@sap/cds 7.1.2 → 7.2.1

package/libx/_runtime/auth/strategies/ias-auth.js

@@ -1,77 +1 @@
-const cds = require('../../../../lib')
-const _require = require('../../common/utils/require')
-// _require for better error message
-const express = _require('express')
-const passport = _require('passport')
-const { JWTStrategy } = _require('@sap/xssec')
-const LOG = cds.log('auth')
-
-const RESERVED_ATTRIBUTES = new Set([
-  'aud',
-  'azp',
-  'exp',
-  'ext_attr',
-  'iat',
-  'ias_iss',
-  'iss',
-  'jti',
-  'sub',
-  'user_uuid',
-  'zone_uuid',
-  'zid'
-])
-
-module.exports = function ias_auth(config) {
-  // warn if no credentials
-  if (!config.credentials) {
-    LOG._warn &&
-      LOG.warn(`
-       No IAS instance bound to application, but "${config.kind}" configured.
-       This is NOT recommended in production!
-       `)
-
-    return (req, res, next) => next()
-  }
-
-  passport.use('IAS', new JWTStrategy(config.credentials))
-  return express
-    .Router()
-    .use(passport.authenticate('IAS', { session: false, failWithError: true }))
-    .use((req, res, next) => {
-      // grant_type === client_credentials or x509
-      if (req.tokenInfo.getClientId() === req.tokenInfo.getSubject()) {
-        req.user = new cds.User({
-          id: 'system',
-          roles: ['authenticated-user'],
-          attr: {}
-        })
-        req.user._is_system = true
-      } else {
-        // add all unknown attributes to req.user.attr in order to keep public API small
-        const payload = req.tokenInfo.getPayload()
-        const attributes = Object.keys(payload)
-          .filter(k => !RESERVED_ATTRIBUTES.has(k))
-          .reduce((attrs, k) => {
-            attrs[k] = payload[k]
-            return attrs
-          }, {})
-
-        req.user = new cds.User({
-          id: req.user.id,
-          roles: ['authenticated-user'],
-          attr: attributes
-        })
-      }
-
-      req.tenant = req.tokenInfo.getZoneId()
-      next()
-    })
-    .use((err, req, res, _next) => {
-      if (req.tokenInfo) {
-        LOG?.debug('error during token validation', req.tokenInfo.getErrorObject())
-      }
-      // REVISIT: reject request immediately as our other auth strategies do
-      // should we call next(err)? -> I don't think so; it's not an error, is it?
-      res.status(401).json({ code: '401', message: 'Unauthorized' }) // REVISIT: this is OData style?
-    })
-}
+module.exports = require('../../../../lib/auth/ias-auth')

package/libx/_runtime/auth/strategies/mock.js

@@ -21,17 +21,6 @@ class MockStrategy {
     if (user.password && user.password !== password) return this.fail(CHALLENGE)
 
     const { features } = req.headers
-    // Only in the mock strategy the pseudo roles are kept in the role list.
-    // In all other cases pseudo roles are filtered out.
-    if (user.roles) {
-      if (Array.isArray(user.roles)) {
-        if (user.roles.includes('system-user')) user._is_system = true
-        if (user.roles.includes('internal-user')) user._is_internal = true
-      } else {
-        if ('system-user' in user.roles) user._is_system = true
-        if ('internal-user' in user.roles) user._is_internal = true
-      }
-    }
     this.success(new cds.User(features ? { ...user, features } : user))
   }
 }
@@ -55,7 +44,7 @@ const _init_users = (users, tenants = {}) => {
           Array.isArray(user.roles) ? user.roles.push(...scopes) : (user.roles = scopes)
         }
         if (user.jwt.grant_type === 'client_credentials' || user.jwt.grant_type === 'client_x509') {
-          user._is_system = true
+          Array.isArray(user.roles) ? user.roles.push('system-user') : (user.roles = ['system-user'])
         }
         if (!user.tenant && user.jwt.zid) user.tenant = user.jwt.zid
       }

