@sap/cds 7.1.2 → 7.2.1

package/libx/_runtime/common/utils/restrictions.js

@@ -0,0 +1,47 @@
+const cds = require('../../cds')
+
+const containsAnyRestrictions = srv => {
+  const accessRestrictions = getAccessRestrictions(srv)
+  if (accessRestrictions.length > 1 || accessRestrictions[0] !== 'any') return true
+
+  const entities = srv.entities
+  const entitiesKeys = Object.keys(entities)
+
+  return !!(
+    entitiesKeys.some(entity => entities[entity]['@requires'] || entities[entity]['@restrict']) ||
+    entitiesKeys.some(entity => {
+      const actions = entities[entity].actions
+      actions && Object.keys(actions).some(action => actions[action]['@requires'] || actions[action]['@restrict'])
+    }) ||
+    Object.keys(srv.operations).some(
+      operation => srv.operations[operation]['@requires'] || srv.operations[operation]['@restrict']
+    )
+  )
+}
+
+const getAccessRestrictions = srv => {
+  let restrictions = srv.definition['@restrict'] || srv.definition['@requires']
+  if (restrictions) {
+    if (typeof restrictions === 'string') restrictions = [restrictions]
+    else
+      restrictions = restrictions
+        .map(r => (typeof r === 'string' ? r : r.to))
+        .reduce((acc, cur) => {
+          Array.isArray(cur) ? acc.push(...cur) : acc.push(cur)
+          return acc
+        }, [])
+  } else {
+    const { restrict_all_services } = cds.env.requires.auth
+    const in_prod = process.env.NODE_ENV === 'production'
+    // REVISIT: cleanup during streamlined auth
+    const is_mocked_auth = cds.env.requires.auth._kind === 'mocked'
+    if (restrict_all_services === false || !in_prod || is_mocked_auth) restrictions = ['any']
+    else restrictions = ['authenticated-user']
+  }
+  return restrictions
+}
+
+module.exports = {
+  containsAnyRestrictions,
+  getAccessRestrictions
+}

package/libx/_runtime/db/data-conversion/post-processing.js

@@ -132,9 +132,9 @@ const _getMapperForListedElements = (conversionMap, csn, cqn) => {
  * @returns {Map<any, any>}
  * @private
  */
-const getPostProcessMapper = (conversionMap, csn = {}, cqn = {}) => {
-  // No mapper defined or irrelevant as no READ request
-  if (!Object.prototype.hasOwnProperty.call(cqn, 'SELECT')) {
+const getPostProcessMapper = (conversionMap, csn, cqn) => {
+  // No mapper defined or irrelevant as no CSN, CQN or READ request
+  if (!csn || !cqn || !Object.prototype.hasOwnProperty.call(cqn, 'SELECT')) {
     return new Map()
   }
 

package/libx/_runtime/db/generic/input.js

@@ -138,7 +138,7 @@ const _pickCRUD = element => {
     categories.push('!default')
   }
 
-  if (element.default && !DRAFT_COLUMNS_MAP[element.name]) {
+  if (element.default && !DRAFT_COLUMNS_MAP[element.name] && !element.isAssociation) {
     categories.push({ category: 'default', args: element })
   }
 

package/libx/_runtime/db/sql-builder/ExpressionBuilder.js

@@ -157,23 +157,6 @@ class ExpressionBuilder extends BaseBuilder {
       objects[i + 1].func = `not ${objects[i + 1].func}`
       return 1
     }
-    if (objects[i].func || (objects[i + 2] && objects[i + 2].func)) {
-      // sqlite requires leading 0 for numbers in datetime functions
-      const f = objects[i].func ? i : OPERATORS.has(objects[i + 1]) ? i + 2 : i - 2
-      const v = objects[i].val ? i : OPERATORS.has(objects[i + 1]) ? i + 2 : i - 2
-      if (
-        objects[f] &&
-        cds.db &&
-        ((SQLITE_DATETIME_FUNCTIONS.has(objects[f].func) && cds.db.kind === 'sqlite') ||
-          (HANA_DATETIME_FUNCTIONS.has(objects[f].func) && cds.db.kind === 'hana'))
-      ) {
-        if (objects[v] && objects[v].val !== undefined && typeof objects[v].val === 'number') {
-          objects[v] = { val: `${objects[v].val < 10 ? 0 : ''}${objects[v].val}` }
-          if (objects[f].func === 'second') objects[v].val = _fillAfterDot(objects[v].val)
-        }
-      }
-      return 0
-    }
 
