@sap/cds 7.1.2 → 7.2.0

package/libx/_runtime/cds-services/adapter/odata-v4/okra/odata-commons/uri/UriParser.js

@@ -175,6 +175,10 @@ class UriParser {
    * @param {UriInfo} uriInfo the result of parsing
    */
   parseQueryOptions (queryOptions, uriInfo) {
+    // EXPERIMENTAL FEATURE FLAGS!
+    const { okra_skip_query_options, odata_new_parser } = global.cds.env.features
+    if (okra_skip_query_options && odata_new_parser) return
+
     const lastSegment = uriInfo.getLastSegment()
     const crossjoinEntitySets = lastSegment.getCrossjoinEntitySets()
     const aliases = uriInfo.getAliases()

package/libx/_runtime/common/composition/data.js

@@ -29,6 +29,7 @@ const _isSameEntityInWhere = (where, target, persistentObj) => {
     const key = where[i].ref
     const val = where[i + 2].val
     const sign = where[i + 1]
+
     // eslint-disable-next-line
     if (target.elements[key].key && key in persistentObj && sign === '=' && val !== persistentObj[key]) {
       return false
@@ -255,6 +256,7 @@ const _select = ({
 const _selectDeepUpdateData = async args => {
   const { model, compositionTree, entityName, data, root, selectData, tx, selectAllColumns, where, parentKeys } = args
   let result = []
+
   if (!where && parentKeys && parentKeys.length && Object.keys(parentKeys[0]).length) {
     const keys0 = Object.keys(parentKeys[0])
     const keys = { list: keys0.map(pk => ({ ref: [pk] })) }
@@ -296,9 +298,7 @@ const _selectDeepUpdateData = async args => {
         root: false
       }
 
-      // REVISIT: remove null elements
-      subs.data = subs.data.filter(d => d)
-
+      subs.data = subs.data.filter(d => d) // REVISIT: remove null elements
       return _selectDeepUpdateData({ ...args, ...subs })
     })
   )
@@ -310,6 +310,7 @@ const _selectDeepUpdateData = async args => {
 const _resolveOrderBy = (orderBy, transitions) => {
   // no resolved entity found
   if (!transitions?.length) return
+
   // if there are no renamed fields, no need to resolve
   if (!transitions[0].mapping.size) return
   if (orderBy) orderBy.map(el => (el.ref[0] = transitions[0].mapping.get(el.ref[0]).ref[0]))
@@ -321,6 +322,7 @@ const _resolveOrderBy = (orderBy, transitions) => {
 
 const selectDeepUpdateData = (service, model, req, selectAllColumns = false) => {
   const query = req.query
+
   // REVISIT this should be done somewhere before, so it is not done twice for deep updates
   const sqlQuery = cqn2cqn4sql(query, model)
 

package/libx/_runtime/common/composition/insert.js

@@ -17,9 +17,8 @@ function _hasCompOrAssoc(entity, k) {
 
 const _addSubDeepInsertCQN = (model, compositionTree, data, cqns, draft) => {
   compositionTree.compositionElements.forEach(element => {
-    if (element.skipPersistence) {
-      return
-    }
+    if (element.skipPersistence) return
+
     // element source must be changed in comp tree
     const subEntity = model.definitions[element.source]
     const into = ctUtils.addDraftSuffix(draft, subEntity.name)
@@ -38,15 +37,19 @@ const _addSubDeepInsertCQN = (model, compositionTree, data, cqns, draft) => {
           }
         }
       }
+
       return result
     }, [])
+
     if (insertCQN.INSERT.entries.length > 0) {
       cqns.push(insertCQN)
     }
+
     if (subData.length > 0) {
       _addSubDeepInsertCQN(model, element, subData, cqns, draft)
     }
   })
+
   return cqns
 }
 

package/libx/_runtime/common/composition/update.js

@@ -1,13 +1,10 @@
 const cds = require('../../cds')
-
 const { getCompositionTree } = require('./tree')
 const { getDeepInsertCQNs } = require('./insert')
 const { getDeepDeleteCQNs } = require('./delete')
 const ctUtils = require('./utils')
-
 const { ensureNoDraftsSuffix } = require('../utils/draft')
 const { deepCopyObject } = require('../utils/copy')
-
 const getError = require('../../common/error')
 const { getEntityNameFromUpdateCQN } = require('../utils/cqn')
 
