@sap/cds 7.1.1 → 7.2.0

package/apis/services.d.ts

@@ -9,6 +9,9 @@ import { ref } from './cqn'
 // import { Service } from './cds'
 
 export class QueryAPI {
+
+  entities : LinkedModel['entities']
+
   /**
    * @see [docs](https://cap.cloud.sap/docs/node.js/services#srv-run)
    */
@@ -57,7 +60,7 @@ export class QueryAPI {
     (query: Query): Promise<ResultSet | any>
     (query: string, args?: any[] | object): Promise<ResultSet | any>
   }
- 
+
   /**
    * @see [docs](https://cap.cloud.sap/docs/node.js/cds-facade?q=cds.delete)
    */
@@ -86,7 +89,7 @@ export class QueryAPI {
    */
   tx(context?: object): Transaction
   transaction(context?: object): Transaction
-  
+
   /**
    * @see [docs](https://pages.github.tools.sap/cap/docs/node.js/cds-context-tx?q=spawn#cds-spawn)
    */
@@ -166,8 +169,8 @@ export class Service extends QueryAPI {
    * @see [capire docs](https://cap.cloud.sap/docs/node.js/services#srv-emit)
    */
   emit: {
-    <T = any>(details: { event: Events; data?: object; headers?: object }): Promise<T>
-    <T = any>(event: Events, data?: object, headers?: object): Promise<T>
+    <T = any>(details: { event: EventArg; data?: object; headers?: object }): Promise<T>
+    <T = any>(event: EventArg, data?: object, headers?: object): Promise<T>
   }
 
   /**
@@ -175,12 +178,12 @@ export class Service extends QueryAPI {
    * @see [capire docs](https://cap.cloud.sap/docs/node.js/services#srvsend--method-path-data-headers--results-)
    */
   send: {
-    <T = any>(event: Events, path: string, data?: object, headers?: object): Promise<T>
-    <T = any>(event: Events, data?: object, headers?: object): Promise<T>
-    <T = any>(details: { event: Events; data?: object; headers?: object }): Promise<T>
+    <T = any>(event: EventArg, path: string, data?: object, headers?: object): Promise<T>
+    <T = any>(event: EventArg, data?: object, headers?: object): Promise<T>
+    <T = any>(details: { event: EventArg; data?: object; headers?: object }): Promise<T>
     <T = any>(details: { query: ConstructedQuery; data?: object; headers?: object }): Promise<T>
-    <T = any>(details: { method: Event; path: string; data?: object; headers?: object }): Promise<T>
-    <T = any>(details: { event: Event; entity: Definition | string; data?: object; params?: object }): Promise<T>
+    <T = any>(details: { method: EventName; path: string; data?: object; headers?: object }): Promise<T>
+    <T = any>(details: { event: EventName; entity: Definition | string; data?: object; params?: object }): Promise<T>
   }
 
   /**
@@ -213,28 +216,28 @@ export class Service extends QueryAPI {
   }
 
   // The central method to dispatch events
-  dispatch(msg: EventMessage): Promise<any>
+  dispatch(msg: Event): Promise<any>
 
   // Provider API
   prepend(fn: ServiceImpl): Promise<this>
-  on<T extends Constructable>(eve: Events, entity: T, handler: CRUDEventHandler.On<InstanceType<T>, InstanceType<T> | void | Error>): this
+  on<T extends Constructable>(eve: EventArg, entity: T, handler: CRUDEventHandler.On<InstanceType<T>, InstanceType<T> | void | Error>): this
   on<P,R>(boundAction: (args: P) => R, service: string, handler: ActionEventHandler<P, void | Error | R>): this
   on<P,R>(action: (args: P) => R, handler: ActionEventHandler<P, void | Error | R>): this
-  on(eve: Events, entity: Target, handler: OnEventHandler): this
-  on(eve: Events, handler: OnEventHandler): this
+  on(eve: EventArg, entity: Target, handler: OnEventHandler): this
+  on(eve: EventArg, handler: OnEventHandler): this
 