     if ((objects[i + 1] === '=' || objects[i + 1] in NOT_EQUAL) && objects[i + 2] && objects[i + 2].val === null) {
       this._addNullOrNotNull(objects[i], objects[i + 1])

package/libx/_runtime/fiori/lean-draft.js

@@ -48,6 +48,10 @@ const _promiseAll = async array => {
 
 const _isCount = query => query.SELECT.columns?.length === 1 && query.SELECT.columns[0].func === 'count'
 
+const entity_keys = e => {
+  return Object_keys(e.keys).filter(k => k !== 'IsActiveEntity' && !e.keys[k].isAssociation)
+}
+
 const _inProcessByUserXpr = lockShiftedNow => ({
   xpr: [
     'case',
@@ -87,6 +91,7 @@ const _redirectRefToActives = (ref, model) => {
 }
 
 const h = cds.ApplicationService.prototype.handle
+
 /* eslint-disable complexity */
 cds.ApplicationService.prototype.handle = async function (req) {
   const handle = h.bind(this)
@@ -256,7 +261,7 @@ cds.ApplicationService.prototype.handle = async function (req) {
           { ref: ['DraftAdministrativeData'], expand: [{ ref: ['InProcessByUser'] }] }
         ])
     )
-    if (!res) req.reject(_etagValidationType ? 412 : 404)
+    if (!res) req.reject(_etagValidationType ? 412 : { code: 'DRAFT_NOT_EXISTING', status: 404 })
     if (res.DraftAdministrativeData?.InProcessByUser !== cds.context.user.id)
       req.reject(403, 'DRAFT_LOCKED_BY_ANOTHER_USER', [res.DraftAdministrativeData?.InProcessByUser])
     const DraftAdministrativeData_DraftUUID = res.DraftAdministrativeData_DraftUUID
@@ -286,9 +291,7 @@ cds.ApplicationService.prototype.handle = async function (req) {
   if (req.target.actions?.[req.event] && draftParams.IsActiveEntity === false) {
     if (query.SELECT?.from?.ref) query.SELECT.from.ref = _redirectRefToDrafts(query.SELECT.from.ref, this.model)
     const rootQuery = query.clone()
-    const columns = Object_keys(query._target.keys)
-      .filter(k => k !== 'IsActiveEntity')
-      .map(k => ({ ref: [k] }))
+    const columns = entity_keys(query._target).map(k => ({ ref: [k] }))
     columns.push({ ref: ['DraftAdministrativeData'], expand: [{ ref: ['InProcessByUser'] }] })
     rootQuery.SELECT.columns = columns
     rootQuery.SELECT.one = true
@@ -338,8 +341,8 @@ cds.ApplicationService.prototype.handle = async function (req) {
   }
 
   req.query = query
-  const result = await handle(req)
-  return result
+
+  return handle(req)
 }
 