package/libx/_runtime/auth/strategies/xssecUtils.js

@@ -11,8 +11,8 @@ const addRolesFromGrantType = (user, info, credentials) => {
     // > not "weak"
     user.roles['authenticated-user'] = true
     if (grantType in CLIENT) {
-      user._is_system = true
-      if (info.getClientId() === credentials.clientid) user._is_internal = true
+      user.roles['system-user'] = true
+      if (info.getClientId() === credentials.clientid) user.roles['internal-user'] = true
     }
   }
 }

package/libx/_runtime/cds-services/adapter/odata-v4/handlers/request.js

@@ -1,11 +1,13 @@
 const cds = require('../../../../cds')
 
-const { UNAUTHORIZED, FORBIDDEN, getRequiresAsArray, isRestricted } = require('../../../../auth/utils')
+const { containsAnyRestrictions, getAccessRestrictions } = require('../../../../common/utils/restrictions')
+const { ODATA_UNAUTHORIZED, ODATA_FORBIDDEN } = require('../../../../common/error/constants')
 
 module.exports = srv => {
-  const requires = getRequiresAsArray(srv.definition)
-  const restricted = isRestricted(srv)
+  const containsRestrictions = containsAnyRestrictions(srv)
+  const accessRestrictions = getAccessRestrictions(srv)
 
+  // eslint-disable-next-line complexity
   return function ODataRequestHandler(odataReq, odataRes, next) {
     const req = odataReq.getBatchApplicationData()
       ? odataReq.getBatchApplicationData().req
@@ -24,23 +26,23 @@ module.exports = srv => {
     }
 
     // in case of $batch we need to challenge directly, as the header is not processed if in $batch response body
-    if (restricted && path.endsWith('/$batch') && req.user._is_anonymous) {
+    if (containsRestrictions && path.endsWith('/$batch') && req.user._is_anonymous) {
       // NOTE: "return req._login()" would not invoke custom error handlers
       if (req._login) res.set('WWW-Authenticate', `Basic realm="Users"`)
       else if (user._challenges) res.set('WWW-Authenticate', user._challenges.join(';'))
-      return next(UNAUTHORIZED)
+      return next(ODATA_UNAUTHORIZED)
     }
 
-    // check @requires as soon as possible (DoS)
-    if (requires && !requires.some(r => user.is(r))) {
+    // check @restrict and @requires as soon as possible (DoS)
+    if (!accessRestrictions.some(r => user.is(r))) {
       // > unauthorized or forbidden?
       if (req.user._is_anonymous) {
         // NOTE: "return req._login()" would not invoke custom error handlers
         if (req._login) res.set('WWW-Authenticate', `Basic realm="Users"`)
         else if (user._challenges) res.set('WWW-Authenticate', user._challenges.join(';'))
-        return next(UNAUTHORIZED)
+        return next(ODATA_UNAUTHORIZED)
       }
-      return next(FORBIDDEN)
+      return next(ODATA_FORBIDDEN)
     }
 
     /*

package/libx/_runtime/cds-services/adapter/odata-v4/odata-to-cqn/ExpressionToCQN.js

@@ -1,3 +1,5 @@
+const cds = require('../../../../cds')
+
 const odata = require('../okra/odata-server')
 const ExpressionKind = odata.uri.Expression.ExpressionKind
 const BinaryOperatorKind = odata.uri.BinaryExpression.OperatorKind
@@ -41,7 +43,10 @@ class ExpressionToCQN {
       case EdmPrimitiveTypeKind.Int16:
       case EdmPrimitiveTypeKind.Int32:
         return { val: parseInt(value) }
+      case EdmPrimitiveTypeKind.Int64:
+        return { val: value.toString() }
       case EdmPrimitiveTypeKind.Decimal:
+        return cds.env.features.compat_decimal ? { val: parseFloat(value) } : { val: value.toString() }
       case EdmPrimitiveTypeKind.Single:
       case EdmPrimitiveTypeKind.Double:
         return { val: parseFloat(value) }

