@sap/cds 7.1.1 → 7.2.0

package/lib/dbs/cds-deploy.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 const cds = require('../index'), { local } = cds.utils
-const COLORS = !!process.stdout.isTTY && !!process.stderr.isTTY
+const COLORS = !!process.stdout.isTTY && !!process.stderr.isTTY && !process.env.NO_COLOR
 const GREY = COLORS ? '\x1b[2m' : ''
 const RESET = COLORS ? '\x1b[0m' : ''
 let DEBUG // IMPORTANT: initialized later after await cds.plugins
@@ -80,7 +80,7 @@ exports.create = async function cds_deploy_create (db, csn=db.model, o) {
   let schevo = o.schema_evolution === 'auto' || o['with-auto-schema-evolution'] || o['model-only'] || o['delta-from'] || (o.kind === 'postgres' && o.schema_evolution !== false);
   if (schevo) {
     const { prior, table_exists } = await get_prior_model()
-    const { afterImage, drops: d, createsAndAlters } = cds.compile.to.sql.delta(csn, o, prior && JSON.parse(prior))
+    const { afterImage, drops: d, createsAndAlters } = cds.compile.to.sql.delta(csn, o, prior);
     const after = JSON.stringify(afterImage)
     if (!o.dry && after != prior) {
       if (!table_exists) {
@@ -135,7 +135,7 @@ exports.create = async function cds_deploy_create (db, csn=db.model, o) {
     let file = o['delta-from']
     if (file) {
       let prior = await cds.utils.read(file)
-      return { prior }
+      return { prior: typeof prior === 'string' ? JSON.parse(prior) : prior }
     }
     if (o.dry) return {}
 
@@ -153,7 +153,7 @@ exports.create = async function cds_deploy_create (db, csn=db.model, o) {
 
     if (table_exists) {
       let [{ csn }] = await db.run('SELECT csn from cds_model')
-      return { prior: csn, table_exists }
+      return { prior: csn && JSON.parse(csn), table_exists }
     }
     return { table_exists } // no prior csn
   }

package/lib/env/cds-env.js

@@ -33,6 +33,7 @@ class Config {
     if (NODE_ENV) profiles.push (NODE_ENV)
     if (CDS_ENV) profiles.push (...CDS_ENV.split(/\s*,\s*/))
     if (_home) _add_static_profiles (_home, profiles);
+    if (_home && this['project-nature'] === 'java') profiles.push('java')
     if (!profiles.includes('production')) profiles.push('development')
     this._profiles = new Set (profiles)
     this._profiles._defined = new Set
@@ -173,8 +174,8 @@ class Config {
    * For BAS only: to find out whether this is a Java or Node.js project
    */
   get "project-nature" () {
-    const has_pom_xml = [this.folders.srv,'.'] .some (
-      f => isfile (path.join (this._home, f, 'pom.xml'))
+    const has_pom_xml = [this.folders?.srv,'.'] .some (
+      f => f && isfile (path.join (this._home, f, 'pom.xml'))
     )
     return has_pom_xml ? 'java' : 'nodejs'
   }
@@ -193,7 +194,6 @@ class Config {
   //    The following are internal APIs which can always change!
   //
 
-
   _add_to_process_env (cwd, filename) {
     const file = path.resolve (cwd,filename)
     try {

package/lib/env/cds-requires.js

@@ -46,6 +46,7 @@ const _authentication_strategies = {
     tenants: {}
   },
   "mocked-auth": {
+    _kind: 'mocked', // REVISIT: workaround to distinguish from 'basic-auth' (cf. restrict_all_services)
     kind: 'basic-auth',
     users: {
       alice: { tenant: 't1', roles: [ ...admin ] },

package/lib/env/defaults.js

@@ -149,7 +149,10 @@ const defaults = module.exports = {
   },
 
   build: {
-    target: 'gen'
+    target: 'gen',
+    '[java]': {
+      target: '.'
+    }
   },
 