 // REVISIT: It's not optimal to first calculate the whole result array and only later
@@ -376,7 +379,7 @@ const Read = {
     if (query._target.name.endsWith('.DraftAdministrativeData')) return run(query._drafts)
     if (!query._target._isDraftEnabled) return run(query)
     if (!query.SELECT.groupBy && query.SELECT.columns && !query.SELECT.columns.some(c => c === '*')) {
-      const keys = Object_keys(query._target.keys).filter(k => k !== 'IsActiveEntity')
+      const keys = entity_keys(query._target)
       for (const key of keys) {
         if (!query.SELECT.columns.some(c => c.ref?.[0] === key)) query.SELECT.columns.push({ ref: [key] })
       }
@@ -408,13 +411,12 @@ const Read = {
   unchanged: async function (run, query) {
     LOG.debug('List Editing Status: Unchanged')
     const draftsQuery = query._drafts
-    const keys = Object_keys(query._target.keys).filter(k => k !== 'IsActiveEntity')
     draftsQuery.SELECT.count = undefined
-    draftsQuery.SELECT.limit = undefined
     draftsQuery.SELECT.orderBy = undefined
-    draftsQuery.SELECT.columns = keys.map(k => ({ ref: [k] }))
+    draftsQuery.SELECT.limit = false
+    draftsQuery.SELECT.columns = entity_keys(query._target).map(k => ({ ref: [k] }))
 
-    const drafts = await draftsQuery
+    const drafts = await draftsQuery.where({ HasActiveEntity: true })
     const res = await Read.onlyActives(run, query.where(Read.whereNotIn(query._target, drafts)), {
       ignoreDrafts: true
     })
@@ -456,11 +458,10 @@ const Read = {
     LOG.debug('List Editing Status: All')
     if (!query._drafts) return []
     query._drafts.SELECT.count = false
-    query._drafts.SELECT.limit = undefined // We need all entries for the keys to properly select actives (count)
+    query._drafts.SELECT.limit = false // We need all entries for the keys to properly select actives (count)
     const isCount = _isCount(query._drafts)
     if (isCount) {
-      const keys = Object_keys(query._target.keys).filter(k => k !== 'IsActiveEntity')
-      query._drafts.SELECT.columns = keys.map(k => ({ ref: [k] }))
+      query._drafts.SELECT.columns = entity_keys(query._target).map(k => ({ ref: [k] }))
     }
     if (!query._drafts.SELECT.columns) query._drafts.SELECT.columns = ['*']
     if (!query._drafts.SELECT.columns.some(c => c.ref?.[0] === 'HasActiveEntity'))
@@ -524,13 +525,14 @@ const Read = {
   },
   activesFromDrafts: async function (run, query, { isLocked = true }) {
     const draftsQuery = query._drafts
-    const keys = Object_keys(query._target.keys).filter(k => k !== 'IsActiveEntity')
     const additionalCols = draftsQuery.SELECT.columns
       ? draftsQuery.SELECT.columns.filter(
           c => c.ref && ['DraftAdministrativeData', 'DraftAdministrativeData_DraftUUID'].includes(c.ref[0])
         )
       : [{ ref: ['DraftAdministrativeData_DraftUUID'] }]
-    draftsQuery.SELECT.columns = keys.map(k => ({ ref: [k] })).concat(additionalCols)
+    draftsQuery.SELECT.columns = entity_keys(query._target)
+      .map(k => ({ ref: [k] }))
+      .concat(additionalCols)
     draftsQuery.where({
       HasActiveEntity: true,
       'DraftAdministrativeData.InProcessByUser': { '!=': cds.context.user.id },
@@ -559,7 +561,7 @@ const Read = {
   },
   whereNotIn: (target, data) => Read.whereIn(target, data, true),
   whereIn: (target, data, not = false) => {
-    const keys = Object_keys(target.keys).filter(k => k !== 'IsActiveEntity')
+    const keys = entity_keys(target)
     const dataArray = data ? (Array.isArray(data) ? data : [data]) : []
     if (not && !dataArray.length) return []
     const left = { list: keys.map(k => ({ ref: [k] })) }
@@ -572,9 +574,7 @@ const Read = {
     if (!actives.length) return []
     const drafts = cds.ql.clone(query._drafts)
     drafts.SELECT.where = Read.whereIn(query._target, actives)
-    const newColumns = Object_keys(query._target.keys)
-      .filter(k => k !== 'IsActiveEntity')
-      .map(k => ({ ref: [k] }))
+    const newColumns = entity_keys(query._target).map(k => ({ ref: [k] }))
     if (
       !drafts.SELECT.columns ||
       drafts.SELECT.columns.some(c => c === '*' || c.ref?.[0] === 'DraftAdministrativeData_DraftUUID')
@@ -593,8 +593,10 @@ const Read = {
     // Indexes the data for fast key access
     const dataArray = Read._makeArray(data)
     if (!dataArray.length) return
-    const _keys = Object_keys(target.keys).filter(k => k !== 'IsActiveEntity')
-    const hash = row => _keys.map(k => row[k]).reduce((res, curr) => res + '|$|' + curr, '')
+    const hash = row =>
+      entity_keys(target)
+        .map(k => row[k])
+        .reduce((res, curr) => res + '|$|' + curr, '')
     const hashMap = new Map()
     for (const row of dataArray) hashMap.set(hash(row), row)
     return { hashMap, hash }
@@ -1073,12 +1075,11 @@ async function onPrepare(req) {
   }
   const where = req.query.SELECT.from.ref[0].where
 