@@ -31,28 +28,35 @@ const _serializedKey = (entity, data) => {
 
 const _dataByKey = (entity, data) => {
   const dataByKey = new Map()
+
   for (const entry of data) {
     dataByKey.set(_serializedKey(entity, entry), entry)
   }
+
   return dataByKey
 }
 
 function _addSubDeepUpdateCQNForDelete({ entity, data, selectData, entityName, deleteCQNs }) {
   const dataByKey = _dataByKey(entity, data)
+
   if (selectData.length && selectData[0] && Object.keys(selectData[0]).length) {
     for (let j = 0; j < selectData.length; j += CHUNK_SIZE) {
       const deleteCQN = { DELETE: { from: entityName, where: [] } }
+
       for (let i = j; i < j + CHUNK_SIZE && i < selectData.length; i++) {
         const selectEntry = selectData[i]
         if (!selectEntry) continue
+
         const dataEntry = dataByKey.get(_serializedKey(entity, selectEntry))
         if (!dataEntry) {
           if (deleteCQN.DELETE.where.length > 0) {
             deleteCQN.DELETE.where.push('or')
           }
+
           deleteCQN.DELETE.where.push({ xpr: [...ctUtils.whereKey(ctUtils.key(entity, selectEntry))] })
         }
       }
+
       if (deleteCQN.DELETE.where.length) deleteCQNs.push(deleteCQN)
     }
   }
@@ -63,6 +67,7 @@ const _unwrapVal = obj => {
     const value = obj[key]
     if (value && value.val) obj[key] = value.val
   }
+
   return obj
 }
 
@@ -120,6 +125,7 @@ const _diffData = (newData, oldData, entity, newEntry, oldEntry, model) => {
 function _addSubDeepUpdateCQNForUpdateInsert({ entity, entityName, data, selectData, updateCQNs, insertCQN, model }) {
   const selectDataByKey = _dataByKey(entity, selectData)
   const deepUpdateData = []
+
   for (const entry of data) {
     if (entry === null) continue
 
@@ -138,6 +144,7 @@ function _addSubDeepUpdateCQNForUpdateInsert({ entity, entityName, data, selectD
       // inserts are handled deep so they must not be put into deepUpdateData
     }
   }
+
   return deepUpdateData
 }
 
@@ -152,9 +159,7 @@ async function _addSubDeepUpdateCQNCollect(model, cqns, updateCQNs, insertCQN, d
     cqns[0] = cqns[0] || []
     const deepInsertCQNs = getDeepInsertCQNs(model, insertCQN)
     deepInsertCQNs.forEach(insertCQN => {
-      const intoCQN = cqns[0].find(cqn => {
-        return cqn.INSERT && cqn.INSERT.into === insertCQN.INSERT.into
-      })
+      const intoCQN = cqns[0].find(cqn => cqn.INSERT?.into === insertCQN.INSERT.into)
       if (!intoCQN) {
         cqns[0].push(insertCQN)
       } else {
@@ -202,6 +207,7 @@ async function _addSubDeepUpdateCQNRecursion({ model, compositionTree, entity, d
           if (selectEntry[element.name] === null && entry[element.name] === null) {
             continue
           }
+
           _addToData(selectSubData, entity, element, selectEntry)
         }
 
@@ -246,7 +252,6 @@ const _addSubDeepUpdateCQN = async ({ model, compositionTree, data, selectData,
   })
 
   await _addSubDeepUpdateCQNCollect(model, cqns, updateCQNs, insertCQN, deleteCQNs, req)
-
   if (deepUpdateData.length === 0) return Promise.resolve()
 
   return _addSubDeepUpdateCQNRecursion({
@@ -282,7 +287,6 @@ const hasDeepUpdate = (model, cqn) => {
 const getDeepUpdateCQNs = async (model, req, selectData) => {
   const { query } = req
   if (!Array.isArray(selectData)) selectData = [selectData]
-
   if (selectData.length === 0) return []
   if (selectData.length > 1) throw getError('Deep update can only be performed on a single instance')
 