package/libx/_runtime/cds-services/adapter/odata-v4/odata-to-cqn/applyToCQN.js

@@ -225,8 +225,11 @@ const applyToCQN = (transformations, entity, model) => {
       case TransformationKind.BOTTOM_TOP:
         _addBottomTopTransformation(transformation, res)
         break
-      default:
-        throw getFeatureNotSupportedError(`Transformation "${transformation.getKind()}" with query option $apply`)
+      default: {
+        const numericKind = transformation.getKind()
+        const stringKind = Object.entries(TransformationKind).find(([_, v]) => v === numericKind)?.[0]
+        throw getFeatureNotSupportedError(`Transformation "${stringKind || numericKind}" with query option $apply`)
+      }
     }
   }
 

package/libx/_runtime/cds-services/adapter/odata-v4/okra/odata-commons/uri/UriParser.js

@@ -175,6 +175,10 @@ class UriParser {
    * @param {UriInfo} uriInfo the result of parsing
    */
   parseQueryOptions (queryOptions, uriInfo) {
+    // EXPERIMENTAL FEATURE FLAGS!
+    const { okra_skip_query_options, odata_new_parser } = global.cds.env.features
+    if (okra_skip_query_options && odata_new_parser) return
+
     const lastSegment = uriInfo.getLastSegment()
     const crossjoinEntitySets = lastSegment.getCrossjoinEntitySets()
     const aliases = uriInfo.getAliases()

package/libx/_runtime/common/composition/data.js

@@ -29,6 +29,7 @@ const _isSameEntityInWhere = (where, target, persistentObj) => {
     const key = where[i].ref
     const val = where[i + 2].val
     const sign = where[i + 1]
+
     // eslint-disable-next-line
     if (target.elements[key].key && key in persistentObj && sign === '=' && val !== persistentObj[key]) {
       return false
@@ -255,6 +256,7 @@ const _select = ({
 const _selectDeepUpdateData = async args => {
   const { model, compositionTree, entityName, data, root, selectData, tx, selectAllColumns, where, parentKeys } = args
   let result = []
+
   if (!where && parentKeys && parentKeys.length && Object.keys(parentKeys[0]).length) {
     const keys0 = Object.keys(parentKeys[0])
     const keys = { list: keys0.map(pk => ({ ref: [pk] })) }
@@ -296,9 +298,7 @@ const _selectDeepUpdateData = async args => {
         root: false
       }
 
-      // REVISIT: remove null elements
-      subs.data = subs.data.filter(d => d)
-
+      subs.data = subs.data.filter(d => d) // REVISIT: remove null elements
       return _selectDeepUpdateData({ ...args, ...subs })
     })
   )
@@ -310,6 +310,7 @@ const _selectDeepUpdateData = async args => {
 const _resolveOrderBy = (orderBy, transitions) => {
   // no resolved entity found
   if (!transitions?.length) return
+
   // if there are no renamed fields, no need to resolve
   if (!transitions[0].mapping.size) return
   if (orderBy) orderBy.map(el => (el.ref[0] = transitions[0].mapping.get(el.ref[0]).ref[0]))
@@ -321,6 +322,7 @@ const _resolveOrderBy = (orderBy, transitions) => {
 
 const selectDeepUpdateData = (service, model, req, selectAllColumns = false) => {
   const query = req.query
+
   // REVISIT this should be done somewhere before, so it is not done twice for deep updates
   const sqlQuery = cqn2cqn4sql(query, model)
 

package/libx/_runtime/common/composition/insert.js

@@ -17,9 +17,8 @@ function _hasCompOrAssoc(entity, k) {
 
 const _addSubDeepInsertCQN = (model, compositionTree, data, cqns, draft) => {
   compositionTree.compositionElements.forEach(element => {
-    if (element.skipPersistence) {
-      return
-    }
+    if (element.skipPersistence) return
+
     // element source must be changed in comp tree
     const subEntity = model.definitions[element.source]
     const into = ctUtils.addDraftSuffix(draft, subEntity.name)
@@ -38,15 +37,19 @@ const _addSubDeepInsertCQN = (model, compositionTree, data, cqns, draft) => {
           }
         }
       }
+
       return result
     }, [])
+
     if (insertCQN.INSERT.entries.length > 0) {
       cqns.push(insertCQN)
     }
+
     if (subData.length > 0) {
       _addSubDeepInsertCQN(model, element, subData, cqns, draft)
     }
   })
+
   return cqns
 }
 