-  const keys = Object_keys(req.target.keys).filter(k => k !== 'IsActiveEntity')
   const draftQuery = SELECT.one
     .from(req.target, d => {
       d.DraftAdministrativeData(a => a.InProcessByUser)
     })
-    .columns(keys)
+    .columns(entity_keys(req.target))
     .where(where)
   draftQuery[DRAFT_PARAMS] = draftParams
   const data = await draftQuery
@@ -1092,6 +1093,7 @@ async function onPrepare(req) {
 module.exports = {
   impl() {
     if (!this._datasource) this._datasource = cds.db
+
     function _wrapped(handler, isActiveEntity) {
       const fn = function (req, next) {
         if (!req.target?.drafts || (isActiveEntity && req.target.isDraft) || (!isActiveEntity && !req.target.isDraft))
@@ -1100,6 +1102,7 @@ module.exports = {
       }
       return fn
     }
+
     // Also runs those handlers if they're annotated with @odata.draft.enabled through extensibility
     this.on('NEW', '*', _wrapped(onNew, false))
     this.on('EDIT', '*', _wrapped(onEdit, true))

package/libx/_runtime/hana/driver.js

@@ -195,11 +195,9 @@ const _getHanaDriver = name => {
       LOG._debug && LOG.debug(`Failed to require "hdb" with error "${e.message}". Trying "@sap/hana-client" next.`)
       return _getHanaDriver('@sap/hana-client')
     } else if (isConfigured) {
-      throw new Error(`"${name}" could not be required. Please make sure it is installed.`)
+      throw new Error(`"${name}" could not be found. Please make sure it is installed.`)
     } else {
-      throw new Error(
-        'Neither "hdb" nor "@sap/hana-client" could be required. Please make sure one of them is installed.'
-      )
+      throw new Error('Neither "hdb" nor "@sap/hana-client" could be found. Please make sure one of them is installed.')
     }
   }
 }

package/libx/_runtime/hana/pool.js

@@ -1,7 +1,7 @@
 const cds = require('../cds')
 const LOG = cds.log('pool|db')
 
-const { pool } = require('@sap/cds-foss')
+const { pool } = cds.utils
 const hana = require('./driver')
 const getError = require('../common/error')
 

package/libx/_runtime/messaging/enterprise-messaging-utils/registerEndpoints.js

@@ -4,7 +4,7 @@ const express = require('express')
 const getTenantInfo = require('./getTenantInfo.js')
 const isSecured = () => cds.requires.auth && (cds.requires.auth.impl || cds.requires.auth.credentials)
 const _require = require('../../common/utils/require')
-const { UNAUTHORIZED } = require('../../auth/utils')
+const { ODATA_UNAUTHORIZED } = require('../../common/error/constants')
 
 const _isAll = a => a && a.includes('all')
 
