@sap/cds 7.1.1 → 7.2.0

package/libx/_runtime/cds-services/adapter/odata-v4/odata-to-cqn/ExpressionToCQN.js

@@ -1,3 +1,5 @@
+const cds = require('../../../../cds')
+
 const odata = require('../okra/odata-server')
 const ExpressionKind = odata.uri.Expression.ExpressionKind
 const BinaryOperatorKind = odata.uri.BinaryExpression.OperatorKind
@@ -41,7 +43,10 @@ class ExpressionToCQN {
       case EdmPrimitiveTypeKind.Int16:
       case EdmPrimitiveTypeKind.Int32:
         return { val: parseInt(value) }
+      case EdmPrimitiveTypeKind.Int64:
+        return { val: value.toString() }
       case EdmPrimitiveTypeKind.Decimal:
+        return cds.env.features.compat_decimal ? { val: parseFloat(value) } : { val: value.toString() }
       case EdmPrimitiveTypeKind.Single:
       case EdmPrimitiveTypeKind.Double:
         return { val: parseFloat(value) }

package/libx/_runtime/cds-services/adapter/odata-v4/odata-to-cqn/applyToCQN.js

@@ -225,8 +225,11 @@ const applyToCQN = (transformations, entity, model) => {
       case TransformationKind.BOTTOM_TOP:
         _addBottomTopTransformation(transformation, res)
         break
-      default:
-        throw getFeatureNotSupportedError(`Transformation "${transformation.getKind()}" with query option $apply`)
+      default: {
+        const numericKind = transformation.getKind()
+        const stringKind = Object.entries(TransformationKind).find(([_, v]) => v === numericKind)?.[0]
+        throw getFeatureNotSupportedError(`Transformation "${stringKind || numericKind}" with query option $apply`)
+      }
     }
   }
 

package/libx/_runtime/cds-services/adapter/odata-v4/okra/odata-commons/uri/UriParser.js

@@ -175,6 +175,10 @@ class UriParser {
    * @param {UriInfo} uriInfo the result of parsing
    */
   parseQueryOptions (queryOptions, uriInfo) {
+    // EXPERIMENTAL FEATURE FLAGS!
+    const { okra_skip_query_options, odata_new_parser } = global.cds.env.features
+    if (okra_skip_query_options && odata_new_parser) return
+
     const lastSegment = uriInfo.getLastSegment()
     const crossjoinEntitySets = lastSegment.getCrossjoinEntitySets()
     const aliases = uriInfo.getAliases()

package/libx/_runtime/cds-services/services/utils/compareJson.js

@@ -133,11 +133,6 @@ const _addToBeDeletedEntriesToResult = (results, entity, keys, newValues, oldVal
 
 const _normalizeToArray = value => (Array.isArray(value) ? value : value === null ? [] : [value])
 
-const _addKeysToEntryIfNotExists = (keys, newEntry) => {
-  if (!newEntry) return
-  for (const key of keys) if (!(key in newEntry)) newEntry[key] = undefined
-}
-
 const _isUnManaged = element => {
   return element.on && !element._isSelfManaged
 }
@@ -207,11 +202,7 @@ const compareJsonDeep = (entity, newValue = [], oldValue = [], opts) => {
   for (const newEntry of newValues) {
     const result = {}
     const oldEntry = _getCorrespondingEntryWithSameKeys(oldValues, newEntry, keys)
-
-    _addKeysToEntryIfNotExists(keys, newEntry)
-
     _iteratePropsInNewEntry(newEntry, keys, result, oldEntry, entity, opts)
-
     resultsArray.push(result)
   }
 

package/libx/_runtime/cds-services/services/utils/differ.js

@@ -37,16 +37,14 @@ module.exports = class Differ {
     return columns
   }
 
-  _diffDelete(req) {
+  async _diffDelete(req) {
     const { DELETE } = cds.env.fiori.lean_draft ? req.query : (req._ && req._.query) || req.query
     const target = DELETE._transitions?.[DELETE._transitions.length - 1]?.target || req.target
     const query = SELECT.from(DELETE.from).columns(this._createSelectColumnsForDelete(target))
     if (DELETE.where) query.where(DELETE.where)
-
-    return cds
-      .tx(req)
-      .run(query)
-      .then(dbState => compareJson(undefined, dbState, req.target, { ignoreDraftColumns: true }))
+    const dbState = await cds.tx(req).run(query)
+    const diff = compareJson(undefined, dbState, req.target, { ignoreDraftColumns: true })
+    return diff
   }
 