package/libx/_runtime/common/composition/update.js

@@ -1,13 +1,10 @@
 const cds = require('../../cds')
-
 const { getCompositionTree } = require('./tree')
 const { getDeepInsertCQNs } = require('./insert')
 const { getDeepDeleteCQNs } = require('./delete')
 const ctUtils = require('./utils')
-
 const { ensureNoDraftsSuffix } = require('../utils/draft')
 const { deepCopyObject } = require('../utils/copy')
-
 const getError = require('../../common/error')
 const { getEntityNameFromUpdateCQN } = require('../utils/cqn')
 
@@ -31,28 +28,35 @@ const _serializedKey = (entity, data) => {
 
 const _dataByKey = (entity, data) => {
   const dataByKey = new Map()
+
   for (const entry of data) {
     dataByKey.set(_serializedKey(entity, entry), entry)
   }
+
   return dataByKey
 }
 
 function _addSubDeepUpdateCQNForDelete({ entity, data, selectData, entityName, deleteCQNs }) {
   const dataByKey = _dataByKey(entity, data)
+
   if (selectData.length && selectData[0] && Object.keys(selectData[0]).length) {
     for (let j = 0; j < selectData.length; j += CHUNK_SIZE) {
       const deleteCQN = { DELETE: { from: entityName, where: [] } }
+
       for (let i = j; i < j + CHUNK_SIZE && i < selectData.length; i++) {
         const selectEntry = selectData[i]
         if (!selectEntry) continue
+
         const dataEntry = dataByKey.get(_serializedKey(entity, selectEntry))
         if (!dataEntry) {
           if (deleteCQN.DELETE.where.length > 0) {
             deleteCQN.DELETE.where.push('or')
           }
+
           deleteCQN.DELETE.where.push({ xpr: [...ctUtils.whereKey(ctUtils.key(entity, selectEntry))] })
         }
       }
+
       if (deleteCQN.DELETE.where.length) deleteCQNs.push(deleteCQN)
     }
   }
@@ -63,6 +67,7 @@ const _unwrapVal = obj => {
     const value = obj[key]
     if (value && value.val) obj[key] = value.val
   }
+
   return obj
 }
 
@@ -120,6 +125,7 @@ const _diffData = (newData, oldData, entity, newEntry, oldEntry, model) => {
 function _addSubDeepUpdateCQNForUpdateInsert({ entity, entityName, data, selectData, updateCQNs, insertCQN, model }) {
   const selectDataByKey = _dataByKey(entity, selectData)
   const deepUpdateData = []
+
   for (const entry of data) {
     if (entry === null) continue
 
@@ -138,6 +144,7 @@ function _addSubDeepUpdateCQNForUpdateInsert({ entity, entityName, data, selectD
       // inserts are handled deep so they must not be put into deepUpdateData
     }
   }
+
   return deepUpdateData
 }
 
@@ -152,9 +159,7 @@ async function _addSubDeepUpdateCQNCollect(model, cqns, updateCQNs, insertCQN, d
     cqns[0] = cqns[0] || []
     const deepInsertCQNs = getDeepInsertCQNs(model, insertCQN)
     deepInsertCQNs.forEach(insertCQN => {
-      const intoCQN = cqns[0].find(cqn => {
-        return cqn.INSERT && cqn.INSERT.into === insertCQN.INSERT.into
-      })
+      const intoCQN = cqns[0].find(cqn => cqn.INSERT?.into === insertCQN.INSERT.into)
       if (!intoCQN) {
         cqns[0].push(insertCQN)
       } else {
@@ -202,6 +207,7 @@ async function _addSubDeepUpdateCQNRecursion({ model, compositionTree, entity, d
           if (selectEntry[element.name] === null && entry[element.name] === null) {
             continue
           }
+
           _addToData(selectSubData, entity, element, selectEntry)
         }
 