package/libx/_runtime/common/error/constants.js

@@ -11,5 +11,10 @@ module.exports = {
   DEFAULT_SEVERITY: 2,
   MIN_SEVERITY: 1,
   MAX_SEVERITY: 4,
-  MULTIPLE_ERRORS: 'MULTIPLE_ERRORS'
+  MULTIPLE_ERRORS: 'MULTIPLE_ERRORS',
+  /*
+   * OData
+   */
+  ODATA_UNAUTHORIZED: { statusCode: 401, code: '401', message: 'Unauthorized' },
+  ODATA_FORBIDDEN: { statusCode: 403, code: '403', message: 'Forbidden' }
 }

package/libx/_runtime/common/generic/auth/requires.js

@@ -1,7 +1,12 @@
 const { reject, getRejectReason, getAuthRelevantEntity } = require('./utils')
 const { CRUD_EVENTS } = require('./constants')
 
-const { getRequiresAsArray } = require('../../../auth/utils')
+const _getRequiresAsArray = definition =>
+  definition['@requires']
+    ? Array.isArray(definition['@requires'])
+      ? definition['@requires']
+      : [definition['@requires']]
+    : false
 
 function handler(req) {
   if (req.user._is_privileged) {
@@ -13,7 +18,7 @@ function handler(req) {
   if (req.event in CRUD_EVENTS) {
     // > CRUD
     definition = getAuthRelevantEntity(req, this.model, ['@requires', '@restrict'])
-  } else if (req.target && req.target.actions) {
+  } else if (req.target?.actions) {
     // > bound
     definition = req.target.actions[req.event]
   } else {
@@ -23,7 +28,10 @@ function handler(req) {
 
   if (!definition) return
 
-  const requires = getRequiresAsArray(definition)
+  // also check target entity for bound operations
+  const requires =
+    _getRequiresAsArray(definition) ||
+    (['action', 'function'].includes(definition.kind) && req.target && _getRequiresAsArray(req.target))
   if (!requires || requires.some(role => req.user.is(role))) return
 
   reject(req, getRejectReason(req, '@requires', definition))

package/libx/_runtime/common/generic/auth/restrict.js

@@ -37,11 +37,9 @@ const _getResolvedApplicables = (applicables, req) => {
   return resolvedApplicables
 }
 
-const _isStaticAuth = resolvedApplicables => {
-  return (
-    resolvedApplicables.length === 1 &&
-    resolvedApplicables[0]._xpr.length === 3 &&
-    resolvedApplicables[0]._xpr.every(ele => typeof ele !== 'object' || ele.val)
+const _getStaticAuthRestrictions = resolvedApplicables => {
+  return resolvedApplicables.filter(
+    resolved => resolved && resolved._xpr.length === 3 && resolved._xpr.every(ele => typeof ele !== 'object' || ele.val)
   )
 }
 
@@ -68,14 +66,14 @@ const _evalStatic = (op, vals) => {
   }
 }
 
-const _handleStaticAuth = (resolvedApplicables, req) => {
-  const op = resolvedApplicables[0]._xpr.find(ele => typeof ele === 'string')
-  const vals = resolvedApplicables[0]._xpr.filter(ele => typeof ele === 'object' && ele.val).map(ele => ele.val)
-
-  if (_evalStatic(op, vals)) {
-    // static clause grants access => done
-    return
-  }
+const _handleStaticAuthRestrictions = (resolvedApplicables, req) => {
+  const isAllowed = resolvedApplicables.some(restriction => {
+    const op = restriction._xpr.find(ele => typeof ele === 'string')
+    const vals = restriction._xpr.filter(ele => typeof ele === 'object' && ele.val).map(ele => ele.val)
+    return _evalStatic(op, vals)
+  })
+  // static clause grants access => done
+  if (isAllowed) return
 
   // static clause forbids access => forbidden
   return reject(req)
@@ -224,8 +222,15 @@ async function handler(req) {
     return
   }
 