   async _addPartialPersistentState(req) {
@@ -62,7 +60,8 @@ module.exports = class Differ {
     enrichDataWithKeysFromWhere(combinedData, req, this._srv)
     const lastTransition = newQuery.UPDATE._transitions[newQuery.UPDATE._transitions.length - 1]
     const revertedPersistent = revertData(req._.partialPersistentState, lastTransition, this._srv)
-    return compareJson(combinedData, revertedPersistent, req.target, { ignoreDraftColumns: true })
+    const diff = compareJson(combinedData, revertedPersistent, req.target, { ignoreDraftColumns: true })
+    return diff
   }
 
   async _diffPatch(req, providedData) {
@@ -87,10 +86,9 @@ module.exports = class Differ {
       providedData || (req.query.INSERT.entries && req.query.INSERT.entries.length === 1)
         ? req.query.INSERT.entries[0]
         : req.query.INSERT.entries
-
     enrichDataWithKeysFromWhere(originalData, req, this._srv)
-
-    return compareJson(originalData, undefined, req.target, { ignoreDraftColumns: true })
+    const diff = compareJson(originalData, undefined, req.target, { ignoreDraftColumns: true })
+    return diff
   }
 
   async calculate(req, providedData) {

package/libx/_runtime/common/composition/data.js

@@ -29,6 +29,7 @@ const _isSameEntityInWhere = (where, target, persistentObj) => {
     const key = where[i].ref
     const val = where[i + 2].val
     const sign = where[i + 1]
+
     // eslint-disable-next-line
     if (target.elements[key].key && key in persistentObj && sign === '=' && val !== persistentObj[key]) {
       return false
@@ -133,7 +134,7 @@ const _subData = (data, prop) =>
   data.reduce((result, entry) => {
     if (prop in entry) {
       const elementValue = ctUtils.val(entry[prop])
-      result.push(...ctUtils.array(elementValue))
+      for (const val of ctUtils.array(elementValue)) result.push(val)
     }
     return result
   }, [])
@@ -196,7 +197,8 @@ const _mergeResults = (result, selectData, root, model, compositionTree, entityN
       if (newData[0]) selectEntry[compositionTree.name] = Object.assign(selectEntry[compositionTree.name], newData[0])
       else selectEntry[compositionTree.name] = null
     } else if (assoc.is2many) {
-      selectEntry[compositionTree.name].push(...newData)
+      const entry = selectEntry[compositionTree.name]
+      for (const val of newData) entry.push(val)
     }
 
     return selectEntry
@@ -254,6 +256,7 @@ const _select = ({
 const _selectDeepUpdateData = async args => {
   const { model, compositionTree, entityName, data, root, selectData, tx, selectAllColumns, where, parentKeys } = args
   let result = []
+
   if (!where && parentKeys && parentKeys.length && Object.keys(parentKeys[0]).length) {
     const keys0 = Object.keys(parentKeys[0])
     const keys = { list: keys0.map(pk => ({ ref: [pk] })) }
@@ -263,13 +266,13 @@ const _selectDeepUpdateData = async args => {
       }
       const _args = { ...args, where: [keys, 'in', values], parentKeys: undefined }
       const selectCQN = _select(_args)
-      result.push(...(await tx.run(selectCQN)))
+      result = result.concat(await tx.run(selectCQN))
     }
   } else if (where && !Array.isArray(where)) {
     for (let w of Object.values(where)) {
       const _args = { ...args, where: w }
       const selectCQN = _select(_args)
-      result.push(...(await tx.run(selectCQN)))
+      result = result.concat(await tx.run(selectCQN))
     }
   } else {
     const selectCQN = _select(args)
@@ -295,9 +298,7 @@ const _selectDeepUpdateData = async args => {
         root: false
       }
 