 
   // onSucceeded (eve: Events, entity: Target, handler: EventHandler): this
   // onSucceeded (eve: Events, handler: EventHandler): this
   // onFailed (eve: Events, entity: Target, handler: EventHandler): this
   // onFailed (eve: Events, handler: EventHandler): this
-  before<T extends Constructable>(eve: Events, entity: T, handler: CRUDEventHandler.Before<InstanceType<T>, InstanceType<T> | void | Error>): this
-  before(eve: Events, entity: Target, handler: EventHandler): this
-  before(eve: Events, handler: EventHandler): this
-  after<T extends Constructable>(eve: Events, entity: T, handler: CRUDEventHandler.After<InstanceType<T>, InstanceType<T> | void | Error>): this
-  after(eve: Events, entity: Target, handler: ResultsHandler): this
-  after(eve: Events, handler: ResultsHandler): this
-  reject(eves: Events, ...entity: Target[]): this
+  before<T extends Constructable>(eve: EventArg, entity: T, handler: CRUDEventHandler.Before<InstanceType<T>, InstanceType<T> | void | Error>): this
+  before(eve: EventArg, entity: Target, handler: EventHandler): this
+  before(eve: EventArg, handler: EventHandler): this
+  after<T extends Constructable>(eve: EventArg, entity: T, handler: CRUDEventHandler.After<InstanceType<T>, InstanceType<T> | void | Error>): this
+  after(eve: EventArg, entity: Target, handler: ResultsHandler): this
+  after(eve: EventArg, handler: ResultsHandler): this
+  reject(eves: EventArg, ...entity: Target[]): this
 }
 
 export interface Transaction extends Service {
@@ -242,6 +245,9 @@ export interface Transaction extends Service {
   rollback(): Promise<void>
 }
 
+export class ApplicationService extends Service {}
+export class MessagingService extends Service {}
+export class RemoteService extends Service {}
 export class DatabaseService extends Service {
   deploy(model?: csn | string): Promise<csn>
   begin(): Promise<void>
@@ -251,26 +257,29 @@ export class DatabaseService extends Service {
 
 export interface ResultSet extends Array<{}> {}
 
-export class cds {
+declare class cds {
   /**
    * @see [capire docs](https://cap.cloud.sap/docs/node.js/services)
    */
   Service: typeof Service
+  Request: typeof Request
+  Event: typeof Event
+  EventContext: typeof EventContext
 
   /**
    * @see [capire docs](https://cap.cloud.sap/docs/node.js/app-services)
    */
-  ApplicationService: typeof Service
+  ApplicationService: typeof ApplicationService
 
   /**
    * @see [capire docs](https://cap.cloud.sap/docs/node.js/remote-services)
    */
-  RemoteService: typeof Service
+  RemoteService: typeof RemoteService
 
   /**
    * @see [capire docs](https://cap.cloud.sap/docs/node.js/messaging)
    */
-  MessagingService: typeof Service
+  MessagingService: typeof MessagingService
 
   /**
    * @see [capire docs](https://cap.cloud.sap/docs/node.js/databases)
@@ -336,7 +345,7 @@ interface ResultsHandler {
  * Represents the invocation context of incoming request and event messages.
  * @see [capire docs](https://cap.cloud.sap/docs/node.js/requests)
  */
-interface EventContext {
+export class EventContext {
   timestamp: Date
   locale: string
   id: string
@@ -347,7 +356,7 @@ interface EventContext {
 /**
  * @see [capire docs](https://cap.cloud.sap/docs/node.js/requests)
  */
-interface EventMessage extends EventContext {
+export class Event extends EventContext {
   event: string
   data: any
   headers: {}
@@ -379,7 +388,7 @@ interface Options {
 /**
  * @see [capire docs](https://cap.cloud.sap/docs/node.js/requests)
  */
-interface Request extends EventMessage {
+export class Request extends Event {
   params: (string | {})[]
   method: string
   path: string
@@ -414,8 +423,10 @@ interface Request extends EventMessage {
   reject(message: { code?: number | string; message: string; target?: string; args?: {}, status?: number }): Error
 }
 
-type Events = Event | Event[]
-type Event = (CRUD | TX | HTTP | DRAFT) | (CustomOp & {})
+export default cds
+
+type EventArg = EventName | EventName[]
+type EventName = (CRUD | TX | HTTP | DRAFT) | (CustomOp & {})
 type CRUD = 'CREATE' | 'READ' | 'UPDATE' | 'DELETE'
 type DRAFT = 'NEW' | 'EDIT' | 'PATCH' | 'SAVE'
 type HTTP = 'GET' | 'PUT' | 'POST' | 'PATCH' | 'DELETE'

package/apis/test.d.ts

@@ -1,6 +1,5 @@
 import { AxiosInstance } from 'axios';
 import chai from 'chai';
-import * as main_cds from './cds';
 import * as http from 'http';
 import { Service } from './services';
 