+  // READ UPDATE DELETE on draft enabled entities are unrestricted, because only the owner can access them
+  const draftUnRestrictedEvents = ['READ', 'UPDATE', 'DELETE', 'CREATE']
+  if (definition.isDraft && draftUnRestrictedEvents.includes(req.event)) {
+    return
+  }
+
   let restrictions = this.getRestrictions.call(this, definition, req.event, req.user)
   if (restrictions instanceof Promise) restrictions = await restrictions
+
   if (!restrictions) {
     // > unrestricted
     return
@@ -243,8 +248,9 @@ async function handler(req) {
   const resolvedApplicables = _getResolvedApplicables(restrictions, req)
 
   // REVISIT: support more complex statics
-  if (_isStaticAuth(resolvedApplicables)) {
-    return _handleStaticAuth(resolvedApplicables, req)
+  const staticAuthRestriction = _getStaticAuthRestrictions(resolvedApplicables)
+  if (staticAuthRestriction.length > 0) {
+    return _handleStaticAuthRestrictions(staticAuthRestriction, req)
   }
 
   if (req.event === 'READ') {

package/libx/_runtime/common/generic/auth/restrictions.js

@@ -1,5 +1,6 @@
 const WRITE_EVENTS = { CREATE: 1, NEW: 1, UPDATE: 1, PATCH: 1, DELETE: 1, CANCEL: 1, EDIT: 1 }
 const CRUD = Object.assign({ READ: 1 }, WRITE_EVENTS)
+const cds = require('../../../cds')
 
 /**
  * Returns the applicable restrictions for the current request as follows:
@@ -109,12 +110,14 @@ const getNormalizedRestrictions = (definition, definitions) => {
   return isRestricted ? restricts : null
 }
 
-const _isGrantAccessAllowed = (eventName, restrict) => restrict.grant === '*' || restrict.grant === eventName
+const _isGrantAccessAllowed = (eventName, restrict) =>
+  restrict.grant === '*' || (eventName === 'EDIT' && restrict.grant === 'UPDATE') || restrict.grant === eventName
+
 const _isToAccessAllowed = (user, restrict) => restrict.to.some(role => user.is(role))
 
 const getApplicableRestrictions = (restrictions, event, user) => {
   return restrictions.filter(restrict => {
-    const eventName = { NEW: 'CREATE', EDIT: 'UPDATE' }[event] || event
+    const eventName = cds.env.fiori.lean_draft ? event : { NEW: 'CREATE' }[event] || event
     return _isGrantAccessAllowed(eventName, restrict) && _isToAccessAllowed(user, restrict)
   })
 }

package/libx/_runtime/common/generic/crud.js

@@ -14,6 +14,12 @@ const _targetEntityDoesNotExist = async req => {
 exports.impl = cds.service.impl(function () {
   // eslint-disable-next-line complexity
   this.on(['CREATE', 'READ', 'UPDATE', 'DELETE', 'UPSERT'], '*', async function (req) {
+    if (!req.query) {
+      throw getError({
+        code: 501,
+        message: 'The request has no query and cannot be served generically.'
+      })
+    }
     if (typeof req.query !== 'string' && req.target && req.target._hasPersistenceSkip) {
       throw getError({
         code: 501,

package/libx/_runtime/common/generic/paging.js

@@ -10,7 +10,8 @@ const MAX = cds.env.query?.limit?.max || 1000
 const _cached = Symbol('@cds.query.limit')
 
 const getPageSize = def => {
-  if (_cached in def) return def[_cached]
+  // do not look at prototypes re cached settings
+  if (Object.hasOwn(def, _cached)) return def[_cached]
   let max = def['@cds.query.limit.max'] ?? def._service?.['@cds.query.limit.max'] ?? MAX
   let _default =
     def['@cds.query.limit.default'] ??

package/libx/_runtime/common/utils/cqn2cqn4sql.js

@@ -3,7 +3,6 @@
 const cds = require('../../cds')
 const { SELECT, INSERT, DELETE, UPDATE } = cds.ql
 const Query = require('../../../../lib/ql/Query')
-
 const { resolveView } = require('./resolveView')
 const { ensureNoDraftsSuffix, getDraftColumnsCQNForDraft, ensureDraftsSuffix } = require('./draft')
 const { flattenStructuredSelect, OPERATIONS_MAP } = require('./structured')
@@ -807,8 +806,7 @@ const _convertSelect = (query, model, _options) => {
       const cols = getColumns(target, { onlyNames: true, filterVirtual: true })
       query.columns(cols)
       if (target._isDraftEnabled && query._target._unresolved) {
-        query.SELECT.columns.push(...getDraftColumnsCQNForDraft(target))
-        query.SELECT.columns.push({ ref: ['DraftAdministrativeData_DraftUUID'] })
+        query.SELECT.columns.push(...getDraftColumnsCQNForDraft(target), { ref: ['DraftAdministrativeData_DraftUUID'] })
       }
     }
   }
@@ -822,7 +820,8 @@ const _convertUpsert = (query, model) => {
 