-      // REVISIT: remove null elements
-      subs.data = subs.data.filter(d => d)
-
+      subs.data = subs.data.filter(d => d) // REVISIT: remove null elements
       return _selectDeepUpdateData({ ...args, ...subs })
     })
   )
@@ -309,6 +310,7 @@ const _selectDeepUpdateData = async args => {
 const _resolveOrderBy = (orderBy, transitions) => {
   // no resolved entity found
   if (!transitions?.length) return
+
   // if there are no renamed fields, no need to resolve
   if (!transitions[0].mapping.size) return
   if (orderBy) orderBy.map(el => (el.ref[0] = transitions[0].mapping.get(el.ref[0]).ref[0]))
@@ -320,6 +322,7 @@ const _resolveOrderBy = (orderBy, transitions) => {
 
 const selectDeepUpdateData = (service, model, req, selectAllColumns = false) => {
   const query = req.query
+
   // REVISIT this should be done somewhere before, so it is not done twice for deep updates
   const sqlQuery = cqn2cqn4sql(query, model)
 

package/libx/_runtime/common/composition/insert.js

@@ -17,9 +17,8 @@ function _hasCompOrAssoc(entity, k) {
 
 const _addSubDeepInsertCQN = (model, compositionTree, data, cqns, draft) => {
   compositionTree.compositionElements.forEach(element => {
-    if (element.skipPersistence) {
-      return
-    }
+    if (element.skipPersistence) return
+
     // element source must be changed in comp tree
     const subEntity = model.definitions[element.source]
     const into = ctUtils.addDraftSuffix(draft, subEntity.name)
@@ -32,20 +31,25 @@ const _addSubDeepInsertCQN = (model, compositionTree, data, cqns, draft) => {
           const subData = ctUtils.array(elementValue).filter(ele => Object.keys(ele).length > 0)
           if (subData.length > 0) {
             // REVISIT: this can make problems
-            insertCQN.INSERT.entries.push(...ctUtils.cleanDeepData(subEntity, subData))
-            result.push(...subData)
+            const entries = insertCQN.INSERT.entries
+            for (const data of ctUtils.cleanDeepData(subEntity, subData)) entries.push(data)
+            for (const data of subData) result.push(data)
           }
         }
       }
+
       return result
     }, [])
+
     if (insertCQN.INSERT.entries.length > 0) {
       cqns.push(insertCQN)
     }
+
     if (subData.length > 0) {
       _addSubDeepInsertCQN(model, element, subData, cqns, draft)
     }
   })
+
   return cqns
 }
 

package/libx/_runtime/common/composition/update.js

@@ -1,13 +1,10 @@
 const cds = require('../../cds')
-
 const { getCompositionTree } = require('./tree')
 const { getDeepInsertCQNs } = require('./insert')
 const { getDeepDeleteCQNs } = require('./delete')
 const ctUtils = require('./utils')
-
 const { ensureNoDraftsSuffix } = require('../utils/draft')
 const { deepCopyObject } = require('../utils/copy')
-
 const getError = require('../../common/error')
 const { getEntityNameFromUpdateCQN } = require('../utils/cqn')
 
@@ -31,28 +28,35 @@ const _serializedKey = (entity, data) => {
 
 const _dataByKey = (entity, data) => {
   const dataByKey = new Map()
+
   for (const entry of data) {
     dataByKey.set(_serializedKey(entity, entry), entry)
   }
+
   return dataByKey
 }
 
 function _addSubDeepUpdateCQNForDelete({ entity, data, selectData, entityName, deleteCQNs }) {
   const dataByKey = _dataByKey(entity, data)
+
   if (selectData.length && selectData[0] && Object.keys(selectData[0]).length) {
     for (let j = 0; j < selectData.length; j += CHUNK_SIZE) {
       const deleteCQN = { DELETE: { from: entityName, where: [] } }
+
       for (let i = j; i < j + CHUNK_SIZE && i < selectData.length; i++) {
         const selectEntry = selectData[i]
         if (!selectEntry) continue
+
         const dataEntry = dataByKey.get(_serializedKey(entity, selectEntry))
         if (!dataEntry) {
           if (deleteCQN.DELETE.where.length > 0) {
             deleteCQN.DELETE.where.push('or')
           }
+
           deleteCQN.DELETE.where.push({ xpr: [...ctUtils.whereKey(ctUtils.key(entity, selectEntry))] })
         }
       }
+
       if (deleteCQN.DELETE.where.length) deleteCQNs.push(deleteCQN)
     }
   }
@@ -63,6 +67,7 @@ const _unwrapVal = obj => {
     const value = obj[key]
     if (value && value.val) obj[key] = value.val
   }
+
   return obj
 }
 
@@ -120,6 +125,7 @@ const _diffData = (newData, oldData, entity, newEntry, oldEntry, model) => {
 function _addSubDeepUpdateCQNForUpdateInsert({ entity, entityName, data, selectData, updateCQNs, insertCQN, model }) {
   const selectDataByKey = _dataByKey(entity, selectData)
   const deepUpdateData = []
+
   for (const entry of data) {
     if (entry === null) continue
 
