res) req.reject(404)
   const preserveChanges = req.context?.data?.PreserveChanges
   const inProcessByUser = draft?.DraftAdministrativeData?.InProcessByUser
@@ -927,7 +945,7 @@ async function onEdit(req) {
     if (inProcessByUser || preserveChanges) req.reject(409, 'DRAFT_ALREADY_EXISTS')
     const keys = {}
     for (const key in req.target.drafts.keys) keys[key] = res[key]
-    await Promise.all([
+    await _promiseAll([
       DELETE.from('DRAFT.DraftAdministrativeData').where({ DraftUUID }),
       this.run(DELETE.from(req.target.drafts).where(keys))
     ])
@@ -983,7 +1001,7 @@ async function onCancel(req) {
       DELETE.from('DRAFT.DraftAdministrativeData').where({ DraftUUID: draft.DraftAdministrativeData_DraftUUID })
     )
   if (draftParams.IsActiveEntity) deletes.push(this.run(DELETE.from({ ref: activeRef })))
-  await Promise.all(deletes)
+  await _promiseAll(deletes)
   return req.data
 }
 

package/libx/_runtime/hana/search2cqn4sql.js

@@ -6,7 +6,7 @@ const { addAliasToExpression } = require('../db/utils/generateAliases')
 const targetAlias = 'Target'
 const textsAlias = 'Texts'
 const _generateKeysWhereCondition = (entity, alias1, alias2) => {
-  const keys = Object.keys(entity.keys).filter(k => !entity.keys[k].isAssociation)
+  const keys = Object.keys(entity.keys).filter(k => !entity.keys[k].isAssociation && !entity.keys[k].virtual)
   const where = []
   keys.forEach(key => {
     if (where.length > 0) where.push('and')

package/libx/odata/afterburner.js

@@ -266,7 +266,7 @@ function _processSegments(from, model, namespace, cqn) {
         ref[i].where = undefined
         if (ref[i + 1] !== 'Set') {
           // /Set is missing
-          throw new Error(`Incorrect call to a view with parameter "${current.name}"`)
+          throw cds.error(`Invalid call to "${current.name}". You need to navigate to Set`, { status: 400, code: 400 })
         }
         ref[++i] = null
       } else if (current.kind === 'entity') {
@@ -372,11 +372,11 @@ function _processSegments(from, model, namespace, cqn) {
 const AGGREGATION_DEFAULT = '@Aggregation.default'
 
 function _addKeys(columns, target) {
-  let hasAggregatedColumn = false, hasStarColumn = false
+  let hasAggregatedColumn = false,
+    hasStarColumn = false
   for (let k = 0; k < columns.length; k++) {
     if (columns[k] === '*') hasStarColumn = true
     else if (columns[k].func || columns[k].func === null) hasAggregatedColumn = true
-
     // Add keys to (sub-)expands
     else if (columns[k].expand && columns[k].expand[0] !== '*')
       _addKeys(columns[k].expand, target.elements[columns[k].ref]._target)
@@ -444,7 +444,7 @@ const _checkAllKeysProvided = (params, entity) => {
   if (isView) {
     // view with params
     if (params === undefined) {
-      throw new Error(`Incorrect call to a view with parameter "${entity.name}"`)
+      throw cds.error(`Invalid call to "${entity.name}". You need to navigate to Set`, { status: 400, code: 400 })
     } else if (Object.keys(params).length === 0) {
       throw new Error('KEY_EXPECTED')
     }

package/libx/odata/cqn2odata.js

@@ -1,4 +1,5 @@
 const { formatVal } = require('./utils')
+const cds = require('../_runtime/cds')
 
 const OPERATORS = {
   '=': 'eq',
@@ -253,7 +254,7 @@ function _getQueryTarget(entity, propOrEntity, model) {
 
 const _params = (args, kind, target) => {
   if (!args) {
-    throw new Error(`Incorrect call to a view with parameter "${target.name}"`)
+    throw cds.error(`Invalid call to "${target.name}". You need to navigate to Set`, { status: 400, code: 400 })
   }
   const params = Object.keys(args)
   if (params.length !== Object.keys(target.params).length) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sap/cds",
-  "version": "6.7.0",
+  "version": "6.7.1",
   "description": "SAP Cloud Application Programming Model - CDS for Node.js",
   "homepage": "https://cap.cloud.sap/",
   "keywords": [