   mtx: {
@@ -163,6 +166,10 @@ const defaults = module.exports = {
   },
 
   cdsc: {
+    moduleLookupDirectories: ['node_modules/'],
+    '[java]': {
+      moduleLookupDirectories: ['node_modules/', 'target/cds/'],
+    }
     // cv2: {
     //   _localized_entries: true,
     //   _texts_entries: true,

package/lib/env/schemas/cds-rc.json

@@ -11,7 +11,7 @@
     "profile": {
       "description": "A single static profile",
       "anyOf": [
-        { "enum": [ "mtx-sidecar", "with-mtx-sidecar" ] },
+        { "enum": [ "mtx-sidecar", "with-mtx-sidecar", "java" ] },
         { "type": "string" }
       ]
     },
@@ -257,8 +257,32 @@
           "description": "Enables new middlewares support (experimental)."
         },
         "multitenancy": {
-          "type": "boolean",
-          "description": "Shortcut to enable multitenancy."
+          "oneOf": [
+            {
+              "type": "boolean",
+              "description": "Shortcut to enable multitenancy."
+            },
+            {
+              "type": "object",
+              "description": "Multitenancy configuration options.",
+              "properties": {
+                "jobs": {
+                  "type": "object",
+                  "description": "Configuration options for the built-in async job executor.",
+                  "properties": {
+                    "workerSize": {
+                      "type": "number",
+                      "description": "Number of workers running in parallel per database."
+                    },
+                    "clusterSize": {
+                      "type": "number",
+                      "description": "Number of databases executing parallel tasks."
+                    }
+                  }
+                }
+              }
+            }
+          ]
         },
         "extensibility": {
           "oneOf": [

package/lib/i18n/localize.js

@@ -3,7 +3,7 @@ const {existsSync, readdirSync} = require ('fs')
 const {join,dirname,resolve,parse,sep} = require ('path')
 
 const DEBUG = cds.debug('i18n')
-const _node_modules = sep + 'node_modules'
+const _node_modules = cds.env.cdsc.moduleLookupDirectories.map(d => sep+d.slice(0, -1))
 
 module.exports = Object.assign (localize, {
   bundles4, folders4, folder4, bundle4
@@ -182,8 +182,8 @@ function folder4 (loc) {
   }
   //> no --> search up the folder hierarchy up to cds.root, cds.home, or some .../node_modules/<package>
   let next = dirname(loc)
-  if (next.includes(_node_modules)) {
-    if (next.endsWith(_node_modules)) return folder4[loc] = null
+  if (_node_modules.some(m => next.includes(m))) {
+    if (_node_modules.some(m => next.endsWith(m))) return folder4[loc] = null
   } else {
     if (!(
       next.startsWith(cds.root) ||

package/lib/index.js

@@ -139,3 +139,7 @@ global.cds = cds // REVISIT: using global.cds seems wrong
 
 // install jest util if jest is defined
 if (process.env.CDS_JEST_MEM_FIX && typeof jest !== 'undefined') require('./utils/jest.js')
+
+// Allow for import cds from '@sap/cds' without esModuleInterop
+Object.defineProperty(module.exports, "__esModule", { value: true });
+module.exports.default = module.exports

package/lib/log/cds-log.js

@@ -1,5 +1,6 @@
 const cds = require ('../index'), conf = cds.env.log
 const log = module.exports = exports = cds_log
+const path = require('path')
 
 /**
  * Cache used for all constructed loggers.
@@ -167,7 +168,15 @@ const { ERROR, WARN, INFO, DEBUG, TRACE } = exports.levels = {
 
 ;(function _init() {
   const conf = cds.env.log
-  if (conf.Logger) exports.Logger = require (conf.Logger) // Use configured logger in case of cds serve
+  if (conf.Logger) {
+    let resolvedPath
+    try { resolvedPath = require.resolve(conf.Logger) } catch { 
+      try { resolvedPath = require.resolve(path.join(cds.root, conf.Logger)) } catch {
+        throw new Error(`Cannot find logger at "${conf.Logger}"`)
+      }
+    }
+    exports.Logger = require (resolvedPath) // Use configured logger in case of cds serve
+  }
   if (conf.service) {
     const {app} = cds, serveIn = app => require('./service').serveIn(app)
     app ? setImmediate(() => serveIn(app)) : cds.on('bootstrap', app => serveIn(app))

