@sap/cds 6.8.3 → 7.0.0

package/libx/_runtime/cds-services/services/Service.js

@@ -5,126 +5,75 @@ const { postProcess } = require('../../common/utils/postProcessing')
 
 const _isSimpleCqnQuery = q => typeof q === 'object' && q !== null && !Array.isArray(q) && Object.keys(q).length > 0
 
-// for getRestrictions()
-const { getNormalizedRestrictions, getApplicableRestrictions } = require('../../common/generic/auth/restrictions.js')
-const WRITE_EVENTS = { CREATE: 1, NEW: 1, UPDATE: 1, PATCH: 1, DELETE: 1, CANCEL: 1, EDIT: 1 }
-const CRUD = Object.assign({ READ: 1 }, WRITE_EVENTS)
-
 /**
- * Generic Service Event Handler.
+ * Generic Application Service Provider
  */
 class ApplicationService extends cds.Service {
   init() {
-    require('../../common/generic/auth').call(this, this)
-    require('../../common/generic/etag').call(this, this)
-    require('../../common/generic/input').call(this, this)
-    require('../../common/generic/put').call(this, this)
-    require('../../common/generic/temporal').call(this, this)
-    require('../../common/generic/paging').call(this, this) // > paging must be executed before sorting
-    require('../../common/generic/sorting').call(this, this)
+    const clazz = this.constructor,
+      { generics } = clazz
+    for (let each of generics) clazz[each].call(this)
+    return super.init()
+  }
 
-    if (cds.env.requires.extensibility?.code) require('../../common/code-ext/handlers').call(this, this)
+  static get generics() {
+    let generics = Reflect.getOwnPropertyDescriptor(this, '_generics')
+    if (generics) return generics.value
+    else {
+      const set = new Set(this.__proto__.generics)
+      for (let p of Reflect.ownKeys(this)) if (p.startsWith('handle_')) set.add(p)
+      Object.defineProperty(this, '_generics', { value: (generics = [...set]) })
+    }
+    return generics
+  }
 
-    this.registerFioriHandlers(this)
-    this.registerPersonalDataHandlers(this)
-    this.registerCrudHandlers(this) // default .on handlers, have to go last
-    return this
+  static handle_authorization() {
+    require('../../common/generic/auth').call(this)
   }
 
-  /**
-   * @param serviceImpl
-   * @deprecated since version 1.11.0 - use Service.prepend instead
-   */
-  with(serviceImpl) {
-    return this.prepend(serviceImpl)
+  static handle_etags() {
+    require('../../common/generic/etag').call(this)
   }
 
-  /**
-   * Registers custom handlers.
-   * @param {string | object | Function} serviceImpl - init function to register custom handlers.
-   */
-  impl(serviceImpl) {
-    if (typeof serviceImpl === 'string') serviceImpl = require(serviceImpl)
-    return this.prepend(serviceImpl)
+  static handle_validations() {
+    require('../../common/generic/input').call(this)
   }
 
-  registerPersonalDataHandlers() {
-    return cds.env.features.audit_personal_data && require('../../audit/generic/personal').impl.call(this)
-  }
-
-  registerFioriHandlers() {
-    if (cds.env.fiori.lean_draft) {
-      const { onNew, onPrepare, onEdit, onCancel } = require('../../fiori/lean-draft')
-
-      for (const each of this.entities)
-        if (each.drafts) {
-          this.on('NEW', each.drafts, onNew)
-          this.on('EDIT', each, onEdit)
-          this.on('CANCEL', each.drafts, onCancel)
-          this.on('draftPrepare', each.drafts, onPrepare)
-          if (cds.env.fiori.draft_compat) {
-            // register after read handlers to add `IsActiveEntity`,
-            // so stakeholders have access to it when calling next()
-
-            // to check if data contains a key value
-            let _key
-            for (const key in each.keys) {
-              if (key === 'IsActiveEntity') continue
-              _key = key
-              break
-            }
-            const _addIsActiveEntity = (data, IsActiveEntity) => {
-              if (!data) return
-              if (Array.isArray(data)) return data.map(d => _addIsActiveEntity(d, IsActiveEntity))
-              if (_key in data) data.IsActiveEntity = IsActiveEntity
-            }
-            this.on('READ', each, async (req, next) => {
-              const data = await next()
-              _addIsActiveEntity(data, !req.target?.isDraft)
-              return data
-            })
-          }
-        }
-    } else return require('../../fiori/generic').impl.call(this)
-  }
-
-  registerCrudHandlers() {
-    return require('../../common/generic/crud').impl.call(this)
+  static handle_stream_property() {
+    require('../../common/generic/stream').call(this)
   }
 