@@ -37,7 +36,7 @@ declare class Test extends Axios {
   get expect(): typeof chai.expect;
   get assert(): typeof chai.assert;
   get data(): DataUtil;
-  get cds(): typeof main_cds;
+  get cds(): typeof import('./cds').default;
 
   then(r: (args: { server: http.Server, url: string }) => void): void;
 

package/bin/serve.js

@@ -111,7 +111,7 @@ module.exports = Object.assign ( serve, {
         database, if any, and only adds an in-memory database if no
         persistent one is configured.
 
-        Requires an sqlite driver to be installed. For example: _npm i sqlite3_.
+        Requires an SQLite driver to be installed. For example: _npm i @cap-js/sqlite_.
 
 # EXAMPLES
 
@@ -168,7 +168,7 @@ async function serve (all=[], o={}) {
   const cds_server = await _local_server_js() || cds.server
   if (!o.silent) _prepare_logging ()
 
-  // The following things are meant for dev mode, which can be overruled by feature flagse...
+  // The following things are meant for dev mode, which can be overruled by feature flags...
   const {features} = cds.env
   {
     // handle --with-mocks resp. --mocked
@@ -206,8 +206,8 @@ async function serve (all=[], o={}) {
 
     const LOG = cds.log('cli|server')
     cds.shutdown = _shutdown //> for programmatic invocation
-    process.on('unhandledRejection', e => _shutdown (e, cds.log('cds').error('❗️Uncaught',e)))
-    process.on('uncaughtException', e => _shutdown (e, cds.log('cds').error('❗️Uncaught',e)))
+    process.on('unhandledRejection', e => _shutdown (e, cds.log().error('❗️Uncaught',e))) //> using std logger to have it labelled with [cds] - instead of [cli] -
+    process.on('uncaughtException', e => _shutdown (e, cds.log().error('❗️Uncaught',e)))  //> using std logger to have it labelled with [cds] - instead of [cli] -
     process.on('SIGINT', cds.watched ? _shutdown : (s,n)=>_shutdown(s,n,console.log())) //> newline after ^C
     process.on('SIGHUP', _shutdown)
     process.on('SIGHUP2', _shutdown)

package/lib/auth/basic-auth.js

@@ -12,7 +12,7 @@ module.exports = function basic_auth (options) {
     // get basic authorization header
     let auth = req.headers.authorization
     // enforce login if requested
-    if (!auth || !auth.match(/^basic/i)) return login_required ? req._login('Logged in user required!') : next()
+    if (!auth || !auth.match(/^basic/i)) return login_required ? req._login('Logged in user required!') : req.user = new cds.User.default, next()
     // decode user credentials from autorization header
     let [id,pwd] = Buffer.from(auth.slice(6),'base64').toString().split(':')
     // verify user credentials and set req.user

package/lib/auth/dummy-auth.js

@@ -1,4 +1,5 @@
-const { User: { privileged }} = require ('../index')
+const { User: { privileged } } = require ('../index')
+
 module.exports = function dummy_auth() {
   return function dummy_auth (req, res, next) {
     req.user = privileged