@@ -34,7 +34,7 @@ class EndpointRegistry {
       paths.forEach(path => {
         cds.app.use(path, (req, res, next) => {
           // REVISIT: we should probably pass an error into next so that a (custom) error middleware can handle it
-          if (!req.user) res.status(401).json({ error: UNAUTHORIZED })
+          if (!req.user) res.status(401).json({ error: ODATA_UNAUTHORIZED })
           next()
         })
       })

package/libx/_runtime/messaging/outbox/utils.js

@@ -135,8 +135,7 @@ const processMessages = async (service, tenant, _opts = {}) => {
           if (!msg) continue
           const res = {
             process: () =>
-              Promise.resolve().then(async () => {
-                if (userId) cds.context = { user }
+              cds._context.run({ user, tenant }, async () => {
                 try {
                   return service._emitImmediate && (await service._emitImmediate(msg))
                 } catch (e) {

package/libx/_runtime/remote/Service.js

@@ -109,8 +109,9 @@ const _handleUnboundActionFunction = (srv, def, req, event) => {
       def &&
       def.returns &&
       (def.returns.type === 'cds.LargeBinary' || def.returns.type === 'cds.Binary')
+    const { headers, data } = req
 
-    return srv.send({ method: 'POST', path: `/${event}`, data: req.data, _binary: isBinary })
+    return srv.send({ method: 'POST', path: `/${event}`, headers, data, _binary: isBinary })
   }
 
   const url =
@@ -118,16 +119,17 @@ const _handleUnboundActionFunction = (srv, def, req, event) => {
   return srv.get(url)
 }
 
-const _sendV2RequestActionFunction = (srv, def, url) => {
+const _sendV2RequestActionFunction = (srv, def, req, url) => {
+  const { headers } = req
   return def.kind === 'function'
-    ? srv.send({ method: 'GET', path: url, _returnType: def.returns })
-    : srv.send({ method: 'POST', path: url, data: {}, _returnType: def.returns })
+    ? srv.send({ method: 'GET', path: url, headers, _returnType: def.returns })
+    : srv.send({ method: 'POST', path: url, headers, data: {}, _returnType: def.returns })
 }
 
 const _handleV2ActionFunction = (srv, def, req, event, kind) => {
   const url =
     Object.keys(req.data).length > 0 ? _buildPartialUrlFunctions(`/${event}`, req.data, def.params, kind) : `/${event}`
-  return _sendV2RequestActionFunction(srv, def, url)
+  return _sendV2RequestActionFunction(srv, def, req, url)
 }
 
 const _handleV2BoundActionFunction = (srv, def, req, event, kind) => {
@@ -147,7 +149,7 @@ const _handleV2BoundActionFunction = (srv, def, req, event, kind) => {
   }
 
   const url = `${`/${event}`}?${params.join('&')}`
-  return _sendV2RequestActionFunction(srv, def, url)
+  return _sendV2RequestActionFunction(srv, def, req, url)
 }
 
 const _addHandlerActionFunction = (srv, def, target) => {
@@ -262,6 +264,8 @@ class RemoteService extends cds.Service {
     }
 
     this.on('*', async (req, next) => {
+      const { query } = req
+      if (!query && !(typeof req.path === 'string')) return next()
       // early validation on first request for use case without remote API
       // ideally, that's done on bootstrap of the remote service
       if (typeof this.destination === 'object' && !this.destination.url)
@@ -269,9 +273,6 @@ class RemoteService extends cds.Service {
       if (this._resilienceMiddlewares && !this._resilienceMiddlewares.timeout)
         this._resilienceMiddlewares.timeout = cloudSdkResilience().timeout(this.requestTimeout)
 