-  /**
-   * Returns the applicable restrictions for the current request as follows:
-   * - null: unrestricted access
-   * - []: no access
-   * - [{ grant: '...', to: ['...'], where: '...' }, ...]: applicable restrictions with grant normalized to strings,
-   *     i.e., grant: ['CREATE', 'UPDATE'] in model becomes [{ grant: 'CREATE' }, { grant: 'UPDATE' }]
-   * - Promise resovling to any of the above (needed for CAS overrides)
-   *
-   * @param {object} definition - then csn definition of an entity or an (un)bound action or function
-   * @param {string} event - the event name
-   * @param {import('../../../../lib/req/user')} user - the current user
-   * @returns {Promise | Array | null}
-   */
-  getRestrictions(definition, event, user) {
-    let restrictions = getNormalizedRestrictions(definition, this.model.definitions, event)
-    if (!restrictions && (event in CRUD || !definition.parent)) {
-      // > unrestricted entity or unbound
-      return null
-    }
-    if (event in CRUD && restrictions.length && restrictions.every(r => r.grant !== '*' && !(r.grant in CRUD))) {
-      // > only bounds are restricted
-      return null
-    }
-    if (!(event in CRUD) && !restrictions && definition.parent) {
-      // > bound without own restrictions -> get from parent
-      restrictions = getNormalizedRestrictions(definition.parent, this.model.definitions, event)
-      if (!restrictions) {
-        // > unrestricted bound
-        return null
-      }
-    }
-    // return the applicable restrictions (grant and to fit to request and user)
-    return getApplicableRestrictions(restrictions, event, user)
+  static handle_puts() {
+    require('../../common/generic/put').call(this)
+  }
+
+  static handle_temporal_data() {
+    require('../../common/generic/temporal').call(this)
+  }
+
+  static handle_localized_data() {
+    // TODO: can we move handling of localized data here?
+  }
+
+  static handle_managed_data() {
+    // TODO: can we move handling of managed data here?
+  }
+
+  static handle_paging() {
+    require('../../common/generic/paging').call(this) // > paging must be executed before sorting
+    require('../../common/generic/sorting').call(this)
+  }
+
+  static handle_code_ext() {
+    if (cds.env.requires.extensibility?.code) require('../../common/code-ext/handlers').call(this)
+  }
+
+  static handle_fiori() {
+    require('../../fiori/draft').impl.call(this)
+  }
+
+  static handle_crud() {
+    require('../../common/generic/crud').impl.call(this)
   }
 
   // Overload .handle in order to resolve projections up to a definition that is known by the remote service instance.
@@ -139,7 +88,7 @@ class ApplicationService extends cds.Service {
     // - undefined/null in case of plain string queries
     if (this.model && _isSimpleCqnQuery(req.query)) {
       const q = resolveView(req.query, this.model, this)
-      const t = findQueryTarget(q) || req.target
+      const t = findQueryTarget(q) || req.target // REVISIT: why is req.target not correct?
 