package/lib/auth/ias-auth.js

@@ -1,2 +1,68 @@
-module.exports = require('../../libx/_runtime/auth/strategies/ias-auth')
-// TODO: could move that implementation over here and link from libx/_runtime
+const cds = require('../')
+const LOG = cds.log('auth')
+
+// _require for better error message
+const _require = require('../../libx/_runtime/common/utils/require')
+const express = _require('express')
+const passport = _require('passport')
+const { JWTStrategy } = _require('@sap/xssec')
+
+const RESERVED_ATTRIBUTES = new Set(['aud', 'azp', 'exp', 'ext_attr', 'iat', 'ias_iss', 'iss', 'jti', 'sub', 'user_uuid', 'zone_uuid', 'zid'])
+
+module.exports = function ias_auth(config) {
+  if (!config.credentials) {
+    let msg = `Authentication kind "${config.kind}" configured, but no IAS instance bound to application.`
+    msg += ' Either bind an IAS instance, or switch to an authentication kind that does not require a binding.'
+    throw new Error(msg)
+  }
+
+  passport.use('IAS', new JWTStrategy(config.credentials))
+
+  return express
+    .Router()
+    .use((req, res, next) => {
+      // callback needed in order to suppress 401 and continue with anonymous to allow @requires: 'any'/ restrict_all_services=false
+      const callback = (err, user, info, _status) => {
+        if (err) return next(err)
+
+        if (user) {
+          req.user = user
+          req.authInfo = info
+        } else {
+          req.user = new cds.User.default
+          if (LOG._debug && req.tokenInfo)
+            LOG.debug('Error during token validation:', req.tokenInfo.getErrorObject().message)
+        }
+
+        next()
+      }
+      passport.authenticate('IAS', { session: false }, callback)(req, res, next)
+    })
+    .use((req, res, next) => {
+      if (!('authInfo' in req)) return next()
+
+      if (req.tokenInfo.getClientId() === req.tokenInfo.getSubject()) //> grant_type === client_credentials or x509
+        req.user = new cds.User({
+          id: 'system',
+          roles: ['authenticated-user', 'system-user'],
+          attr: {}
+        })
+      else {
+        // add all unknown attributes to req.user.attr in order to keep public API small
+        const payload = req.tokenInfo.getPayload()
+        const attributes = Object.keys(payload)
+          .filter(k => !RESERVED_ATTRIBUTES.has(k))
+          .reduce((attrs, k) => { attrs[k] = payload[k]; return attrs }, {})
+
+        req.user = new cds.User({
+          id: req.user.id,
+          roles: ['authenticated-user'],
+          attr: attributes
+        })
+      }
+
+      req.tenant = req.tokenInfo.getZoneId()
+
+      next()
+    })
+}

package/lib/auth/index.js

@@ -1,4 +1,3 @@
-
 const cds = require ('../index'), { path, local } = cds.utils
 
 const _require = require; require = cds.lazified (module) // eslint-disable-line no-global-assign
@@ -12,23 +11,24 @@ module.exports = Object.assign (auth_factory, {
 })
 require = _require // eslint-disable-line no-global-assign
 
-
 /**
  * Constructs one of the above middlewares as configured
  */
 function auth_factory (options) {
   const o = { ...options, ...cds.requires.auth }
   let kind = o.impl ? 'custom' : o.kind || o.strategy
-  let middleware = cds.auth[kind]
+  let middleware = cds.auth[kind] || cds.auth[kind?.replace(/-auth$/, '')]
   if (middleware) {
-    cds.log().info ('using auth strategy:', { kind }, '\n')
+    // REVISIT: here, kind may be misleading, e.g., "basic-auth" instead of "mocked" -> _kind workaround
+    const _kind = (o._kind || kind).replace(/-auth$/, '') //> official auth kinds are NOT postfixed with "-auth"
+    cds.log().info ('using authentication:', { kind: _kind }, '\n')
   } else {
     let impl = kind === 'custom' ? cds.resolve (o.impl)?.[0] : path.resolve (__dirname, kind)
     try { impl = require.resolve (impl) }  catch {
       const e = o.impl ? `Cannot find custom impl at: ${o.impl}` : `Cannot find unknown auth kind: ${o.kind}`
       throw cds.error(e)
     }
-    cds.log().info ('using auth strategy:', { kind, impl: local(impl) }, '\n')
+    cds.log().info ('using authentication:', { kind, impl: local(impl) }, '\n')
     middleware = require(impl)
   }
   if ((typeof middleware === 'function' && middleware.length === 3) || Array.isArray(middleware)) {

package/lib/auth/jwt-auth.js

@@ -1,41 +1,64 @@
 const cds = require('../')
-const _require = require('../../libx/_runtime/common/utils/require')
+const LOG = cds.log('auth')
+
 // _require for better error message
+const _require = require('../../libx/_runtime/common/utils/require')
 const express = _require('express')
 const passport = _require('passport')
 const { JWTStrategy } = _require('@sap/xssec')
-const LOG = cds.log('auth')
 
 module.exports = function jwt_auth(config) {
-  // warn if no credentials
   if (!config.credentials) {
-    LOG._warn &&
-      LOG.warn(`Authentication kind "${config.kind}" configured, but no XSUAA instance bound to application.
-        This is NOT recommended in production!`)
-    return (req,res,next) => next()
+    let msg = `Authentication kind "${config.kind}" configured, but no XSUAA instance bound to application.`
+    msg += ' Either bind an IAS instance, or switch to an authentication kind that does not require a binding.'
+    throw new Error(msg)
   }
 