-      const { query } = req
-      if (!query && !(typeof req.path === 'string')) return next()
-
       const resolvedTarget = resolvedTargetOfQuery(query) || getTransition(req.target, this).target
       const reqOptions = getReqOptions(req, query, this)
       reqOptions.headers = _setHeaders(reqOptions.headers, req)

package/libx/_runtime/remote/utils/client.js

@@ -416,7 +416,7 @@ const _stringToReqOptions = (query, data, target) => {
   const cleanQuery = query.trim()
   const blankIndex = cleanQuery.substring(0, 8).indexOf(' ')
   const reqOptions = {
-    method: cleanQuery.substring(0, blankIndex).toUpperCase(),
+    method: cleanQuery.substring(0, blankIndex).toUpperCase() || 'GET',
     url: encodeURI(formatPath(cleanQuery.substring(blankIndex, cleanQuery.length).trim()))
   }
 
@@ -427,12 +427,13 @@ const _stringToReqOptions = (query, data, target) => {
   return reqOptions
 }
 
-const _pathToReqOptions = (method, path, data, target) => {
+const _pathToReqOptions = (method, path, data, target, namespace) => {
   let url = path
   if (!url.startsWith('/')) {
     // extract entity name and instance identifier (either in "()" or after "/") from fully qualified path
     const parts = path.match(/([\w.]*)([\W.]*)(.*)/)
     if (!parts) url = '/' + path.match(/\w*$/)[0]
+    else if (url.startsWith(namespace)) url = '/' + parts[1].replace(namespace + '.', '') + parts[2] + parts[3]
     else url = '/' + parts[1].match(/\w*$/)[0] + parts[2] + parts[3]
 
     // normalize in case parts[2] already starts with /
@@ -459,7 +460,7 @@ const getReqOptions = (req, query, service) => {
       ? _cqnToReqOptions(query, service, req)
       : typeof query === 'string'
       ? _stringToReqOptions(query, req.data, req.target)
-      : _pathToReqOptions(req.method, req.path, req.data, req.target)
+      : _pathToReqOptions(req.method, req.path, req.data, req.target, service.namespace)
 
   if (service.kind === 'odata-v2' && req.event === 'READ' && reqOptions.url?.match(/(\/any\()|(\/all\()/)) {
     req.reject(501, 'Lambda expressions are not supported in OData v2')

package/libx/_runtime/sqlite/Service.js

@@ -98,10 +98,6 @@ module.exports = class SQLiteDatabase extends DatabaseService {
     }
   }
 
-  getDbUrl(tenant) {
-    return this.url4(tenant)
-  }
-
   url4(tenant) {
     const credentials = this.options.credentials || this.options || {}
     let dbUrl = credentials.database || credentials.url || credentials.host || ':memory:'

package/libx/_runtime/sqlite/customBuilder/CustomFunctionBuilder.js

@@ -87,7 +87,7 @@ class CustomFunctionBuilder extends FunctionBuilder {
   }
 
   _timeFunction(functionName, args) {
-    this._outputObj.sql.push('strftime(')
+    this._outputObj.sql.push('CAST(strftime(')
     this._outputObj.sql.push(dateTimeFunctions.get(functionName), ',')
     if (typeof args === 'string') {
       this._outputObj.sql.push(args, ')')
@@ -95,6 +95,7 @@ class CustomFunctionBuilder extends FunctionBuilder {
       this._addFunctionArgs(args)
       this._outputObj.sql.push(')')
     }
+    this._outputObj.sql.push(' as decimal)')
   }
 }
 

package/libx/odata/afterburner.js

@@ -30,6 +30,7 @@ const _addKeysDeep = (keys, keysCollector, ignoreManagedBacklinks) => {
 function _keysOf(entity, ignoreManagedBacklinks) {
   const keysCollector = []
   if (!entity || !entity.keys) return keysCollector
+
   _addKeysDeep(entity.keys, keysCollector, ignoreManagedBacklinks)
   return keysCollector
 }
@@ -174,15 +175,16 @@ function _convertVal(element, value) {
       throw new Error('Not a valid integer') // TODO
 
     case 'cds.String':
-    case 'cds.LargeString':
+    case 'cds.LargeString':      
+      return String(value)
+    case 'cds.Double':      
+      return parseFloat(value)
     case 'cds.Decimal':
     case 'cds.DecimalFloat':
-    case 'cds.Double':
     case 'cds.Int64':
     case 'cds.Integer64':
       if (typeof value === 'string') return value
       return String(value)
-
     case 'cds.Boolean':
       return typeof value === 'string' ? value === 'true' : value
 