@@ -138,26 +144,27 @@ function _addSubDeepUpdateCQNForUpdateInsert({ entity, entityName, data, selectD
       // inserts are handled deep so they must not be put into deepUpdateData
     }
   }
+
   return deepUpdateData
 }
 
 async function _addSubDeepUpdateCQNCollect(model, cqns, updateCQNs, insertCQN, deleteCQNs, req) {
   if (updateCQNs.length > 0) {
     cqns[0] = cqns[0] || []
-    cqns[0].push(...updateCQNs)
+    const cqn = cqns[0]
+    for (const updateCQN of updateCQNs) cqn.push(updateCQN)
   }
 
   if (insertCQN.INSERT.entries.length > 0) {
     cqns[0] = cqns[0] || []
     const deepInsertCQNs = getDeepInsertCQNs(model, insertCQN)
     deepInsertCQNs.forEach(insertCQN => {
-      const intoCQN = cqns[0].find(cqn => {
-        return cqn.INSERT && cqn.INSERT.into === insertCQN.INSERT.into
-      })
+      const intoCQN = cqns[0].find(cqn => cqn.INSERT?.into === insertCQN.INSERT.into)
       if (!intoCQN) {
         cqns[0].push(insertCQN)
       } else {
-        intoCQN.INSERT.entries.push(...insertCQN.INSERT.entries)
+        const intoCQNEntries = intoCQN.INSERT.entries
+        for (const entry of insertCQN.INSERT.entries) intoCQNEntries.push(entry)
       }
     })
   }
@@ -182,7 +189,7 @@ const _addToData = (subData, entity, element, entry) => {
   const value = ctUtils.val(entry[element.name])
   const subDataEntries = ctUtils.array(value)
   const unwrappedSubData = subDataEntries.map(entry => _unwrapIfNotArray(entry))
-  subData.push(...unwrappedSubData)
+  for (const val of unwrappedSubData) subData.push(val)
 }
 
 async function _addSubDeepUpdateCQNRecursion({ model, compositionTree, entity, data, selectData, cqns, draft, req }) {
@@ -200,6 +207,7 @@ async function _addSubDeepUpdateCQNRecursion({ model, compositionTree, entity, d
           if (selectEntry[element.name] === null && entry[element.name] === null) {
             continue
           }
+
           _addToData(selectSubData, entity, element, selectEntry)
         }
 
@@ -244,7 +252,6 @@ const _addSubDeepUpdateCQN = async ({ model, compositionTree, data, selectData,
   })
 
   await _addSubDeepUpdateCQNCollect(model, cqns, updateCQNs, insertCQN, deleteCQNs, req)
-
   if (deepUpdateData.length === 0) return Promise.resolve()
 
   return _addSubDeepUpdateCQNRecursion({
@@ -280,7 +287,6 @@ const hasDeepUpdate = (model, cqn) => {
 const getDeepUpdateCQNs = async (model, req, selectData) => {
   const { query } = req
   if (!Array.isArray(selectData)) selectData = [selectData]
-
   if (selectData.length === 0) return []
   if (selectData.length > 1) throw getError('Deep update can only be performed on a single instance')
 
@@ -310,7 +316,7 @@ const getDeepUpdateCQNs = async (model, req, selectData) => {
   })
   subCQNs.forEach((subCQNs, index) => {
     cqns[index] = cqns[index] || []
-    cqns[index].push(...subCQNs)
+    for (const cqn of subCQNs) cqns[index].push(cqn)
   })
 
   // remove empty updates and inserts

package/libx/_runtime/common/error/constants.js

@@ -11,5 +11,10 @@ module.exports = {
   DEFAULT_SEVERITY: 2,
   MIN_SEVERITY: 1,
   MAX_SEVERITY: 4,
-  MULTIPLE_ERRORS: 'MULTIPLE_ERRORS'
+  MULTIPLE_ERRORS: 'MULTIPLE_ERRORS',
+  /*
+   * OData
+   */
+  ODATA_UNAUTHORIZED: { statusCode: 401, code: '401', message: 'Unauthorized' },
+  ODATA_FORBIDDEN: { statusCode: 403, code: '403', message: 'Forbidden' }
 }

package/libx/_runtime/common/generic/auth/requires.js

@@ -1,7 +1,12 @@
 const { reject, getRejectReason, getAuthRelevantEntity } = require('./utils')
 const { CRUD_EVENTS } = require('./constants')
 