-  passport.use(config.kind, new JWTStrategy(config.credentials))
+  passport.use('JWT', new JWTStrategy(config.credentials))
+
   return express
     .Router()
-    .use(passport.authenticate(config.kind, { session: false }))
     .use((req, res, next) => {
+      // callback needed in order to suppress 401 and continue with anonymous to allow @requires: 'any'/ restrict_all_services=false
+      const callback = (err, user, info, _status) => {
+        if (err) return next(err)
+
+        if (user) {
+          req.user = user
+          req.authInfo = info
+        } else {
+          req.user = new cds.User.default
+          if (LOG._debug && req.tokenInfo)
+            LOG.debug('Error during token validation:', req.tokenInfo.getErrorObject().message)
+        }
+
+        next()
+      }
+      passport.authenticate('JWT', { session: false }, callback)(req, res, next)
+    })
+    .use((req, res, next) => {
+      if (!('authInfo' in req)) return next()
+
       const payload = req.tokenInfo.getPayload()
 
       let id = req.user.id
-      let _is_system, _is_internal
 
-      let roles = payload.scope.map(s => s.replace(new RegExp(`^(${config.credentials.xsappname + '.'})`), ''))
+      // Roles = scope names w/o xsappname
+      let xsappname = new RegExp(`^${config.credentials.xsappname}\\.`)
+      let roles = payload.scope.map(s => s.replace(xsappname, ''))
+
+      // Disallow setting system roles from external
+      roles = roles.filter(r => !(r in { 'internal-user': 1, 'system-user': 1 }))
+
       roles.push('identified-user')
       if (payload.grant_type) {
         // > not "weak"
         roles.push('authenticated-user')
 
-        const CLIENT = { client_credentials: 1, client_x509: 1 }
-        if (payload.grant_type in CLIENT) {
+        if (payload.grant_type in { client_credentials: 1, client_x509: 1 }) {
           id = 'system'
-          _is_system = true
-          if (req.tokenInfo.getClientId() === config.credentials.clientid) _is_internal = true
+          roles.push('system-user')
+          if (req.tokenInfo.getClientId() === config.credentials.clientid) roles.push('internal-user')
         }
       }
 
@@ -47,16 +70,9 @@ module.exports = function jwt_auth(config) {
         attr.email = req.authInfo.getEmail()
       }
 
-      req.user = new cds.User({ id, roles, attr, _is_system, _is_internal })
+      req.user = new cds.User({ id, roles, attr })
       req.tenant = req.tokenInfo.getZoneId?.()
+
       next()
     })
-    .use((err, req, res, _next) => {
-      if (req.tokenInfo) {
-        LOG?.debug('error during token validation', req.tokenInfo.getErrorObject())
-      }
-      // REVISIT: reject request immediately as our other auth strategies do
-      // should we call next(err)? -> I don't think so; it's not an error, is it?
-      res.status(401).json({ code: '401', message: 'Unauthorized' }) // REVISIT: this is OData style?
-    })
 }

package/lib/auth/mocked-users.js

@@ -10,19 +10,6 @@ class MockedUsers {
       if (typeof v === 'boolean') continue
       if (typeof v === 'string') v = { password:v }
       let id = _configured(v).id || k
-
-      // Only for mock users the pseudo roles are kept in the role list.
-      // In all other cases pseudo roles are filtered out.
-      if (v.roles) {
-        if (Array.isArray(v.roles)) {
-          if (v.roles.includes('system-user')) v._is_system = true
-          if (v.roles.includes('internal-user')) v._is_internal = true
-        } else {
-          if ('system-user' in v.roles) v._is_system = true
-          if ('internal-user' in v.roles) v._is_internal = true
-        }
-      } else v.roles = []
-
       let u = users[id] = new User ({ id, ...v })
       let fts = tenants[u.tenant]?.features
       if (fts && !u.features) u.features = fts