package/libx/odata/cqn2odata.js

@@ -73,7 +73,7 @@ function hasValidProps(obj, ...names) {
   return true
 }
 
-function _args(args) {
+function _args(args, func) {
   const res = []
 
   for (const cur of args) {
@@ -83,11 +83,11 @@ function _args(args) {
     }
 
     if (hasValidProps(cur, 'func', 'args')) {
-      res.push(`${cur.func}(${_args(cur.args)})`)
+      res.push(`${cur.func}(${_args(cur.args, cur.func)})`)
     } else if (hasValidProps(cur, 'ref')) {
       res.push(_format(cur))
     } else if (hasValidProps(cur, 'val')) {
-      res.push(_format(cur))
+      res.push(_format(cur, null, null, null, null, func))
     }
   }
 
@@ -111,20 +111,20 @@ const _odataV2Func = (func, args) => {
       // this doesn't support the contains signature with two collections as args, introduced in odata v4.01
       return `substringof(${_args([args[1], args[0]])})`
     default:
-      return `${func}(${_args(args)})`
+      return `${func}(${_args(args, func)})`
   }
 }
 
-const _format = (cur, elementName, target, kind, isLambda) => {
+const _format = (cur, elementName, target, kind, isLambda, func) => {
   if (typeof cur !== 'object') return encodeURIComponent(formatVal(cur, elementName, target, kind))
   if (hasValidProps(cur, 'ref'))
     return encodeURIComponent(isLambda ? [LAMBDA_VARIABLE, ...cur.ref].join('/') : cur.ref[0].id || cur.ref.join('/'))
-  if (hasValidProps(cur, 'val')) return encodeURIComponent(formatVal(cur.val, elementName, target, kind))
+  if (hasValidProps(cur, 'val')) return encodeURIComponent(formatVal(cur.val, elementName, target, kind, func))
   if (hasValidProps(cur, 'xpr')) return `(${_xpr(cur.xpr, target, kind, isLambda)})`
   // REVISIT: How to detect the types for all functions?
   if (hasValidProps(cur, 'func')) {
     if (cur.args?.length) {
-      return kind === 'odata-v2' ? _odataV2Func(cur.func, cur.args) : `${cur.func}(${_args(cur.args)})`
+      return kind === 'odata-v2' ? _odataV2Func(cur.func, cur.args) : `${cur.func}(${_args(cur.args, cur.func)})`
     }
     return `${cur.func}()`
   }

package/libx/odata/utils.js

@@ -1,6 +1,8 @@
 const { toBase64url } = require('../_runtime/common/utils/binary')
 const cds = require('../_runtime/cds')
 
+const MATH_FUNC = {'round': 1, 'floor': 1, 'ceiling': 1}
+
 const getSafeNumber = str => {
   const n = Number(str)
   return Number.isSafeInteger(n) || String(n) === str ? n : str
@@ -48,11 +50,12 @@ const _getElement = (csnTarget, key) => {
   }
 }
 
-const formatVal = (val, elementName, csnTarget, kind) => {
+const formatVal = (val, elementName, csnTarget, kind, func) => {
   if (val === null || val === 'null') return 'null'
   if (typeof val === 'boolean') return val
   if (typeof val === 'number') return getSafeNumber(val)
   if (!csnTarget && typeof val === 'string' && UUID.test(val)) return kind === 'odata-v2' ? `guid'${val}'` : val
+  if (typeof val === 'string' && func in MATH_FUNC) return val
   const element = _getElement(csnTarget, elementName)
   if (kind === 'odata-v2') {
     switch (element.type) {

package/libx/rest/RestAdapter.js

@@ -17,9 +17,13 @@ const error = require('./middleware/error')
 const { alias2ref } = require('../_runtime/common/utils/csn')
 const { bufferToBase64 } = require('../_runtime/common/utils/binary')
 
