@sap/cds 7.4.2 → 7.5.1

package/libx/_runtime/auth/index.js

@@ -10,9 +10,9 @@ let passport, logged
 // strategy initializers for lazy loading of dependencies
 const _initializers = {
   // REVISIT: support basic authentication?
-  basic: ({ credentials }) => {
+  basic: ({ credentials, users }) => {
     const BasicStrategy = require('./strategies/basic')
-    passport.use(new BasicStrategy(credentials))
+    passport.use(new BasicStrategy(credentials || users))
   },
   dummy: () => {
     const DummyStrategy = require('./strategies/dummy')
@@ -165,7 +165,7 @@ module.exports = (srv, options = srv.options) => {
   if (config.impl) {
     // mount custom authentication middleware
     _mountCustomAuth(srv, app, config)
-  } else if (config.kind === 'ias-auth') {
+  } else if (config.kind === 'ias' || config.kind === 'ias-auth') {
     // ias-auth follows the new implementation pattern for auth middlewares
     const iasAuth = require('./strategies/ias-auth')(config)
     if (iasAuth) app.use(iasAuth)
@@ -186,8 +186,7 @@ module.exports = (srv, options = srv.options) => {
 }
 
 const _strategy4 = config => {
-  const strategy = config.strategy ? config.strategy.toLowerCase() : config.kind.replace('-auth', '')
-  if (strategy === 'mocked') return 'mock'
+  const strategy = config.kind.replace('mocked', 'mock').replace(/-auth$/, '')
   if (strategy in _initializers) return strategy
   process.exitCode = 1 // REVISIT: why exitCode needed?
   throw new Error(`Authentication kind "${config.kind}" is not supported`)

package/libx/_runtime/auth/strategies/basic.js

@@ -8,8 +8,8 @@ const { BasicStrategy: BS } = _require('passport-http')
 class BasicStrategy extends BS {
   constructor(credentials) {
     super(function (user, password, done) {
-      if (credentials[user] === password) {
-        done(null, new cds.User({ id: user }))
+      if ((credentials[user]?.password || credentials[user]) === password) {
+        done(null, new cds.User({ id: user, roles: credentials[user].roles || [] }))
       } else {
         this.fail()
       }

package/libx/_runtime/cds-services/adapter/odata-v4/OData.js

@@ -29,6 +29,7 @@ const _action = require('./handlers/action')
 const { normalizeError, isClientError } = require('../../../common/error/frontend')
 const { getErrorMessage } = require('../../../common/error/utils')
 
+// eslint-disable-next-line complexity
 function _log(level, arg) {
   const { params } = arg
 
@@ -46,34 +47,43 @@ function _log(level, arg) {
   if (!obj.level) obj.level = arg.level
   if (!obj.timestamp) obj.timestamp = arg.timestamp
 
-  if (level === 'error') {
-    // reduce 4xx to warning
-    if (isClientError(obj)) {
-      if (!LOG._warn) {
-        return
-      }
-      level = 'warn'
-    }
-  }
-
   // replace messages in toLog with developer texts (i.e., undefined locale) (cf. req.reject() etc.)
   const _message = obj.message
+  const _code = obj.code
   const _details = obj.details
 
+  // REVISIT: the (ugly!) stuff re code is somewhat of a duplicate to what we do in normalizeError -> refactor with new adapters!
   obj.message = getErrorMessage(obj)
-  if (obj.details) {
+  if (_code) obj.code = obj.code.match?.(/^ASSERT_/) ? 400 : obj.code
+  if (_details) {
     const details = []
+    const codes = new Set()
     for (const d of obj.details) {
-      details.push(Object.assign({}, d, { message: getErrorMessage(d) }))
+      const entry = Object.assign({}, d, { message: getErrorMessage(d) })
+      if (!_code) {
+        const k = d.statusCode ? 'statusCode' : d.status ? 'status' : d.code ? 'code' : undefined
+        const v = d[k]?.match?.(/^ASSERT_/) ? 400 : d[k]
+        codes.add(v)
+        entry[k] = v
+      }
+      details.push(entry)
     }
     obj.details = details
+    if (!_code && codes.size === 1) {
+      const n = Number(codes.values().next().value)
+      if (!isNaN(n)) obj.code = n
+    }
   }
 