-const { getRequiresAsArray } = require('../../../auth/utils')
+const _getRequiresAsArray = definition =>
+  definition['@requires']
+    ? Array.isArray(definition['@requires'])
+      ? definition['@requires']
+      : [definition['@requires']]
+    : false
 
 function handler(req) {
   if (req.user._is_privileged) {
@@ -13,7 +18,7 @@ function handler(req) {
   if (req.event in CRUD_EVENTS) {
     // > CRUD
     definition = getAuthRelevantEntity(req, this.model, ['@requires', '@restrict'])
-  } else if (req.target && req.target.actions) {
+  } else if (req.target?.actions) {
     // > bound
     definition = req.target.actions[req.event]
   } else {
@@ -23,7 +28,10 @@ function handler(req) {
 
   if (!definition) return
 
-  const requires = getRequiresAsArray(definition)
+  // also check target entity for bound operations
+  const requires =
+    _getRequiresAsArray(definition) ||
+    (['action', 'function'].includes(definition.kind) && req.target && _getRequiresAsArray(req.target))
   if (!requires || requires.some(role => req.user.is(role))) return
 
   reject(req, getRejectReason(req, '@requires', definition))

package/libx/_runtime/common/generic/auth/restrict.js

@@ -37,11 +37,9 @@ const _getResolvedApplicables = (applicables, req) => {
   return resolvedApplicables
 }
 
-const _isStaticAuth = resolvedApplicables => {
-  return (
-    resolvedApplicables.length === 1 &&
-    resolvedApplicables[0]._xpr.length === 3 &&
-    resolvedApplicables[0]._xpr.every(ele => typeof ele !== 'object' || ele.val)
+const _getStaticAuthRestrictions = resolvedApplicables => {
+  return resolvedApplicables.filter(
+    resolved => resolved && resolved._xpr.length === 3 && resolved._xpr.every(ele => typeof ele !== 'object' || ele.val)
   )
 }
 
@@ -68,14 +66,14 @@ const _evalStatic = (op, vals) => {
   }
 }
 
-const _handleStaticAuth = (resolvedApplicables, req) => {
-  const op = resolvedApplicables[0]._xpr.find(ele => typeof ele === 'string')
-  const vals = resolvedApplicables[0]._xpr.filter(ele => typeof ele === 'object' && ele.val).map(ele => ele.val)
-
-  if (_evalStatic(op, vals)) {
-    // static clause grants access => done
-    return
-  }
+const _handleStaticAuthRestrictions = (resolvedApplicables, req) => {
+  const isAllowed = resolvedApplicables.some(restriction => {
+    const op = restriction._xpr.find(ele => typeof ele === 'string')
+    const vals = restriction._xpr.filter(ele => typeof ele === 'object' && ele.val).map(ele => ele.val)
+    return _evalStatic(op, vals)
+  })
+  // static clause grants access => done
+  if (isAllowed) return
 
   // static clause forbids access => forbidden
   return reject(req)
@@ -121,7 +119,7 @@ const _addWheresToRef = (ref, model, resolvedApplicables) => {
         newIdentifier.where = [{ xpr: newIdentifier.where }, 'and']
       }
 
-      newIdentifier.where.push(..._getMergedWhere(applicablesForEntity))
+      for (const val of _getMergedWhere(applicablesForEntity)) newIdentifier.where.push(val)
     }
 
     newRef.push(newIdentifier)
@@ -224,8 +222,15 @@ async function handler(req) {
     return
   }
 
+  // READ UPDATE DELETE on draft enabled entities are unrestricted, because only the owner can access them
+  const draftUnRestrictedEvents = ['READ', 'UPDATE', 'DELETE', 'CREATE']
+  if (definition.isDraft && draftUnRestrictedEvents.includes(req.event)) {
+    return
+  }
+
   let restrictions = this.getRestrictions.call(this, definition, req.event, req.user)
   if (restrictions instanceof Promise) restrictions = await restrictions
+
   if (!restrictions) {
     // > unrestricted
     return
@@ -243,8 +248,9 @@ async function handler(req) {
   const resolvedApplicables = _getResolvedApplicables(restrictions, req)
 