package/lib/ql/Whereable.js

@@ -78,12 +78,16 @@ const _object_predicate = ([arg], _clause) => { // e.g. .where ({ID:4711, stock:
       pred.push('or', ...predicate4([x],_clause))
       continue
     }
+    if (k === 'not') {
+      pred.push('not', {xpr:predicate4([x],_clause)})
+      continue
+    }
     if (k === 'exists') {
-      pred.push(pred.length && 'and', 'exists', typeof x === 'object' ? x : { ref: x.split('.') })
+      pred.push('and', 'exists', typeof x === 'object' ? x : { ref: x.split('.') })
       continue
     }
     if (k === 'not exists') {
-      pred.push(pred.length && 'and', 'not', 'exists', typeof x === 'object' ? x : { ref: x.split('.') })
+      pred.push('and', 'not', 'exists', typeof x === 'object' ? x : { ref: x.split('.') })
       continue
     }
     else pred.push('and', parse.expr(k))
@@ -97,7 +101,7 @@ const _object_predicate = ([arg], _clause) => { // e.g. .where ({ID:4711, stock:
     else if (_clause === 'on' && typeof x === 'string') pred.push('=', { ref: x.split('.') })
     else pred.push('=', {val:x})
   }
-  return pred.slice(1)
+  return pred[0] === 'and' ? pred.slice(1) : pred
 }
 
 const _fluid_predicate = (args) => { // e.g. .where ('ID=',4711, 'and stock >=',1)

package/lib/req/user.js

@@ -1,5 +1,3 @@
-const PSEUDO_ROLES = ['system-user', 'internal-user']
-
 class User {
 
   constructor (_) {
@@ -8,27 +6,31 @@ class User {
       if (new.target === Anonymous) return
       else return new User.default
     }
-    if (typeof _ === 'string') { this.id = _; return }
-    for (let each in _) super[each === '_roles' ? 'roles' : each] = _[each] // overrides getters
-    const roles = this.hasOwnProperty('roles') && this.roles // eslint-disable-line no-prototype-builtins
-    if (Array.isArray(roles)) this.roles = roles.filter(r => !PSEUDO_ROLES.includes(r)).reduce ((p,n)=>{p[n]=1; return p},{})
-    else PSEUDO_ROLES.forEach(r => delete this.roles[r])
+    else if (typeof _ === 'string') this.id = _
+    else Object.assign(this,_)
   }
 
   get attr() { return super.attr = {} }
+  set attr(a) { super.attr = a }
+
   get roles(){ return super.roles = {} }
-  get _roles(){ return this.roles } // compatibility
-
-  is (role) { 
-    return role === 'any' || 
-      role === 'identified-user' || 
-      role === 'system-user' && this._is_system || 
-      role === 'internal-user' && this._is_internal || 
-      role === 'authenticated-user' || 
-      !!this.roles[role] 
+  set roles(r) {
+    super.roles = !Array.isArray(r) ? r : r.reduce((p,n)=>{ p[n]=1; return p },{})
+  }
+
+  is (role) {
+    return (
+      role === 'authenticated-user' ||
+      role === 'identified-user' ||
+      role === 'any' ||
+      !!this.roles[role]
+    )
   }
   valueOf() { return this.id }
 
+  // compatibility
+  get _roles(){ return this.roles }
+  set _roles(r){ this.roles = r }
 }
 
 /**

package/lib/srv/middlewares/sap-statistics.js

@@ -1,10 +1,10 @@
-const { performance:{now} } = require ('perf_hooks')
+const { performance } = require ('perf_hooks')
 
 module.exports = (prec = 1000) => function sap_statistics (req, res, next) {
   if (req.query['sap-statistics'] || req.headers['sap-statistics']) {
-    const { writeHead } = res, t0 = now()
+    const { writeHead } = res, t0 = performance.now()
     res.writeHead = function (...args) {
-      const total = ((now() - t0) / prec).toFixed(2)
+      const total = ((performance.now() - t0) / prec).toFixed(2)
       if (res.statusCode < 400) res.setHeader('sap-statistics', `total=${total}`)
       writeHead.call(this, ...args)
     }