       // compat
       restoreLink(req)
@@ -156,6 +105,29 @@ class ApplicationService extends cds.Service {
 
     return super.handle(req)
   }
+
+  /**
+   * @param serviceImpl
+   * @deprecated since version 1.11.0 - use Service.prepend instead
+   */
+  with(serviceImpl) {
+    return this.prepend(serviceImpl)
+  }
+
+  /**
+   * Registers custom handlers.
+   * @param {string | object | Function} serviceImpl - init function to register custom handlers.
+   */
+  impl(serviceImpl) {
+    if (typeof serviceImpl === 'string') serviceImpl = require(serviceImpl)
+    return this.prepend(serviceImpl)
+  }
+}
+
+// NOTE: getRestrictions is VERY INOFFICIAL!!!
+const { getRestrictions } = require('../../common/generic/auth/restrictions')
+ApplicationService.prototype.getRestrictions = function (..._) {
+  return getRestrictions.call(this, ..._)
 }
 
 ApplicationService.prototype.isAppService = true

package/libx/_runtime/cds-services/services/utils/columns.js

@@ -1,10 +1,8 @@
 const cds = require('../../../cds')
 // requesting logger without module on purpose!
 const LOG = cds.log()
-
 const { DRAFT_COLUMNS_UNION_MAP } = require('../../../common/constants/draft')
-
-const defaultSearchableType = 'cds.String'
+const DEFAULT_SEARCHABLE_TYPE = 'cds.String'
 
 // REVISIT: Can we combine that with db/utils/columns.js?
 /**
@@ -18,6 +16,7 @@ const defaultSearchableType = 'cds.String'
  * @param [options.filterDraft=false] - indicates whether the draft columns should be filtered if the entity is draft enabled
  * @param [options.removeIgnore=false]
  * @param [options.filterVirtual=false]
+ * @param [options.keysOnly=false]
  * @returns {Array<object>} - array of columns
  */
 const getColumns = (
@@ -46,10 +45,12 @@ const _getSearchableColumns = entity => {
   const columns = getColumns(entity, columnsOptions)
   const cdsSearchTerm = '@cds.search'
   const cdsSearchKeys = []
+  const cdsSearchColumnMap = new Map()
+
   for (const key in entity) {
     if (key.startsWith(cdsSearchTerm)) cdsSearchKeys.push(key)
   }
-  const cdsSearchColumnMap = new Map()
+
   let atLeastOneColumnIsSearchable = false
 
   // build a map of columns annotated with the @cds.search annotation
@@ -62,7 +63,7 @@ const _getSearchableColumns = entity => {
       continue
     }
 
-    const annotationKey = cdsSearchTerm + '.' + columnName
+    const annotationKey = `${cdsSearchTerm}.${columnName}`
     const annotationValue = entity[annotationKey]
     if (annotationValue) atLeastOneColumnIsSearchable = true
     cdsSearchColumnMap.set(columnName, annotationValue)
@@ -71,21 +72,22 @@ const _getSearchableColumns = entity => {
   const searchableColumns = columns.filter(column => {
     const annotatedColumnValue = cdsSearchColumnMap.get(column.name)
 
-    // A column is searchable if one of the following conditions evaluates to true.
-    //
-    // The @cds.search annotation is provided, and the column is annotated as searchable, e.g.:
-    // @cds.search { column1: true } or just @cds.search { column1 }
+    // the element is searchable if it is annotated with the @cds.search, e.g.:
+    // `@cds.search { element1: true }` or `@cds.search { element1 }`
     if (annotatedColumnValue) return true
 
-    // If at least one column is explicitly annotated as searchable, e.g.:
-    // @cds.search { column1: true } or just @cds.search { column1 }
+    // if at least one element is explicitly annotated as searchable, e.g.:
+    // `@cds.search { element1: true }` or `@cds.search { element1 }`
     // and it is not the current column name, then it must be excluded from the search
     if (atLeastOneColumnIsSearchable) return false
 