@@ -246,7 +252,6 @@ const _addSubDeepUpdateCQN = async ({ model, compositionTree, data, selectData,
   })
 
   await _addSubDeepUpdateCQNCollect(model, cqns, updateCQNs, insertCQN, deleteCQNs, req)
-
   if (deepUpdateData.length === 0) return Promise.resolve()
 
   return _addSubDeepUpdateCQNRecursion({
@@ -282,7 +287,6 @@ const hasDeepUpdate = (model, cqn) => {
 const getDeepUpdateCQNs = async (model, req, selectData) => {
   const { query } = req
   if (!Array.isArray(selectData)) selectData = [selectData]
-
   if (selectData.length === 0) return []
   if (selectData.length > 1) throw getError('Deep update can only be performed on a single instance')
 

package/libx/_runtime/common/error/constants.js

@@ -11,5 +11,10 @@ module.exports = {
   DEFAULT_SEVERITY: 2,
   MIN_SEVERITY: 1,
   MAX_SEVERITY: 4,
-  MULTIPLE_ERRORS: 'MULTIPLE_ERRORS'
+  MULTIPLE_ERRORS: 'MULTIPLE_ERRORS',
+  /*
+   * OData
+   */
+  ODATA_UNAUTHORIZED: { statusCode: 401, code: '401', message: 'Unauthorized' },
+  ODATA_FORBIDDEN: { statusCode: 403, code: '403', message: 'Forbidden' }
 }

package/libx/_runtime/common/generic/auth/requires.js

@@ -1,7 +1,12 @@
 const { reject, getRejectReason, getAuthRelevantEntity } = require('./utils')
 const { CRUD_EVENTS } = require('./constants')
 
-const { getRequiresAsArray } = require('../../../auth/utils')
+const _getRequiresAsArray = definition =>
+  definition['@requires']
+    ? Array.isArray(definition['@requires'])
+      ? definition['@requires']
+      : [definition['@requires']]
+    : false
 
 function handler(req) {
   if (req.user._is_privileged) {
@@ -13,7 +18,7 @@ function handler(req) {
   if (req.event in CRUD_EVENTS) {
     // > CRUD
     definition = getAuthRelevantEntity(req, this.model, ['@requires', '@restrict'])
-  } else if (req.target && req.target.actions) {
+  } else if (req.target?.actions) {
     // > bound
     definition = req.target.actions[req.event]
   } else {
@@ -23,7 +28,10 @@ function handler(req) {
 
   if (!definition) return
 
-  const requires = getRequiresAsArray(definition)
+  // also check target entity for bound operations
+  const requires =
+    _getRequiresAsArray(definition) ||
+    (['action', 'function'].includes(definition.kind) && req.target && _getRequiresAsArray(req.target))
   if (!requires || requires.some(role => req.user.is(role))) return
 
   reject(req, getRejectReason(req, '@requires', definition))

package/libx/_runtime/common/generic/auth/restrict.js

@@ -37,11 +37,9 @@ const _getResolvedApplicables = (applicables, req) => {
   return resolvedApplicables
 }
 
-const _isStaticAuth = resolvedApplicables => {
-  return (
-    resolvedApplicables.length === 1 &&
-    resolvedApplicables[0]._xpr.length === 3 &&
-    resolvedApplicables[0]._xpr.every(ele => typeof ele !== 'object' || ele.val)
+const _getStaticAuthRestrictions = resolvedApplicables => {
+  return resolvedApplicables.filter(
+    resolved => resolved && resolved._xpr.length === 3 && resolved._xpr.every(ele => typeof ele !== 'object' || ele.val)
   )
 }
 