+  // reduce 4xx to warning
+  if (level === 'error') if (isClientError(obj)) level = 'warn'
+
   // log it
-  LOG[level](obj)
+  LOG[`_${level}`] && LOG[level](obj)
 
   // restore
   obj.message = _message
+  if (_code) obj.code = _code
   if (_details) obj.details = _details
 }
 

package/libx/_runtime/cds-services/adapter/odata-v4/ODataRequest.js

@@ -199,16 +199,11 @@ class ODataRequest extends cds.Request {
     const that = this
     Object.defineProperty(this._, 'shared', {
       get() {
-        if (!cds._deprecationWarningForShared) {
-          LOG._warn && LOG.warn('req._.shared is deprecated and will be removed.')
-          cds._deprecationWarningForShared = true
-        }
-
-        if (that.context) {
-          that._shared = that.context._shared = that.context._shared || { req, res }
-        } else {
-          that._shared = that._shared || { req, res }
-        }
+        cds._logDeprecation('req._.shared is deprecated and will be removed.')
+
+        if (that.context) that._shared = that.context._shared = that.context._shared || { req, res }
+        else that._shared = that._shared || { req, res }
+
         return that._shared
       }
     })
@@ -217,11 +212,7 @@ class ODataRequest extends cds.Request {
     const attr = { identityZone: this.tenant }
     Object.defineProperty(this, 'attr', {
       get() {
-        if (!cds._deprecationWarningForAttr) {
-          LOG._warn && LOG.warn('req.attr is deprecated and will be removed.')
-          cds._deprecationWarningForAttr = true
-        }
-
+        cds._logDeprecation('req.attr is deprecated and will be removed.')
         return attr
       }
     })

package/libx/_runtime/cds-services/adapter/odata-v4/handlers/update.js

@@ -14,8 +14,15 @@ const { hasOmitValuesPreference } = require('../utils/omitValues')
 
 const { getSapMessages } = require('../../../../common/error/frontend')
 
-const _isUpsertAllowed = target => {
-  return !(cds.env.runtime && cds.env.runtime.allow_upsert === false) && !(target && target._isDraftEnabled)
+const _isUpsertAllowed = req => {
+  return (
+    !(cds.env.runtime && cds.env.runtime.allow_upsert === false) &&
+    !(
+      req.target &&
+      req.target._isDraftEnabled &&
+      (!cds.env.fiori.lean_draft || (!req.data.IsActiveEntity && req.event === 'PATCH'))
+    )
+  )
 }
 
 const _infoForeignKeyInParent = (req, tx) => {
@@ -94,7 +101,7 @@ const _updateThenCreate = async (req, odataReq, odataRes, tx) => {
     result = await tx.dispatch(req)
   } catch (e) {
     const is404 = e.code === 404 || e.status === 404 || e.statusCode === 404
-    if (is404 && _isUpsertAllowed(req.target)) {
+    if (is404 && _isUpsertAllowed(req)) {
       // PUT/ PATCH with if-match header means "only if already exists", i.e., no insert if not
       if (req.headers['if-match'])
         throw Object.assign(new Error('412'), { statusCode: 412 })

package/libx/_runtime/cds-services/adapter/odata-v4/to.js

@@ -1,7 +1,8 @@
-const { alias2ref } = require('../../../common/utils/csn') // REVISIT: eliminate that
 const cds = require('../../../cds')
 const OData = require('./OData')
 
+const { alias2ref } = require('../../../common/utils/csn')
+
 /**
  * This is the express handler for a specific OData endpoint.
  * Note: the same service can be served at different endpoints.
@@ -13,7 +14,9 @@ module.exports = srv => {
 
 function OkraAdapter(srv, model = srv.model) {
   const edm = cds.compile.to.edm(model, { service: srv.definition?.name || srv.name })
-  alias2ref(srv, edm) // REVISIT: eliminate that -> done again and again -> search for _alias2ref
+
+  alias2ref(srv, edm)
+
   return new OData(edm, model, srv.options).addCDSServiceToChannel(srv)
 }
 

package/libx/_runtime/cds-services/adapter/odata-v4/utils/metaInfo.js

@@ -123,7 +123,8 @@ const _stringifyColumnsFromData = columns =>
     .map(key => `${key}(${_stringifyColumnsFromData(columns[key])})`)
     .join(',')
 