   const target = model.definitions[resolvedIntoClause]
   if (!target) {
-    // if there is no target, just return original query, as a copy is not deep anyways and all the sub items of query.UPSERT are referenced only anyways
+    // if there is no target, just return original query, as a copy is not deep anyways
+    // and all the sub items of query.UPSERT are referenced only anyways
     return query
   }
 
@@ -867,7 +866,6 @@ const _convertInsert = (query, model) => {
 
   const target = model.definitions[resolvedIntoClause]
   if (!target) return insert
-
   return resolveView(insert, model, cds.db)
 }
 

package/libx/_runtime/common/utils/resolveView.js

@@ -246,7 +246,8 @@ const _newWhereRef = (newWhereElement, transition, alias, tableName, isSubSelect
     if (mapped) newRef[1] = mapped.ref[0]
   } else {
     const mapped = transition.mapping.get(newRef[0])
-    if (isSubSelect && mapped) {
+    if (isSubSelect && mapped && newRef.length === 1) {
+      // Add a table alias prefix only for not-yet-qualified refs
       newRef.unshift(transition.target.name)
       newRef[1] = mapped.ref[0]
     } else {
@@ -734,6 +735,7 @@ const resolveView = (query, model, service) => {
   // restore logger and clear _event
   LOG = _LOG
   _event = undefined
+
   return newQuery
 }
 

package/libx/_runtime/common/utils/restrictions.js

@@ -0,0 +1,47 @@
+const cds = require('../../cds')
+
+const containsAnyRestrictions = srv => {
+  const accessRestrictions = getAccessRestrictions(srv)
+  if (accessRestrictions.length > 1 || accessRestrictions[0] !== 'any') return true
+
+  const entities = srv.entities
+  const entitiesKeys = Object.keys(entities)
+
+  return !!(
+    entitiesKeys.some(entity => entities[entity]['@requires'] || entities[entity]['@restrict']) ||
+    entitiesKeys.some(entity => {
+      const actions = entities[entity].actions
+      actions && Object.keys(actions).some(action => actions[action]['@requires'] || actions[action]['@restrict'])
+    }) ||
+    Object.keys(srv.operations).some(
+      operation => srv.operations[operation]['@requires'] || srv.operations[operation]['@restrict']
+    )
+  )
+}
+
+const getAccessRestrictions = srv => {
+  let restrictions = srv.definition['@restrict'] || srv.definition['@requires']
+  if (restrictions) {
+    if (typeof restrictions === 'string') restrictions = [restrictions]
+    else
+      restrictions = restrictions
+        .map(r => (typeof r === 'string' ? r : r.to))
+        .reduce((acc, cur) => {
+          Array.isArray(cur) ? acc.push(...cur) : acc.push(cur)
+          return acc
+        }, [])
+  } else {
+    const { restrict_all_services } = cds.env.requires.auth
+    const in_prod = process.env.NODE_ENV === 'production'
+    // REVISIT: cleanup during streamlined auth
+    const is_mocked_auth = cds.env.requires.auth._kind === 'mocked'
+    if (restrict_all_services === false || !in_prod || is_mocked_auth) restrictions = ['any']
+    else restrictions = ['authenticated-user']
+  }
+  return restrictions
+}
+
+module.exports = {
+  containsAnyRestrictions,
+  getAccessRestrictions
+}

package/libx/_runtime/db/data-conversion/post-processing.js

@@ -132,9 +132,9 @@ const _getMapperForListedElements = (conversionMap, csn, cqn) => {
  * @returns {Map<any, any>}
  * @private
  */
-const getPostProcessMapper = (conversionMap, csn = {}, cqn = {}) => {
-  // No mapper defined or irrelevant as no READ request
-  if (!Object.prototype.hasOwnProperty.call(cqn, 'SELECT')) {
+const getPostProcessMapper = (conversionMap, csn, cqn) => {
+  // No mapper defined or irrelevant as no CSN, CQN or READ request
+  if (!csn || !cqn || !Object.prototype.hasOwnProperty.call(cqn, 'SELECT')) {
     return new Map()
   }
 

package/libx/_runtime/db/generic/input.js

@@ -138,7 +138,7 @@ const _pickCRUD = element => {
     categories.push('!default')
   }
 