package/lib/srv/middlewares/trace.js

@@ -24,19 +24,20 @@ if (!LOG._debug) module.exports = ()=>[]; else {
     }
   }
 
-  const { performance:{now} } = require ('perf_hooks')
+  const { performance } = require ('perf_hooks')
   const { format } = require ('util')
 
   class PerfTrace extends Array {
     log (...details) {
-      const e = { details, start:now() }
+      const e = { details, start:performance.now() }
+      console.log(e)
       return this.push(e), e
     }
     done (e) {
-      return e.stop = now()
+      return e.stop = performance.now()
     }
     toString ({truncate}) {
-      const t0 = this[0].start; if (!this[0].stop) this[0].stop = now()
+      const t0 = this[0].start; if (!this[0].stop) this[0].stop = performance.now()
       return '\n'+ this.map (e => truncate (format (
         (e.start - t0).toFixed(2).padStart(6), '→',
         (e.stop  - t0).toFixed(2).padEnd(6), '= ',

package/lib/srv/srv-dispatch.js

@@ -114,16 +114,17 @@ const _ensure_target = (srv,req) => {
   req.target = typeof q === 'object' ? cds.infer(q,defs) : defs[req.path]
 }
 
-const _ensure_fqn = (x,p,srv, name = x[p]) => {
-  if (typeof name === 'string') {
+const _ensure_fqn = (x,p,srv, from = x[p]) => {
+  if (!from) return
+  if (typeof from === 'string') {
     if (srv.isDatabaseService) return
-    if (srv.model && name in srv.model.definitions) return
-    if (name.startsWith(srv.namespace)) return
-    if (name.endsWith('_drafts')) return // REVISIT: rather fix test/fiori/localized-draft.test.js ?
-    else x[p] = `${srv.namespace}.${name}`
-  } else if (name.ref) {
-    const [head] = name.ref
-    head.id ? _ensure_fqn(head,'id',srv) : _ensure_fqn(name.ref,0,srv)
+    if (srv.model && from in srv.model.definitions) return
+    if (from.startsWith(srv.namespace)) return
+    if (from.endsWith('_drafts')) return // REVISIT: rather fix test/fiori/localized-draft.test.js ?
+    else x[p] = `${srv.namespace}.${from}`
+  } else if (from.ref) {
+    const [head] = from.ref
+    head.id ? _ensure_fqn(head,'id',srv) : _ensure_fqn(from.ref,0,srv)
     if (x.where) for (let y of x.where) if (y.SELECT) _ensure_fqn(y.SELECT,'from',srv)
   }
 }

package/lib/utils/axios.js

@@ -44,6 +44,9 @@ const _error = (e) => {
   })
   const { code, message } = e.response && e.response.data && e.response.data.error || {}
   if (message) e.message = code && code !== 'null' ? `${code} - ${message}` : message
+  // Promote toJSON from prototype to own property to make it iterable
+  // eslint-disable-next-line no-self-assign
+  if (typeof jest !== 'undefined') e.toJSON = e.toJSON
   throw e
 }
 

package/lib/utils/cds-test.js

@@ -23,6 +23,9 @@ class Test extends require('./axios') {
 
     // launch cds server...
     before (`launching ${cmd} ${args.join(' ')}...`, async () => {
+      // cds.plugins is filling cds.env before cds serve -> profile must be parsed here
+      const profile = args.indexOf('--profile')
+      if (profile !== -1) process.env.CDS_ENV = [...process.env.CDS_ENV?.split(',') ?? [], ...args[profile+1].split(',')]
       await cds.plugins
       cds.once ('listening', ({server,url}) => {
         const axp = Reflect.getOwnPropertyDescriptor(this,'axios')

package/lib/utils/cds-utils.js

@@ -5,6 +5,8 @@ const ux = module.exports = exports = new class {
   get inflect() { return super.inflect = require('./inflect') }
   get inspect() { return super.inspect = require('util').inspect }
   get uuid() { return super.uuid = require('@sap/cds-foss').uuid }
+  get yaml() { return super.yaml = require('@sap/cds-foss').yaml }
+  get pool() { return super.pool = require('@sap/cds-foss').pool }
   get tar() { return super.tar = require('./tar') }
 }
 