-const _listColumns = ({ columns, data, isUpsert, returnType, event, /* express */ _req, service }) => {
+const _listColumns = ({ columns, data, isUpsert, returnType, event, /* express */ _req, service, propertyName }) => {
+  if (columns.length === 1 && propertyName) return `/${propertyName}`
   // query options ($select, $expand, etc) as strings
   const queryOptions = _req.query
   let columnsStr

package/libx/_runtime/cds-services/services/utils/columns.js

@@ -114,15 +114,9 @@ const _getSearchableColumns = entity => {
   const defaultSearchFilteredColumns = searchableColumns.filter(column => column[defaultSearchElementTerm])
 
   if (defaultSearchFilteredColumns.length > 0) {
-    if (!cds._deprecationWarningForDefaultSearchElement) {
-      LOG._warn &&
-        LOG.warn(
-          'Annotation "@Search.defaultSearchElement" is deprecated and will be removed in an upcoming release. ' +
-            'Use "@cds.search" instead.'
-        )
-      cds._deprecationWarningForDefaultSearchElement = true
-    }
-
+    cds._logDeprecation(
+      'Annotation "@Search.defaultSearchElement" is deprecated and will be removed. Use "@cds.search" instead.'
+    )
     return defaultSearchFilteredColumns.map(column => column.name)
   }
 

package/libx/_runtime/cds.js

@@ -9,3 +9,16 @@ const { any, entity, Association } = cds.builtin.classes
 cds.extend(any).with(require('./common/aspects/any'))
 cds.extend(Association).with(require('./common/aspects/Association'))
 cds.extend(entity).with(require('./common/aspects/entity'))
+
+/**
+ * Logs a deprecation warning once per process
+ *
+ * @param {string} msg the deprecation warning to be logged
+ */
+cds._logDeprecation = function (msg) {
+  if (!cds._deprecations.has(msg)) {
+    cds._deprecations.add(msg)
+    cds.log().warn(msg)
+  }
+}
+Object.defineProperty(cds, '_deprecations', { value: new Set() })

package/libx/_runtime/common/composition/data.js

@@ -118,6 +118,9 @@ const _parentKey = (element, key) => {
 const _findWhere = (data, where) => {
   return data.filter(entry => {
     return Object.keys(where).every(key => {
+      if (Buffer.isBuffer(entry[key]) && Buffer.isBuffer(where[key])) {
+        return Buffer.compare(entry[key], where[key]) === 0
+      }
       return where[key] === entry[key]
     })
   })

package/libx/_runtime/common/composition/delete.js

@@ -137,7 +137,7 @@ function _getStaticWhere(allBackLinks, entity1) {
 
 const _addToCQNs = (cqns, subCQN, element, model, level) => {
   // REVISIT:
-  // The compiler generates foreign-key constraints (if features.assert_integrity_type = 'DB')
+  // The compiler generates foreign-key constraints (if features.assert_integrity === 'db')
   // and enables DELETE CASCADE. For these cases, the runtime doesn't need to delete compositions
   // manually, it's done by the database itself.
   // However, there are cases (unmanaged compositions), where this doesn't happen.

package/libx/_runtime/common/error/frontend.js

@@ -38,7 +38,7 @@ const _getFiltered = err => {
   return error
 }
 
-const _rewriteDBError = error => {
+const _rewriteError = error => {
   let { code, message } = error
   code = String(code || 'null')
 
@@ -66,7 +66,7 @@ const _rewriteDBError = error => {
 
 const _normalize = (err, locale, formatterFn = _getFiltered) => {
   // REVISIT: code and message rewriting
-  _rewriteDBError(err)
+  _rewriteError(err)
 