-  if (element.default && !DRAFT_COLUMNS_MAP[element.name]) {
+  if (element.default && !DRAFT_COLUMNS_MAP[element.name] && !element.isAssociation) {
     categories.push({ category: 'default', args: element })
   }
 

package/libx/_runtime/db/sql-builder/ExpressionBuilder.js

@@ -157,23 +157,6 @@ class ExpressionBuilder extends BaseBuilder {
       objects[i + 1].func = `not ${objects[i + 1].func}`
       return 1
     }
-    if (objects[i].func || (objects[i + 2] && objects[i + 2].func)) {
-      // sqlite requires leading 0 for numbers in datetime functions
-      const f = objects[i].func ? i : OPERATORS.has(objects[i + 1]) ? i + 2 : i - 2
-      const v = objects[i].val ? i : OPERATORS.has(objects[i + 1]) ? i + 2 : i - 2
-      if (
-        objects[f] &&
-        cds.db &&
-        ((SQLITE_DATETIME_FUNCTIONS.has(objects[f].func) && cds.db.kind === 'sqlite') ||
-          (HANA_DATETIME_FUNCTIONS.has(objects[f].func) && cds.db.kind === 'hana'))
-      ) {
-        if (objects[v] && objects[v].val !== undefined && typeof objects[v].val === 'number') {
-          objects[v] = { val: `${objects[v].val < 10 ? 0 : ''}${objects[v].val}` }
-          if (objects[f].func === 'second') objects[v].val = _fillAfterDot(objects[v].val)
-        }
-      }
-      return 0
-    }
 
     if ((objects[i + 1] === '=' || objects[i + 1] in NOT_EQUAL) && objects[i + 2] && objects[i + 2].val === null) {
       this._addNullOrNotNull(objects[i], objects[i + 1])

package/libx/_runtime/fiori/lean-draft.js

@@ -87,6 +87,7 @@ const _redirectRefToActives = (ref, model) => {
 }
 
 const h = cds.ApplicationService.prototype.handle
+
 /* eslint-disable complexity */
 cds.ApplicationService.prototype.handle = async function (req) {
   const handle = h.bind(this)
@@ -338,8 +339,8 @@ cds.ApplicationService.prototype.handle = async function (req) {
   }
 
   req.query = query
-  const result = await handle(req)
-  return result
+
+  return handle(req)
 }
 
 // REVISIT: It's not optimal to first calculate the whole result array and only later
@@ -414,7 +415,7 @@ const Read = {
     draftsQuery.SELECT.orderBy = undefined
     draftsQuery.SELECT.columns = keys.map(k => ({ ref: [k] }))
 
-    const drafts = await draftsQuery
+    const drafts = await draftsQuery.where({ HasActiveEntity: true })
     const res = await Read.onlyActives(run, query.where(Read.whereNotIn(query._target, drafts)), {
       ignoreDrafts: true
     })
@@ -1092,6 +1093,7 @@ async function onPrepare(req) {
 module.exports = {
   impl() {
     if (!this._datasource) this._datasource = cds.db
+
     function _wrapped(handler, isActiveEntity) {
       const fn = function (req, next) {
         if (!req.target?.drafts || (isActiveEntity && req.target.isDraft) || (!isActiveEntity && !req.target.isDraft))
@@ -1100,6 +1102,7 @@ module.exports = {
       }
       return fn
     }
+
     // Also runs those handlers if they're annotated with @odata.draft.enabled through extensibility
     this.on('NEW', '*', _wrapped(onNew, false))
     this.on('EDIT', '*', _wrapped(onEdit, true))