@@ -68,14 +66,14 @@ const _evalStatic = (op, vals) => {
   }
 }
 
-const _handleStaticAuth = (resolvedApplicables, req) => {
-  const op = resolvedApplicables[0]._xpr.find(ele => typeof ele === 'string')
-  const vals = resolvedApplicables[0]._xpr.filter(ele => typeof ele === 'object' && ele.val).map(ele => ele.val)
-
-  if (_evalStatic(op, vals)) {
-    // static clause grants access => done
-    return
-  }
+const _handleStaticAuthRestrictions = (resolvedApplicables, req) => {
+  const isAllowed = resolvedApplicables.some(restriction => {
+    const op = restriction._xpr.find(ele => typeof ele === 'string')
+    const vals = restriction._xpr.filter(ele => typeof ele === 'object' && ele.val).map(ele => ele.val)
+    return _evalStatic(op, vals)
+  })
+  // static clause grants access => done
+  if (isAllowed) return
 
   // static clause forbids access => forbidden
   return reject(req)
@@ -224,8 +222,15 @@ async function handler(req) {
     return
   }
 
+  // READ UPDATE DELETE on draft enabled entities are unrestricted, because only the owner can access them
+  const draftUnRestrictedEvents = ['READ', 'UPDATE', 'DELETE', 'CREATE']
+  if (definition.isDraft && draftUnRestrictedEvents.includes(req.event)) {
+    return
+  }
+
   let restrictions = this.getRestrictions.call(this, definition, req.event, req.user)
   if (restrictions instanceof Promise) restrictions = await restrictions
+
   if (!restrictions) {
     // > unrestricted
     return
@@ -243,8 +248,9 @@ async function handler(req) {
   const resolvedApplicables = _getResolvedApplicables(restrictions, req)
 
   // REVISIT: support more complex statics
-  if (_isStaticAuth(resolvedApplicables)) {
-    return _handleStaticAuth(resolvedApplicables, req)
+  const staticAuthRestriction = _getStaticAuthRestrictions(resolvedApplicables)
+  if (staticAuthRestriction.length > 0) {
+    return _handleStaticAuthRestrictions(staticAuthRestriction, req)
   }
 
   if (req.event === 'READ') {

package/libx/_runtime/common/generic/auth/restrictions.js

@@ -1,5 +1,6 @@
 const WRITE_EVENTS = { CREATE: 1, NEW: 1, UPDATE: 1, PATCH: 1, DELETE: 1, CANCEL: 1, EDIT: 1 }
 const CRUD = Object.assign({ READ: 1 }, WRITE_EVENTS)
+const cds = require('../../../cds')
 
 /**
  * Returns the applicable restrictions for the current request as follows:
@@ -109,12 +110,14 @@ const getNormalizedRestrictions = (definition, definitions) => {
   return isRestricted ? restricts : null
 }
 
-const _isGrantAccessAllowed = (eventName, restrict) => restrict.grant === '*' || restrict.grant === eventName
+const _isGrantAccessAllowed = (eventName, restrict) =>
+  restrict.grant === '*' || (eventName === 'EDIT' && restrict.grant === 'UPDATE') || restrict.grant === eventName
+
 const _isToAccessAllowed = (user, restrict) => restrict.to.some(role => user.is(role))
 
 const getApplicableRestrictions = (restrictions, event, user) => {
   return restrictions.filter(restrict => {
-    const eventName = { NEW: 'CREATE', EDIT: 'UPDATE' }[event] || event
+    const eventName = cds.env.fiori.lean_draft ? event : { NEW: 'CREATE' }[event] || event
     return _isGrantAccessAllowed(eventName, restrict) && _isToAccessAllowed(user, restrict)
   })
 }

package/libx/_runtime/common/generic/crud.js

@@ -14,6 +14,12 @@ const _targetEntityDoesNotExist = async req => {
 exports.impl = cds.service.impl(function () {
   // eslint-disable-next-line complexity
   this.on(['CREATE', 'READ', 'UPDATE', 'DELETE', 'UPSERT'], '*', async function (req) {
+    if (!req.query) {
+      throw getError({
+        code: 501,
+        message: 'The request has no query and cannot be served generically.'
+      })
+    }
     if (typeof req.query !== 'string' && req.target && req.target._hasPersistenceSkip) {
       throw getError({
         code: 501,