package/lib/auth/passport-basic.js

@@ -1,3 +1,5 @@
+// REVISIT: either document passport basic auth or remove it
+
 /* eslint-disable cds/no-missing-dependencies */
 module.exports = function passport_basic_auth (options) {
   // const session = require('express-session')({ secret:'secret', resave:false, saveUninitialized:true, })

package/lib/auth/passport-digest.js

@@ -1,3 +1,5 @@
+// REVISIT: either document passport digest auth or remove it
+
 /* eslint-disable cds/no-missing-dependencies */
 module.exports = function passport_digest_auth (options) {
   // const session = require('express-session')({ secret:'secret', resave:false, saveUninitialized:true, })

package/lib/compile/etc/_localized.js

@@ -2,7 +2,6 @@ const cds = require('../..'), {env} = cds
 const DEBUG = cds.debug('alpha|_localized')
 const _locales_4sql = {
 	sqlite : env.i18n.for_sqlite || env.i18n.for_sql || [],
-	h2 :     env.i18n.for_sql || [],
 	plain  : env.i18n.for_sql || [],
 }
 

package/lib/compile/extend.js

@@ -3,15 +3,31 @@ const { extend } = require ('../lazy')
 
 module.exports = o => o.definitions ? { with(...csns) {
 
+  // merge all extension csns
   const csn=o, merged = { definitions: {}, extensions: [] }
   for (const { definitions, extensions } of csns) {
     if (definitions) Object.assign(merged.definitions, definitions)
     if (extensions) merged.extensions.push(...extensions)
   }
+
+  // extend given base csn with merged extensions
   const extended = compile({
     'base.csn': compile.to.json(csn),
     'ext.csn': compile.to.json(merged)
   })
+
+  // handle localized extension elements
+  for (let ext of merged.extensions) {
+    for (let name in ext.elements) {
+      const e = ext.elements[name]
+      if (e.localized) {
+        // add localized element also to respective .texts entity
+        const texts = extended.definitions[ext.extend+'.texts']
+        texts.elements[name] ??= { ...e, localized:null }
+      }
+    }
+  }
+
   extended.$sources = csn.$sources // required to load resources like i18n later on
   return extended
 

package/lib/compile/for/lean_drafts.js

@@ -72,17 +72,49 @@ module.exports = function cds_compile_for_lean_drafts(csn) {
     // Positive list would be bigger (search, requires, fiori, ...)
     if (draft['@readonly']) draft['@readonly'] = undefined
     if (draft['@insertonly']) draft['@insertonly'] = undefined
-    if (draft['@restrict']) draft['@restrict'] = undefined
-    if ('@Capabilities.DeleteRestrictions.Deletable' in draft) draft['@Capabilities.DeleteRestrictions.Deletable'] = undefined
-    if ('@Capabilities.InsertRestrictions.Insertable' in draft) draft['@Capabilities.InsertRestrictions.Insertable'] = undefined
-    if ('@Capabilities.UpdateRestrictions.Updatable' in draft) draft['@Capabilities.UpdateRestrictions.Updatable'] = undefined
-    if ('@Capabilities.NavigationRestrictions.RestrictedProperties' in draft) draft['@Capabilities.NavigationRestrictions.RestrictedProperties'] = undefined
+    if (draft['@restrict']) {
+      const restrictions = ['CREATE', 'WRITE', '*']
+      draft['@restrict'] = draft['@restrict']
+        .map(d => ({
+          ...d,
+          grant:
+            d.grant && Array.isArray(d.grant)
+              ? d.grant.filter(g => restrictions.includes(g))
+              : typeof d.grant === 'string' && restrictions.includes(d.grant)
+              ? [d.grant]
+              : []
+        }))
+        .filter(r => r.grant.length > 0)
+      if (draft['@restrict'].length > 0) {
+        // Change WRITE & CREATE to NEW
+        draft['@restrict'] = draft['@restrict'].map(d => {
+          if (d.grant.includes('WRITE') || d.grant.includes('CREATE')) {
+            return { ...d, grant: 'NEW' }
+          }
+          return d
+        })
+      } else {
+        draft['@restrict'] = undefined
+      }
+    }
+    if ('@Capabilities.DeleteRestrictions.Deletable' in draft)
+      draft['@Capabilities.DeleteRestrictions.Deletable'] = undefined
+    if ('@Capabilities.InsertRestrictions.Insertable' in draft)
+      draft['@Capabilities.InsertRestrictions.Insertable'] = undefined
+    if ('@Capabilities.UpdateRestrictions.Updatable' in draft)
+      draft['@Capabilities.UpdateRestrictions.Updatable'] = undefined
+    if ('@Capabilities.NavigationRestrictions.RestrictedProperties' in draft)
+      draft['@Capabilities.NavigationRestrictions.RestrictedProperties'] = undefined
 