package/libx/_runtime/auth/index.js

@@ -2,7 +2,8 @@ const cds = require('../cds')
 const LOG = cds.log()
 
 const _require = require('../common/utils/require')
-const { UNAUTHORIZED, FORBIDDEN, isRestricted } = require('./utils')
+const { containsAnyRestrictions } = require('../common/utils/restrictions')
+const { ODATA_UNAUTHORIZED } = require('../common/error/constants')
 
 let passport, logged
 
@@ -60,7 +61,7 @@ const _log = (req, challenges) => {
 const cap_auth_callback = (req, res, next, internalError, user, arg) => {
   // An internal error occurs during the authentication process
   if (internalError) {
-    return res.status(401).json({ error: UNAUTHORIZED }) // no details to client
+    return res.status(401).json({ error: ODATA_UNAUTHORIZED }) // no details to client
   }
 
   let challenges
@@ -106,10 +107,9 @@ const _mountMockAuth = (srv, app, strategy, config) => {
 
 const _mountPassportAuth = (srv, app, strategy, config) => {
   if (strategy in { jwt: 1, xsuaa: 1 } && !config.credentials) {
-    LOG._warn &&
-      LOG.warn(`Authentication kind "${config.kind}" configured, but no XSUAA instance bound to application.
-        This is NOT recommended in production!`)
-    return
+    let msg = `Authentication kind "${config.kind}" configured, but no XSUAA instance bound to application.`
+    msg += ' Either bind an XSUAA instance, or switch to an authentication kind that does not require a binding.'
+    throw new Error(msg)
   }
 
   if (!passport) passport = _require('passport')
@@ -140,11 +140,12 @@ module.exports = (srv, options = srv.options) => {
   // NOTE: options.auth is not an official API
   let config = 'auth' in options ? options.auth : cds.env.requires.auth
   if (!config) {
+    // REVISIT: can config be falsy? req.user would be undefined!
     if (cds.requires.db && cds.requires.multitenancy) {
       process.exitCode = 1 // REVISIT: why exitCode needed?
       throw new Error('Authentication required for multitenancy')
     }
-    if (isRestricted(srv)) {
+    if (containsAnyRestrictions(srv)) {
       process.exitCode = 1 // REVISIT: why exitCode needed?
       throw new Error('Authentication required for authorization checks')
     }
@@ -161,12 +162,6 @@ module.exports = (srv, options = srv.options) => {
   // mount authentication middleware or strategy
   if (!logged) LOG._debug && LOG.debug(`Using authentication`, { kind: config.kind })
 
-  // Security by default: set restrict_all_services if not disabled
-  // this is done dynamically to also cover custom auth impl
-  if (process.env.NODE_ENV === 'production' && config.restrict_all_services !== false) {
-    config.restrict_all_services = true
-  }
-
   if (config.impl) {
     // mount custom authentication middleware
     _mountCustomAuth(srv, app, config)
@@ -184,15 +179,6 @@ module.exports = (srv, options = srv.options) => {
     }
   }
 
-  // Security by default: enforce authenticated users in production if auth service bound
-  if (
-    cds.requires.multitenancy ||
-    (process.env.NODE_ENV === 'production' && config.credentials && config.restrict_all_services)
-  ) {
-    if (!logged) LOG._debug && LOG.debug(`Enforcing authenticated users for all services`)
-    app.use(cap_enforce_login)
-  }
-
   // so we don't log the same stuff multiple times
   logged = true
 