-    // - The @cds.search annotation is provided, the column name is not included, and the column
-    // is typed as string.
-    // - The @cds.search annotation is not provided, and the column is typed as string
-    return annotatedColumnValue === undefined && column._type === defaultSearchableType
+    // the element is considered searchable if it is explicitly annotated as such or
+    // if it is not annotated and the column is typed as a string (excluding elements/elements expressions)
+    return (
+      annotatedColumnValue === undefined &&
+      column._type === DEFAULT_SEARCHABLE_TYPE &&
+      !entity?.query?.SELECT?.columns?.find(col => col.xpr && col.as === column.name)
+    )
   })
 
   // if the @cds.search annotation is provided -->
@@ -109,7 +111,8 @@ const _getSearchableColumns = entity => {
     if (!cds._deprecationWarningForDefaultSearchElement) {
       LOG._warn &&
         LOG.warn(
-          'Annotation "@Search.defaultSearchElement" is deprecated and will be removed in an upcoming release. Use "@cds.search" instead.'
+          'Annotation "@Search.defaultSearchElement" is deprecated and will be removed in an upcoming release. ' +
+            'Use "@cds.search" instead.'
         )
       cds._deprecationWarningForDefaultSearchElement = true
     }
@@ -137,8 +140,9 @@ const computeColumnsToBeSearched = (cqn, entity = { __searchableColumns: [] }, a
             cqn.SELECT.columns.length === 1 &&
             column.func === 'count' &&
             (column.as === '_counted_' || column.as === '$count')
-          )
+          ) {
             return
+          }
 
           toBeSearched.push(column)
           return
@@ -146,7 +150,7 @@ const computeColumnsToBeSearched = (cqn, entity = { __searchableColumns: [] }, a
 
         const columnRef = column.ref
         if (columnRef) {
-          if (entity.elements[columnRef[columnRef.length - 1]]?._type !== defaultSearchableType) return
+          if (entity.elements[columnRef[columnRef.length - 1]]?._type !== DEFAULT_SEARCHABLE_TYPE) return
           column = { ref: [...column.ref] }
           if (alias) column.ref.unshift(alias)
           toBeSearched.push(column)
@@ -154,7 +158,6 @@ const computeColumnsToBeSearched = (cqn, entity = { __searchableColumns: [] }, a
       })
   } else {
     toBeSearched = entity.own('__searchableColumns') || entity.set('__searchableColumns', _getSearchableColumns(entity))
-
     if (cqn.SELECT.groupBy) toBeSearched = toBeSearched.filter(tbs => cqn.SELECT.groupBy.some(gb => gb.ref[0] === tbs))
     toBeSearched = toBeSearched.map(c => {
       const col = { ref: [c] }
@@ -162,6 +165,7 @@ const computeColumnsToBeSearched = (cqn, entity = { __searchableColumns: [] }, a
       return col
     })
   }
+
   return toBeSearched
 }
 

package/libx/_runtime/cds-services/services/utils/compareJson.js

@@ -154,10 +154,20 @@ const _skipToMany = (entity, prop) => {
   return entity.elements[prop] && entity.elements[prop].is2many && _skip(entity, prop)
 }
 
+// Returns all property names from the new entry and add missing managed elements
+const _propertiesAndManaged = (newEntry, entity) => {
+  return [
+    ...Object.getOwnPropertyNames(newEntry),
+    ...Object.keys(entity.elements).filter(
+      elementName => newEntry[elementName] === undefined && entity.elements[elementName]['@cds.on.update']
+    )
+  ]
+}
+
 const _iteratePropsInNewEntry = (newEntry, keys, result, oldEntry, entity, opts) => {
   // On app-service layer, generated foreign keys are not enumerable,
   // include them here too.
-  for (const prop of Object.getOwnPropertyNames(newEntry)) {
+  for (const prop of _propertiesAndManaged(newEntry, entity)) {
     if (keys.includes(prop)) {
       _addKeysToResult(result, prop, newEntry, oldEntry)
       continue

package/libx/_runtime/cds-services/services/utils/differ.js

@@ -9,6 +9,7 @@ const { DRAFT_COLUMNS_MAP } = require('../../../common/constants/draft')
 const { cqn2cqn4sql, convertPathExpressionToWhere } = require('../../../common/utils/cqn2cqn4sql')
 const { revertData } = require('../../../common/utils/resolveView')
 const { removeIsActiveEntityRecursively } = require('../../../fiori/utils/where')
+const { enrichDataWithKeysFromWhere } = require('../../../common/utils/keys')
 
 module.exports = class Differ {
   constructor(srv) {
@@ -37,8 +38,9 @@ module.exports = class Differ {
   }
 