     // Recursively add drafts for compositions
     for (const each in draft.elements) {
       const e = draft.elements[each]
       const newEl = Object.create(e)
-      if (e.isComposition || (e.isAssociation && e['@odata.draft.enclosed']) || ((!active['@Common.DraftRoot.ActivationAction'] || e._target === active) && _isCompositionBacklink(e))) {
+      if (
+        e.isComposition ||
+        (e.isAssociation && e['@odata.draft.enclosed']) ||
+        ((!active['@Common.DraftRoot.ActivationAction'] || e._target === active) && _isCompositionBacklink(e) && _isDraft(e._target))
+      ) {
         if (e._target['@odata.draft.enabled'] === false) continue // happens for texts if @fiori.draft.enabled is not set
         _redirect(newEl, addDraftEntity(e._target, model))
       }

package/lib/compile/resolve.js

@@ -14,7 +14,6 @@ const suffixes = [ '.csn', '.cds', sep+'index.csn', sep+'index.cds', sep+'csn.js
 * @returns and array of absolute filenames
 */
 module.exports = exports = function cds_resolve (model, o={}) { // NOSONAR
-
   if (!model || model === '--') return
   if (model._resolved) return model
   if (model === '*') return _resolve_all(o,this)
@@ -25,7 +24,7 @@ module.exports = exports = function cds_resolve (model, o={}) { // NOSONAR
   if (model.endsWith('/*')) return _resolve_subdirs_in(model,o,this)
 
   const cwd = o.root || this.root, local = resolve (cwd,model)
-  const context = _paths(cwd,o), {cached} = context
+  const context = _paths(cwd,o,this), {cached} = context
   let id = model.startsWith('.') ? local : model
   if (id in cached)  return cached[id]
 
@@ -93,11 +92,14 @@ function _resolve_subdirs_in (pattern='fts/*',o,cds) {
   }
 }
 
-function _paths (dir,o) {
+function _paths (dir,o,cds) {
   const cache = o.cache || exports.cache
   const cached = cache[dir]; if (cached)  return cached
-  const a = dir.split(sep), n = a.length, nm = sep+'node_modules'
-  const paths = [ dir, ...a.map ((_,i,a)=> a.slice(0,n-i).join(sep)+nm) ]
+  const a = dir.split(sep), n = a.length, paths = [ dir ]
+  const { cdsc: { moduleLookupDirectories }} = o.env ?? cds.env
+  for (const mld of moduleLookupDirectories) { // node_modules/ usually, more for Java
+    paths.push(...a.map ((_,i,a)=> a.slice(0,n-i).join(sep)+sep+mld))
+  }
   return cache[dir] = { paths, cached:{} }
 }
 

package/lib/compile/to/json.js

@@ -4,6 +4,7 @@ const path = require('path')
 module.exports = (csn,o={}) => {
   const relative = filename => (o.src !== o.cwd) ? path.relative(o.src, path.join(o.cwd, filename)) : filename
   const relative_cds_home = RegExp ('^' + path.relative (o.src || o.cwd || cds.root, cds.home) + '/')
+  const { moduleLookupDirectories } = cds.env.cdsc
 
   const resolver = (_,v) => {
 
@@ -20,9 +21,12 @@ module.exports = (csn,o={}) => {
       // Preserve original sources for services so we can use them for finding
       // sibling implementation files when reloaded from csn.json.
       let file = relative(v.$location.file)
-        .replace(relative_cds_home,'@sap/cds/')
-        .replace('node_modules/','')
         .replace(/\\/g,'/')
+        .replace(relative_cds_home,'@sap/cds/')
+      for (const mld of moduleLookupDirectories) { // node_modules/ usually, more for Java
+        file = file.replace(mld, '')
+      }
+
       // If there is still a relative path pointing outside of cwd, convert it to a module path
       // e.g. ../bookshop/srv/cat-service.cds -> @capire/bookshop/srv/cat-service.cds
       if (file.startsWith('../')) {