@@ -206,13 +192,3 @@ const _strategy4 = config => {
   process.exitCode = 1 // REVISIT: why exitCode needed?
   throw new Error(`Authentication kind "${config.kind}" is not supported`)
 }
-
-const cap_enforce_login = (req, res, next) => {
-  if (req.user && req.user.is('authenticated-user')) return next() // pass if user is authenticated
-  if (!req.user || req.user._is_anonymous) {
-    if (req.user && req.user._challenges) res.set('WWW-Authenticate', req.user._challenges.join(';'))
-    return res.status(401).json({ error: UNAUTHORIZED }) // no details to client
-  } else {
-    return res.status(403).json({ error: FORBIDDEN }) // no details to client
-  }
-}

package/libx/_runtime/auth/strategies/ias-auth.js

@@ -1,77 +1 @@
-const cds = require('../../../../lib')
-const _require = require('../../common/utils/require')
-// _require for better error message
-const express = _require('express')
-const passport = _require('passport')
-const { JWTStrategy } = _require('@sap/xssec')
-const LOG = cds.log('auth')
-
-const RESERVED_ATTRIBUTES = new Set([
-  'aud',
-  'azp',
-  'exp',
-  'ext_attr',
-  'iat',
-  'ias_iss',
-  'iss',
-  'jti',
-  'sub',
-  'user_uuid',
-  'zone_uuid',
-  'zid'
-])
-
-module.exports = function ias_auth(config) {
-  // warn if no credentials
-  if (!config.credentials) {
-    LOG._warn &&
-      LOG.warn(`
-       No IAS instance bound to application, but "${config.kind}" configured.
-       This is NOT recommended in production!
-       `)
-
-    return (req, res, next) => next()
-  }
-
-  passport.use('IAS', new JWTStrategy(config.credentials))
-  return express
-    .Router()
-    .use(passport.authenticate('IAS', { session: false, failWithError: true }))
-    .use((req, res, next) => {
-      // grant_type === client_credentials or x509
-      if (req.tokenInfo.getClientId() === req.tokenInfo.getSubject()) {
-        req.user = new cds.User({
-          id: 'system',
-          roles: ['authenticated-user'],
-          attr: {}
-        })
-        req.user._is_system = true
-      } else {
-        // add all unknown attributes to req.user.attr in order to keep public API small
-        const payload = req.tokenInfo.getPayload()
-        const attributes = Object.keys(payload)
-          .filter(k => !RESERVED_ATTRIBUTES.has(k))
-          .reduce((attrs, k) => {
-            attrs[k] = payload[k]
-            return attrs
-          }, {})
-
-        req.user = new cds.User({
-          id: req.user.id,
-          roles: ['authenticated-user'],
-          attr: attributes
-        })
-      }
-
-      req.tenant = req.tokenInfo.getZoneId()
-      next()
-    })
-    .use((err, req, res, _next) => {
-      if (req.tokenInfo) {
-        LOG?.debug('error during token validation', req.tokenInfo.getErrorObject())
-      }
-      // REVISIT: reject request immediately as our other auth strategies do
-      // should we call next(err)? -> I don't think so; it's not an error, is it?
-      res.status(401).json({ code: '401', message: 'Unauthorized' }) // REVISIT: this is OData style?
-    })
-}
+module.exports = require('../../../../lib/auth/ias-auth')

package/libx/_runtime/auth/strategies/mock.js

@@ -21,17 +21,6 @@ class MockStrategy {
     if (user.password && user.password !== password) return this.fail(CHALLENGE)
 
     const { features } = req.headers
-    // Only in the mock strategy the pseudo roles are kept in the role list.
-    // In all other cases pseudo roles are filtered out.
-    if (user.roles) {
-      if (Array.isArray(user.roles)) {
-        if (user.roles.includes('system-user')) user._is_system = true
-        if (user.roles.includes('internal-user')) user._is_internal = true
-      } else {
-        if ('system-user' in user.roles) user._is_system = true
-        if ('internal-user' in user.roles) user._is_internal = true
-      }
-    }
     this.success(new cds.User(features ? { ...user, features } : user))
   }
 }
@@ -55,7 +44,7 @@ const _init_users = (users, tenants = {}) => {
           Array.isArray(user.roles) ? user.roles.push(...scopes) : (user.roles = scopes)
         }
         if (user.jwt.grant_type === 'client_credentials' || user.jwt.grant_type === 'client_x509') {
-          user._is_system = true
+          Array.isArray(user.roles) ? user.roles.push('system-user') : (user.roles = ['system-user'])
         }
         if (!user.tenant && user.jwt.zid) user.tenant = user.jwt.zid
       }