   // REVISIT: support more complex statics
-  if (_isStaticAuth(resolvedApplicables)) {
-    return _handleStaticAuth(resolvedApplicables, req)
+  const staticAuthRestriction = _getStaticAuthRestrictions(resolvedApplicables)
+  if (staticAuthRestriction.length > 0) {
+    return _handleStaticAuthRestrictions(staticAuthRestriction, req)
   }
 
   if (req.event === 'READ') {

package/libx/_runtime/common/generic/auth/restrictions.js

@@ -1,5 +1,6 @@
 const WRITE_EVENTS = { CREATE: 1, NEW: 1, UPDATE: 1, PATCH: 1, DELETE: 1, CANCEL: 1, EDIT: 1 }
 const CRUD = Object.assign({ READ: 1 }, WRITE_EVENTS)
+const cds = require('../../../cds')
 
 /**
  * Returns the applicable restrictions for the current request as follows:
@@ -109,12 +110,14 @@ const getNormalizedRestrictions = (definition, definitions) => {
   return isRestricted ? restricts : null
 }
 
-const _isGrantAccessAllowed = (eventName, restrict) => restrict.grant === '*' || restrict.grant === eventName
+const _isGrantAccessAllowed = (eventName, restrict) =>
+  restrict.grant === '*' || (eventName === 'EDIT' && restrict.grant === 'UPDATE') || restrict.grant === eventName
+
 const _isToAccessAllowed = (user, restrict) => restrict.to.some(role => user.is(role))
 
 const getApplicableRestrictions = (restrictions, event, user) => {
   return restrictions.filter(restrict => {
-    const eventName = { NEW: 'CREATE', EDIT: 'UPDATE' }[event] || event
+    const eventName = cds.env.fiori.lean_draft ? event : { NEW: 'CREATE' }[event] || event
     return _isGrantAccessAllowed(eventName, restrict) && _isToAccessAllowed(user, restrict)
   })
 }

package/libx/_runtime/common/generic/crud.js

@@ -14,6 +14,12 @@ const _targetEntityDoesNotExist = async req => {
 exports.impl = cds.service.impl(function () {
   // eslint-disable-next-line complexity
   this.on(['CREATE', 'READ', 'UPDATE', 'DELETE', 'UPSERT'], '*', async function (req) {
+    if (!req.query) {
+      throw getError({
+        code: 501,
+        message: 'The request has no query and cannot be served generically.'
+      })
+    }
     if (typeof req.query !== 'string' && req.target && req.target._hasPersistenceSkip) {
       throw getError({
         code: 501,

package/libx/_runtime/common/generic/paging.js

@@ -10,7 +10,8 @@ const MAX = cds.env.query?.limit?.max || 1000
 const _cached = Symbol('@cds.query.limit')
 
 const getPageSize = def => {
-  if (_cached in def) return def[_cached]
+  // do not look at prototypes re cached settings
+  if (Object.hasOwn(def, _cached)) return def[_cached]
   let max = def['@cds.query.limit.max'] ?? def._service?.['@cds.query.limit.max'] ?? MAX
   let _default =
     def['@cds.query.limit.default'] ??

package/libx/_runtime/common/utils/cqn2cqn4sql.js

@@ -3,7 +3,6 @@
 const cds = require('../../cds')
 const { SELECT, INSERT, DELETE, UPDATE } = cds.ql
 const Query = require('../../../../lib/ql/Query')
-
 const { resolveView } = require('./resolveView')
 const { ensureNoDraftsSuffix, getDraftColumnsCQNForDraft, ensureDraftsSuffix } = require('./draft')
 const { flattenStructuredSelect, OPERATIONS_MAP } = require('./structured')
@@ -807,8 +806,7 @@ const _convertSelect = (query, model, _options) => {
       const cols = getColumns(target, { onlyNames: true, filterVirtual: true })
       query.columns(cols)
       if (target._isDraftEnabled && query._target._unresolved) {
-        query.SELECT.columns.push(...getDraftColumnsCQNForDraft(target))
-        query.SELECT.columns.push({ ref: ['DraftAdministrativeData_DraftUUID'] })
+        query.SELECT.columns.push(...getDraftColumnsCQNForDraft(target), { ref: ['DraftAdministrativeData_DraftUUID'] })
       }
     }
   }
@@ -822,7 +820,8 @@ const _convertUpsert = (query, model) => {
 
   const target = model.definitions[resolvedIntoClause]
   if (!target) {
-    // if there is no target, just return original query, as a copy is not deep anyways and all the sub items of query.UPSERT are referenced only anyways
+    // if there is no target, just return original query, as a copy is not deep anyways
+    // and all the sub items of query.UPSERT are referenced only anyways
     return query
   }
 