   _diffDelete(req) {
-    const { DELETE } = (req._ && req._.query) || req.query
-    const query = SELECT.from(DELETE.from).columns(this._createSelectColumnsForDelete(req.target))
+    const { DELETE } = cds.env.fiori.lean_draft ? req.query : (req._ && req._.query) || req.query
+    const target = DELETE._transitions?.[DELETE._transitions.length - 1]?.target || req.target
+    const query = SELECT.from(DELETE.from).columns(this._createSelectColumnsForDelete(target))
     if (DELETE.where) query.where(DELETE.where)
 
     return cds
@@ -57,6 +59,7 @@ module.exports = class Differ {
     if (cds.db) await this._addPartialPersistentState(req)
     const newQuery = cqn2cqn4sql(req.query, this._srv.model)
     const combinedData = providedData || Object.assign({}, req.query.UPDATE.data || {}, req.query.UPDATE.with || {})
+    enrichDataWithKeysFromWhere(combinedData, req, this._srv)
     const lastTransition = newQuery.UPDATE._transitions[newQuery.UPDATE._transitions.length - 1]
     const revertedPersistent = revertData(req._.partialPersistentState, lastTransition, this._srv)
     return compareJson(combinedData, revertedPersistent, req.target, { ignoreDraftColumns: true })
@@ -85,6 +88,8 @@ module.exports = class Differ {
         ? req.query.INSERT.entries[0]
         : req.query.INSERT.entries
 
+    enrichDataWithKeysFromWhere(originalData, req, this._srv)
+
     return compareJson(originalData, undefined, req.target, { ignoreDraftColumns: true })
   }
 

package/libx/_runtime/cds-services/util/assert.js

@@ -263,11 +263,70 @@ const _checkFormatElement = (element, value, errors, key, pathSegments) => {
   }
 }
 
+const getNormalizedDecimal = value => {
+  let val = `${value}`
+  const cgs = val.match(/^(\d*\.*\d*)e([+|-]*)(\d*)$/)
+  if (cgs) {
+    let [l, r = ''] = cgs[1].split('.')
+    const dir = cgs[2] || '+'
+    const exp = Number(cgs[3])
+    if (dir === '+') {
+      // move decimal point to the right
+      r = r.padEnd(exp, '0')
+      l += r.substring(0, exp)
+      r = r.slice(exp)
+      val = `${l}${r ? '.' + r : ''}`
+    } else {
+      // move decimal point to the left
+      l = l.padStart(exp, '0')
+      r = l.substring(0, exp) + r
+      l = l.slice(exp)
+      val = `${l ? l : '0'}.${r}`
+    }
+  }
+  return val
+}
+
+const _checkDecimalElement = (element, value, errors, key, path) => {
+  const { precision, scale } = element
+  let val = getNormalizedDecimal(value)
+  if (precision != null && scale != null) {
+    let isValid = true
+    if (!val.match(/\./)) val += '.0'
+
+    if (precision === scale) {
+      if (!val.match(new RegExp(`^-?0\\.\\d{0,${scale}}$`, 'g'))) isValid = false
+    } else if (scale === 0) {
+      if (!val.match(new RegExp(`^-?\\d{1,${precision - scale}}\\.0{0,1}$`, 'g'))) isValid = false
+    } else if (!val.match(new RegExp(`^-?\\d{1,${precision - scale}}\\.\\d{0,${scale}}$`, 'g'))) {
+      isValid = false
+    }
+
+    if (!isValid)
+      errors.push(
+        assertError(
+          { code: ASSERT_DATA_TYPE, args: [value, `Decimal(${precision},${scale})`] },
+          element,
+          value,
+          key,
+          path
+        )
+      )
+  } else if (precision != null) {
+    if (!val.match(new RegExp(`^-?\\d{1,${precision}}$`, 'g'))) {
+      errors.push(
+        assertError({ code: ASSERT_DATA_TYPE, args: [value, `Decimal(${precision})`] }, element, value, key, path)
+      )
+    }
+  }
+}
+
 /**
  * @param {import('../../types/api').InputConstraints} constraints
  */
 const checkInputConstraints = ({ element, value, errors, key, pathSegmentsInfo }) => {
   if (!element) return errors
+
   let path
 