   // message (i18n)
   err.message = getErrorMessage(err, locale)

package/libx/_runtime/common/generic/auth/readOnly.js

@@ -16,7 +16,7 @@ function handler(req) {
 
   // @read-only
   let entity = getAuthRelevantEntity(req, this.model, ['@readonly'])
-  if (cds.env.fiori.lean_draft && (req.event === 'NEW' || req.event === 'UPDATE')) entity = entity?.actives
+  if (cds.env.fiori.lean_draft) entity = entity?.actives || entity
 
   if (!entity || !entity['@readonly']) return
   if (entity['@readonly'] && req.event in WRITE_EVENTS) req.reject(405, 'ENTITY_IS_READ_ONLY', [entity.name])

package/libx/_runtime/common/generic/auth/restrictions.js

@@ -69,7 +69,7 @@ const _addNormalizedRestrictPerGrant = (grant, where, restrict, restricts, defin
 
 const _addNormalizedRestrict = (restrict, restricts, definition) => {
   const where = restrict.where
-    ? restrict.where.replace(/\$user/g, '$user.id').replace(/\$user\.id\./g, '$user.')
+    ? (restrict.where['='] || restrict.where).replace(/\$user/g, '$user.id').replace(/\$user\.id\./g, '$user.')
     : undefined
 
   restrict.grant = Array.isArray(restrict.grant) ? restrict.grant : [restrict.grant || '*']

package/libx/_runtime/common/generic/sorting.js

@@ -1,5 +1,4 @@
 const cds = require('../../cds')
-const LOG = cds.log('app')
 const { getAllKeys } = require('../../cds-services/adapter/odata-v4/odata-to-cqn/utils')
 const { DRAFT_COLUMNS_MAP } = require('../../common/constants/draft')
 
@@ -7,10 +6,10 @@ const _getStaticOrders = req => {
   const { target: entity, query } = req
   const defaultOrders = entity['@cds.default.order'] || entity['@odata.default.order'] || []
 
-  if (!cds._deprecationWarningForDefaultSort && defaultOrders.length > 0) {
-    LOG._warn &&
-      LOG.warn('Annotations "@cds.default.order" and "@odata.default.order" are deprecated and will be removed.')
-    cds._deprecationWarningForDefaultSort = true
+  if (defaultOrders.length > 0) {
+    cds._logDeprecation(
+      'Annotations "@cds.default.order" and "@odata.default.order" are deprecated and will be removed.'
+    )
   }
 
   const ordersFromKeys = []

package/libx/_runtime/common/utils/csn.js

@@ -1,4 +1,5 @@
 const cds = require('../../cds')
+
 const resolveStructured = require('../../common/utils/resolveStructured')
 
 const getEtagElement = entity => {
@@ -91,7 +92,8 @@ const _initializeCache = (model, namespace) => {
 }
 
 const findCsnTargetFor = (edmName, model, namespace) => {
-  const cache = model._edmToCSNNameMap || (model._edmToCSNNameMap = {})
+  const cache =
+    model._edmToCSNNameMap || Object.defineProperty(model, '_edmToCSNNameMap', { value: {} })._edmToCSNNameMap
   const edm2csnMap = cache[namespace] || (cache[namespace] = _initializeCache(model, namespace))
 
   if (edm2csnMap[edmName]) return edm2csnMap[edmName]
@@ -133,12 +135,6 @@ const _setAlias2ref = entity => {
   return entity
 }
 
-function _alias2RefRest(service) {
-  for (const each of service.entities) {
-    _setAlias2ref(each)
-  }
-}
-
 const prefixForStruct = element => {
   const prefixes = []
   let parent = element.parent
@@ -149,19 +145,28 @@ const prefixForStruct = element => {
   return prefixes.length ? prefixes.reverse().join('_') + '_' : ''
 }
 
+/*
+ * REVISIT:
+ * - which scenarios require this?
+ * - does it still work when serving multiple protocols?
+ * - can we cache it?
+ */
 function alias2ref(service, edm) {
   if (!edm) {
-    return _alias2RefRest(service)
-  }
-  const defs = edm[service.definition.name]
-  for (const each of service.entities) {
-    const def = defs[each.name.replace(service.definition.name + '.', '').replace(/\./g, '_')]
-    if (!def || !def.$Key || def.$Key.every(ele => typeof ele === 'string')) continue
-    each._alias2ref = Object.defineProperty({}, '__2alias', { value: {}, configurable: true })
-    for (const mapping of def.$Key.filter(ele => typeof ele !== 'string')) {
-      for (const [key, value] of Object.entries(mapping)) {
-        each._alias2ref[key] = value.split('/')
-        each._alias2ref.__2alias[value] = key
+    // REST
+    for (const each of service.entities) _setAlias2ref(each)
+  } else {
+    // OData
+    const defs = edm[service.definition.name]
+    for (const each of service.entities) {
+      const def = defs[each.name.replace(service.definition.name + '.', '').replace(/\./g, '_')]
+      if (!def || !def.$Key || def.$Key.every(ele => typeof ele === 'string')) continue
+      each._alias2ref = Object.defineProperty({}, '__2alias', { value: {}, configurable: true })
+      for (const mapping of def.$Key.filter(ele => typeof ele !== 'string')) {
+        for (const [key, value] of Object.entries(mapping)) {
+          each._alias2ref[key] = value.split('/')
+          each._alias2ref.__2alias[value] = key
+        }
       }
     }
   }