package/libx/_runtime/auth/strategies/xssecUtils.js

@@ -11,8 +11,8 @@ const addRolesFromGrantType = (user, info, credentials) => {
     // > not "weak"
     user.roles['authenticated-user'] = true
     if (grantType in CLIENT) {
-      user._is_system = true
-      if (info.getClientId() === credentials.clientid) user._is_internal = true
+      user.roles['system-user'] = true
+      if (info.getClientId() === credentials.clientid) user.roles['internal-user'] = true
     }
   }
 }

package/libx/_runtime/cds-services/adapter/odata-v4/ODataRequest.js

@@ -90,6 +90,7 @@ class ODataRequest extends cds.Request {
       // REVISIT needed in case of $batch, replace after removing okra
       const method = odataReq.getIncomingRequest().method
       const { user } = req
+      const tenant = req.tenant || user?.tenant
       const info = metaInfo(query, type, service, data, req, upsert)
       const { event, unbound } = info
       if (event === 'READ') {
@@ -98,7 +99,8 @@ class ODataRequest extends cds.Request {
         if (!isStreaming(segments)) handleStreamProperties(target, query, service.model, true)
       }
       const _queryOptions = odataReq.getQueryOptions()
-      super({ event, target, data, query: unbound ? {} : query, user, method, headers, req, res, _queryOptions })
+      // prettier-ignore
+      super({ event, target, data, query: unbound ? {} : query, user, tenant, method, headers, req, res, _queryOptions })
       this._metaInfo = info.metadata
     } else {
       /*

package/libx/_runtime/cds-services/adapter/odata-v4/handlers/request.js

@@ -1,11 +1,13 @@
 const cds = require('../../../../cds')
 
-const { UNAUTHORIZED, FORBIDDEN, getRequiresAsArray, isRestricted } = require('../../../../auth/utils')
+const { containsAnyRestrictions, getAccessRestrictions } = require('../../../../common/utils/restrictions')
+const { ODATA_UNAUTHORIZED, ODATA_FORBIDDEN } = require('../../../../common/error/constants')
 
 module.exports = srv => {
-  const requires = getRequiresAsArray(srv.definition)
-  const restricted = isRestricted(srv)
+  const containsRestrictions = containsAnyRestrictions(srv)
+  const accessRestrictions = getAccessRestrictions(srv)
 
+  // eslint-disable-next-line complexity
   return function ODataRequestHandler(odataReq, odataRes, next) {
     const req = odataReq.getBatchApplicationData()
       ? odataReq.getBatchApplicationData().req
@@ -24,23 +26,23 @@ module.exports = srv => {
     }
 
     // in case of $batch we need to challenge directly, as the header is not processed if in $batch response body
-    if (restricted && path.endsWith('/$batch') && req.user._is_anonymous) {
+    if (containsRestrictions && path.endsWith('/$batch') && req.user._is_anonymous) {
       // NOTE: "return req._login()" would not invoke custom error handlers
       if (req._login) res.set('WWW-Authenticate', `Basic realm="Users"`)
       else if (user._challenges) res.set('WWW-Authenticate', user._challenges.join(';'))
-      return next(UNAUTHORIZED)
+      return next(ODATA_UNAUTHORIZED)
     }
 
-    // check @requires as soon as possible (DoS)
-    if (requires && !requires.some(r => user.is(r))) {
+    // check @restrict and @requires as soon as possible (DoS)
+    if (!accessRestrictions.some(r => user.is(r))) {
       // > unauthorized or forbidden?
       if (req.user._is_anonymous) {
         // NOTE: "return req._login()" would not invoke custom error handlers
         if (req._login) res.set('WWW-Authenticate', `Basic realm="Users"`)
         else if (user._challenges) res.set('WWW-Authenticate', user._challenges.join(';'))
-        return next(UNAUTHORIZED)
+        return next(ODATA_UNAUTHORIZED)
       }
-      return next(FORBIDDEN)
+      return next(ODATA_FORBIDDEN)
     }
 
     /*