   if (pathSegmentsInfo?.length) path = templatePathSerializer(element.name || key, pathSegmentsInfo)
@@ -278,6 +337,9 @@ const checkInputConstraints = ({ element, value, errors, key, pathSegmentsInfo }
   _checkEnumElement(element, value, errors, key, path)
   _checkRangeElement(element, value, errors, key, path)
   _checkFormatElement(element, value, errors, key, path)
+
+  if (element.type === 'cds.Decimal') _checkDecimalElement(element, value, errors, key, path)
+
   return errors
 }
 
@@ -336,7 +398,7 @@ const assertTargets = async (assertMap, errors) => {
 
   targetsExistsResults.forEach((txPromise, index) => {
     const isPromiseRejected = txPromise.status === 'rejected'
-    const shouldAssertError = (txPromise.status === 'fulfilled' && txPromise.value === null) || isPromiseRejected
+    const shouldAssertError = (txPromise.status === 'fulfilled' && txPromise.value == null) || isPromiseRejected
     if (!shouldAssertError) return
 
     const target = targets[index]
@@ -374,5 +436,6 @@ module.exports = {
   assertError,
   checkStaticElementByKey,
   assertNotNullError,
-  assertTargets
+  assertTargets,
+  getNormalizedDecimal
 }

package/libx/_runtime/common/composition/data.js

@@ -135,6 +135,7 @@ const _getWhereObj = (row, links) => {
   return links.reduce((res, currentLink) => {
     if (Object.prototype.hasOwnProperty.call(row, currentLink.targetKey) && row[currentLink.targetKey] !== null)
       res[currentLink.entityKey] = row[currentLink.targetKey]
+    else if (currentLink.targetVal !== undefined) res[currentLink.entityKey] = currentLink.targetVal
     return res
   }, {})
 }

package/libx/_runtime/common/generic/auth/expand.js

@@ -10,7 +10,7 @@ const _getTarget = (ref, target, definitions) => {
     if (ref.length === 1) return definitions[ensureNoDraftsSuffix(target_.target)]
     return _getTarget(ref.slice(1), target_, definitions)
   }
-  const target_ = target.elements[ref.join('_')]
+  const target_ = target.elements[ref.map(x => x.id || x).join('_')]
   return definitions[ensureNoDraftsSuffix(target_.target)]
 }
 

package/libx/_runtime/common/generic/auth/restrict.js

@@ -146,20 +146,15 @@ const _addRestrictionsToRead = async (req, model, resolvedApplicables) => {
     req.query._draftRestrictions = resolvedApplicables
     return
   }
+  // in case of $apply take a query from sub SELECT//
+  const query = req.query.SELECT.from.SELECT?.from?.ref ? req.query.SELECT.from : req.query
 