@@ -867,7 +866,6 @@ const _convertInsert = (query, model) => {
 
   const target = model.definitions[resolvedIntoClause]
   if (!target) return insert
-
   return resolveView(insert, model, cds.db)
 }
 

package/libx/_runtime/common/utils/resolveView.js

@@ -246,7 +246,8 @@ const _newWhereRef = (newWhereElement, transition, alias, tableName, isSubSelect
     if (mapped) newRef[1] = mapped.ref[0]
   } else {
     const mapped = transition.mapping.get(newRef[0])
-    if (isSubSelect && mapped) {
+    if (isSubSelect && mapped && newRef.length === 1) {
+      // Add a table alias prefix only for not-yet-qualified refs
       newRef.unshift(transition.target.name)
       newRef[1] = mapped.ref[0]
     } else {
@@ -734,6 +735,7 @@ const resolveView = (query, model, service) => {
   // restore logger and clear _event
   LOG = _LOG
   _event = undefined
+
   return newQuery
 }
 

package/libx/_runtime/common/utils/restrictions.js

@@ -0,0 +1,47 @@
+const cds = require('../../cds')
+
+const containsAnyRestrictions = srv => {
+  const accessRestrictions = getAccessRestrictions(srv)
+  if (accessRestrictions.length > 1 || accessRestrictions[0] !== 'any') return true
+
+  const entities = srv.entities
+  const entitiesKeys = Object.keys(entities)
+
+  return !!(
+    entitiesKeys.some(entity => entities[entity]['@requires'] || entities[entity]['@restrict']) ||
+    entitiesKeys.some(entity => {
+      const actions = entities[entity].actions
+      actions && Object.keys(actions).some(action => actions[action]['@requires'] || actions[action]['@restrict'])
+    }) ||
+    Object.keys(srv.operations).some(
+      operation => srv.operations[operation]['@requires'] || srv.operations[operation]['@restrict']
+    )
+  )
+}
+
+const getAccessRestrictions = srv => {
+  let restrictions = srv.definition['@restrict'] || srv.definition['@requires']
+  if (restrictions) {
+    if (typeof restrictions === 'string') restrictions = [restrictions]
+    else
+      restrictions = restrictions
+        .map(r => (typeof r === 'string' ? r : r.to))
+        .reduce((acc, cur) => {
+          Array.isArray(cur) ? acc.push(...cur) : acc.push(cur)
+          return acc
+        }, [])
+  } else {
+    const { restrict_all_services } = cds.env.requires.auth
+    const in_prod = process.env.NODE_ENV === 'production'
+    // REVISIT: cleanup during streamlined auth
+    const is_mocked_auth = cds.env.requires.auth._kind === 'mocked'
+    if (restrict_all_services === false || !in_prod || is_mocked_auth) restrictions = ['any']
+    else restrictions = ['authenticated-user']
+  }
+  return restrictions
+}
+
+module.exports = {
+  containsAnyRestrictions,
+  getAccessRestrictions
+}

package/libx/_runtime/db/data-conversion/post-processing.js

@@ -132,9 +132,9 @@ const _getMapperForListedElements = (conversionMap, csn, cqn) => {
  * @returns {Map<any, any>}
  * @private
  */
-const getPostProcessMapper = (conversionMap, csn = {}, cqn = {}) => {
-  // No mapper defined or irrelevant as no READ request
-  if (!Object.prototype.hasOwnProperty.call(cqn, 'SELECT')) {
+const getPostProcessMapper = (conversionMap, csn, cqn) => {
+  // No mapper defined or irrelevant as no CSN, CQN or READ request
+  if (!csn || !cqn || !Object.prototype.hasOwnProperty.call(cqn, 'SELECT')) {
     return new Map()
   }
 

package/libx/_runtime/db/generic/input.js

@@ -138,7 +138,7 @@ const _pickCRUD = element => {
     categories.push('!default')
   }
 
-  if (element.default && !DRAFT_COLUMNS_MAP[element.name]) {
+  if (element.default && !DRAFT_COLUMNS_MAP[element.name] && !element.isAssociation) {
     categories.push({ category: 'default', args: element })
   }