package/libx/_runtime/common/generic/paging.js

@@ -10,7 +10,8 @@ const MAX = cds.env.query?.limit?.max || 1000
 const _cached = Symbol('@cds.query.limit')
 
 const getPageSize = def => {
-  if (_cached in def) return def[_cached]
+  // do not look at prototypes re cached settings
+  if (Object.hasOwn(def, _cached)) return def[_cached]
   let max = def['@cds.query.limit.max'] ?? def._service?.['@cds.query.limit.max'] ?? MAX
   let _default =
     def['@cds.query.limit.default'] ??
@@ -34,6 +35,7 @@ const commonGenericPaging = function (req) {
 }
 
 const _addPaging = function ({ SELECT }, target) {
+  if (SELECT.limit === false) return
   const { rows } = SELECT.limit || (SELECT.limit = {})
   const conf = getPageSize(target)
   SELECT.limit.rows = {

package/libx/_runtime/common/i18n/messages.properties

@@ -83,6 +83,7 @@ CRUD_VIA_NAVIGATION_NOT_SUPPORTED=CRUD via navigations is not yet supported
 
 # draft
 DRAFT_ALREADY_EXISTS=A draft for this entity already exists
+DRAFT_NOT_EXISTING=No draft for this entity exists
 DRAFT_LOCKED_BY_ANOTHER_USER=The entity is locked by user "{0}"
 DRAFT_MODIFICATION_ONLY_VIA_ROOT=A draft can only be modified via its root entity
 

package/libx/_runtime/common/utils/cqn2cqn4sql.js

@@ -3,7 +3,6 @@
 const cds = require('../../cds')
 const { SELECT, INSERT, DELETE, UPDATE } = cds.ql
 const Query = require('../../../../lib/ql/Query')
-
 const { resolveView } = require('./resolveView')
 const { ensureNoDraftsSuffix, getDraftColumnsCQNForDraft, ensureDraftsSuffix } = require('./draft')
 const { flattenStructuredSelect, OPERATIONS_MAP } = require('./structured')
@@ -807,8 +806,7 @@ const _convertSelect = (query, model, _options) => {
       const cols = getColumns(target, { onlyNames: true, filterVirtual: true })
       query.columns(cols)
       if (target._isDraftEnabled && query._target._unresolved) {
-        query.SELECT.columns.push(...getDraftColumnsCQNForDraft(target))
-        query.SELECT.columns.push({ ref: ['DraftAdministrativeData_DraftUUID'] })
+        query.SELECT.columns.push(...getDraftColumnsCQNForDraft(target), { ref: ['DraftAdministrativeData_DraftUUID'] })
       }
     }
   }
@@ -822,7 +820,8 @@ const _convertUpsert = (query, model) => {
 
   const target = model.definitions[resolvedIntoClause]
   if (!target) {
-    // if there is no target, just return original query, as a copy is not deep anyways and all the sub items of query.UPSERT are referenced only anyways
+    // if there is no target, just return original query, as a copy is not deep anyways
+    // and all the sub items of query.UPSERT are referenced only anyways
     return query
   }
 
@@ -867,7 +866,6 @@ const _convertInsert = (query, model) => {
 
   const target = model.definitions[resolvedIntoClause]
   if (!target) return insert
-
   return resolveView(insert, model, cds.db)
 }
 

package/libx/_runtime/common/utils/resolveView.js

@@ -246,7 +246,8 @@ const _newWhereRef = (newWhereElement, transition, alias, tableName, isSubSelect
     if (mapped) newRef[1] = mapped.ref[0]
   } else {
     const mapped = transition.mapping.get(newRef[0])
-    if (isSubSelect && mapped) {
+    if (isSubSelect && mapped && newRef.length === 1) {
+      // Add a table alias prefix only for not-yet-qualified refs
       newRef.unshift(transition.target.name)
       newRef[1] = mapped.ref[0]
     } else {
@@ -734,6 +735,7 @@ const resolveView = (query, model, service) => {
   // restore logger and clear _event
   LOG = _LOG
   _event = undefined
+
   return newQuery
 }