-  if (typeof req.query.SELECT.from === 'object')
-    // in case of $apply take a ref from sub SELECT//
-    req.query.SELECT.from.ref = _addWheresToRef(
-      req.query.SELECT.from.ref || req.query.SELECT.from.SELECT?.from?.ref,
-      model,
-      resolvedApplicables
-    )
+  query.SELECT.from.ref = _addWheresToRef(query.SELECT.from.ref, model, resolvedApplicables)
 
   const restrictionForTarget = _getRestrictionForTarget(resolvedApplicables, req.target)
   if (!restrictionForTarget) return
 
-  // apply restriction
-  req.query.where(restrictionForTarget)
+  query.where(restrictionForTarget)
 }
 
 const _getFromWithIsActiveEntityRemoved = from => {
@@ -229,7 +224,7 @@ async function handler(req) {
     return
   }
 
-  let restrictions = this.getRestrictions(definition, req.event, req.user)
+  let restrictions = this.getRestrictions.call(this, definition, req.event, req.user)
   if (restrictions instanceof Promise) restrictions = await restrictions
   if (!restrictions) {
     // > unrestricted

package/libx/_runtime/common/generic/auth/restrictions.js

@@ -1,3 +1,42 @@
+const WRITE_EVENTS = { CREATE: 1, NEW: 1, UPDATE: 1, PATCH: 1, DELETE: 1, CANCEL: 1, EDIT: 1 }
+const CRUD = Object.assign({ READ: 1 }, WRITE_EVENTS)
+
+/**
+ * Returns the applicable restrictions for the current request as follows:
+ * - null: unrestricted access
+ * - []: no access
+ * - [{ grant: '...', to: ['...'], where: '...' }, ...]: applicable restrictions with grant normalized to strings,
+ *     i.e., grant: ['CREATE', 'UPDATE'] in model becomes [{ grant: 'CREATE' }, { grant: 'UPDATE' }]
+ * - Promise resovling to any of the above (needed for CAS overrides)
+ *
+ * @param {object} definition - then csn definition of an entity or an (un)bound action or function
+ * @param {string} event - the event name
+ * @param {import('../../../../lib/req/user')} user - the current user
+ * @returns {Promise | Array | null}
+ */
+function getRestrictions(definition, event, user) {
+  const { model } = this
+  let restrictions = getNormalizedRestrictions(definition, model.definitions, event)
+  if (!restrictions && (event in CRUD || !definition.parent)) {
+    // > unrestricted entity or unbound
+    return null
+  }
+  if (event in CRUD && restrictions.length && restrictions.every(r => r.grant !== '*' && !(r.grant in CRUD))) {
+    // > only bounds are restricted
+    return null
+  }
+  if (!(event in CRUD) && !restrictions && definition.parent) {
+    // > bound without own restrictions -> get from parent
+    restrictions = getNormalizedRestrictions(definition.parent, model.definitions, event)
+    if (!restrictions) {
+      // > unrestricted bound
+      return null
+    }
+  }
+  // return the applicable restrictions (grant and to fit to request and user)
+  return getApplicableRestrictions(restrictions, event, user)
+}
+
 const _getLocalName = definition => {
   return definition._service ? definition.name.replace(`${definition._service.name}.`, '') : definition.name
 }
@@ -87,6 +126,7 @@ const getNormalizedPlainRestrictions = (restrictions, definition) => {
 }
 
 module.exports = {
+  getRestrictions,
   getNormalizedRestrictions,
   getApplicableRestrictions,
   getNormalizedPlainRestrictions

package/libx/_runtime/common/generic/auth/utils.js

@@ -10,11 +10,10 @@ const reject = (req, reason = null) => {
   if (req.user._is_anonymous) {
     // REVISIT: challenges handling should be done in protocol adapter (i.e., express error middleware)
     // REVISIT: improve `req.http.req` check if this is an HTTP request
-    if (req.http?.req && req.user._challenges && req.user._challenges.length > 0) {
+    if (req.http?.res && req.user._challenges && req.user._challenges.length > 0) {
       req.http.res.set('WWW-Authenticate', req.user._challenges.join(';'))
     }
 
-    // REVISIT: security log in else case?
     return req.reject(401)
   }