package/libx/_runtime/hana/driver.js

@@ -195,11 +195,9 @@ const _getHanaDriver = name => {
       LOG._debug && LOG.debug(`Failed to require "hdb" with error "${e.message}". Trying "@sap/hana-client" next.`)
       return _getHanaDriver('@sap/hana-client')
     } else if (isConfigured) {
-      throw new Error(`"${name}" could not be required. Please make sure it is installed.`)
+      throw new Error(`"${name}" could not be found. Please make sure it is installed.`)
     } else {
-      throw new Error(
-        'Neither "hdb" nor "@sap/hana-client" could be required. Please make sure one of them is installed.'
-      )
+      throw new Error('Neither "hdb" nor "@sap/hana-client" could be found. Please make sure one of them is installed.')
     }
   }
 }

package/libx/_runtime/hana/pool.js

@@ -1,7 +1,7 @@
 const cds = require('../cds')
 const LOG = cds.log('pool|db')
 
-const { pool } = require('@sap/cds-foss')
+const { pool } = cds.utils
 const hana = require('./driver')
 const getError = require('../common/error')
 

package/libx/_runtime/messaging/enterprise-messaging-utils/registerEndpoints.js

@@ -4,7 +4,7 @@ const express = require('express')
 const getTenantInfo = require('./getTenantInfo.js')
 const isSecured = () => cds.requires.auth && (cds.requires.auth.impl || cds.requires.auth.credentials)
 const _require = require('../../common/utils/require')
-const { UNAUTHORIZED } = require('../../auth/utils')
+const { ODATA_UNAUTHORIZED } = require('../../common/error/constants')
 
 const _isAll = a => a && a.includes('all')
 
@@ -34,7 +34,7 @@ class EndpointRegistry {
       paths.forEach(path => {
         cds.app.use(path, (req, res, next) => {
           // REVISIT: we should probably pass an error into next so that a (custom) error middleware can handle it
-          if (!req.user) res.status(401).json({ error: UNAUTHORIZED })
+          if (!req.user) res.status(401).json({ error: ODATA_UNAUTHORIZED })
           next()
         })
       })

package/libx/_runtime/messaging/outbox/utils.js

@@ -135,8 +135,7 @@ const processMessages = async (service, tenant, _opts = {}) => {
           if (!msg) continue
           const res = {
             process: () =>
-              Promise.resolve().then(async () => {
-                if (userId) cds.context = { user }
+              cds._context.run({ user, tenant }, async () => {
                 try {
                   return service._emitImmediate && (await service._emitImmediate(msg))
                 } catch (e) {

package/libx/_runtime/remote/utils/client.js

@@ -416,7 +416,7 @@ const _stringToReqOptions = (query, data, target) => {
   const cleanQuery = query.trim()
   const blankIndex = cleanQuery.substring(0, 8).indexOf(' ')
   const reqOptions = {
-    method: cleanQuery.substring(0, blankIndex).toUpperCase(),
+    method: cleanQuery.substring(0, blankIndex).toUpperCase() || 'GET',
     url: encodeURI(formatPath(cleanQuery.substring(blankIndex, cleanQuery.length).trim()))
   }
 

package/libx/_runtime/sqlite/Service.js

@@ -98,10 +98,6 @@ module.exports = class SQLiteDatabase extends DatabaseService {
     }
   }
 
-  getDbUrl(tenant) {
-    return this.url4(tenant)
-  }
-
   url4(tenant) {
     const credentials = this.options.credentials || this.options || {}
     let dbUrl = credentials.database || credentials.url || credentials.host || ':memory:'

package/libx/_runtime/sqlite/customBuilder/CustomFunctionBuilder.js

@@ -87,7 +87,7 @@ class CustomFunctionBuilder extends FunctionBuilder {
   }
 
   _timeFunction(functionName, args) {
-    this._outputObj.sql.push('strftime(')
+    this._outputObj.sql.push('CAST(strftime(')
     this._outputObj.sql.push(dateTimeFunctions.get(functionName), ',')
     if (typeof args === 'string') {
       this._outputObj.sql.push(args, ')')
@@ -95,6 +95,7 @@ class CustomFunctionBuilder extends FunctionBuilder {
       this._addFunctionArgs(args)
       this._outputObj.sql.push(')')
     }
+    this._outputObj.sql.push(' as decimal)')
   }
 }