+const { getAccessRestrictions } = require('../_runtime/common/utils/restrictions')
+
 const RestAdapter = function (srv) {
   alias2ref(srv) // REVISIT: that's an anti pattern in new prototocol adapter setups
 
+  const accessRestrictions = getAccessRestrictions(srv)
+
   const router = express.Router()
 
   // pass srv-related stuff to middlewares via req
@@ -64,24 +68,19 @@ const RestAdapter = function (srv) {
     // REVISIT: ensure there always is a user (should be the case with new middlewares -> remove with old middlewares)
     if (!req.user) req.user = new cds.User.default
 
-    // REVISIT: This is authorization enforcement which is protocol-independent -> should move to service layer
-    const requires = srv.definition?.['@requires']
-    if (requires) {
-      const ok = typeof requires === 'string' ? req.user.is(requires) : requires.some(r => req.user.is(r))
-      if (ok) return next()
-    } else {
-      return next() // neither of the above
-    }
-
-    // > unauthorized or forbidden?
-    if (req.user._is_anonymous) {
-      // NOTE: "return req._login()" would not invoke custom error handlers
-      if (req._login) res.set('WWW-Authenticate', `Basic realm="Users"`)
-      else if (req.user._challenges) res.set('WWW-Authenticate', req.user._challenges.join(';'))
-      throw cds.error('Unauthorized', { statusCode: 401, code: '401' })
-    } else {
+    // check @restrict and @requires as soon as possible (DoS)
+    if (!accessRestrictions.some(r => req.user.is(r))) {
+      // > unauthorized or forbidden?
+      if (req.user._is_anonymous) {
+        // NOTE: "return req._login()" would not invoke custom error handlers
+        if (req._login) res.set('WWW-Authenticate', `Basic realm="Users"`)
+        else if (req.user._challenges) res.set('WWW-Authenticate', req.user._challenges.join(';'))
+        throw cds.error('Unauthorized', { statusCode: 401, code: '401' })
+      }
       throw cds.error('Forbidden', { statusCode: 403, code: '403' })
     }
+
+    next()
   })
 
   // -----------------------------------------------------------------------------------------

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sap/cds",
-  "version": "7.1.2",
+  "version": "7.2.1",
   "description": "SAP Cloud Application Programming Model - CDS for Node.js",
   "homepage": "https://cap.cloud.sap/",
   "keywords": [

package/lib/auth/xsuaa-auth.js

@@ -1,2 +0,0 @@
-// REVISIT: "kind": "xsuaa-auth" does not work because cds.requires logic does not resolve it. Intentional?
-module.exports = require('./jwt-auth')

package/libx/_runtime/auth/utils.js

@@ -1,32 +0,0 @@
-const UNAUTHORIZED = { statusCode: 401, code: '401', message: 'Unauthorized' }
-const FORBIDDEN = { statusCode: 403, code: '403', message: 'Forbidden' }
-
-const getRequiresAsArray = definition => {
-  const requires = definition['@requires']
-  if (requires) return Array.isArray(requires) ? requires : [requires]
-}
-
-const isRestricted = srv => {
-  if (srv.definition['@requires']) return true
-
-  const entities = srv.entities
-  const entitiesKeys = Object.keys(entities)
-
-  return !!(
-    entitiesKeys.some(entity => entities[entity]['@requires'] || entities[entity]['@restrict']) ||
-    entitiesKeys.some(entity => {
-      const actions = entities[entity].actions
-      actions && Object.keys(actions).some(action => actions[action]['@requires'] || actions[action]['@restrict'])
-    }) ||
-    Object.keys(srv.operations).some(
-      operation => srv.operations[operation]['@requires'] || srv.operations[operation]['@restrict']
-    )
-  )
-}
-
-module.exports = {
-  UNAUTHORIZED,
-  FORBIDDEN,
-  getRequiresAsArray,
-  isRestricted
-}