package/libx/_runtime/common/utils/restrictions.js

@@ -1,5 +1,6 @@
 const cds = require('../../cds')
 
+// REVISIT: This is a perfect example of the expensive-check-before-doing anti pattern
 const containsAnyRestrictions = srv => {
   const accessRestrictions = getAccessRestrictions(srv)
   if (accessRestrictions.length > 1 || accessRestrictions[0] !== 'any') return true
@@ -22,23 +23,13 @@ const containsAnyRestrictions = srv => {
 const getAccessRestrictions = srv => {
   let restrictions = srv.definition['@restrict'] || srv.definition['@requires']
   if (restrictions) {
-    if (typeof restrictions === 'string') restrictions = [restrictions]
-    else
-      restrictions = restrictions
-        .map(r => (typeof r === 'string' ? r : r.to))
-        .reduce((acc, cur) => {
-          Array.isArray(cur) ? acc.push(...cur) : acc.push(cur)
-          return acc
-        }, [])
+    if (typeof restrictions === 'string') return [restrictions]
+    return restrictions.map(r => r.to || r).flat()
   } else {
-    const { restrict_all_services } = cds.env.requires.auth
-    const in_prod = process.env.NODE_ENV === 'production'
-    // REVISIT: cleanup during streamlined auth
-    const is_mocked_auth = cds.env.requires.auth._kind === 'mocked'
-    if (restrict_all_services === false || !in_prod || is_mocked_auth) restrictions = ['any']
-    else restrictions = ['authenticated-user']
+    if (cds.env.requires.auth.restrict_all_services === false) return ['any']
+    if (process.env.NODE_ENV !== 'production') return ['any']
+    return ['authenticated-user']
   }
-  return restrictions
 }
 
 module.exports = {

package/libx/_runtime/db/generic/input.js

@@ -31,7 +31,8 @@ const _processComplexCategory = ({ row, key, val, category, req, element }) => {
 
   // propagate keys
   if (category === 'propagateForeignKeys') {
-    propagateForeignKeys(key, row, element._foreignKeys, element.isComposition, { deleteAssocs: true })
+    if (req.event !== 'UPSERT')
+      propagateForeignKeys(key, row, element._foreignKeys, element.isComposition, { deleteAssocs: true })
     return
   }
 
@@ -175,7 +176,7 @@ const _pickDraft = element => {
     return { categories } // > no need to continue
   }
 
-  if (element.default && !DRAFT_COLUMNS_MAP[element.name]) {
+  if (element.default && !DRAFT_COLUMNS_MAP[element.name] && !element.isAssociation) {
     categories.push({ category: 'default', args: element })
   }
 

package/libx/_runtime/fiori/generic/readOverDraft.js

@@ -73,7 +73,7 @@ const _shouldReadOverDraft = (req, definitions) => {
 
   // for $expand requests, read over the draft if the navigation target is non-draft-enabled
   // REVISIT: this is an interim workaround to be removed
-  if (!req.target._isDraftEnabled && SELECT.columns && SELECT.columns.some(column => column.expand)) return true
+  if (!req.target._isDraftEnabled && SELECT.columns?.some(column => column.expand)) return true
 
   // read over the draft only for navigation scenarios
   if (fromRef.length === 1) return false
@@ -90,10 +90,7 @@ const _shouldReadOverDraft = (req, definitions) => {
   if (isActiveEntityRequested(firstFromRef.where)) return false
 
   const pathSegments = fromRef.map(path => (typeof path === 'string' ? path : path.id))
-  const excludeAssoc = assoc => {
-    if (assoc.name === 'DraftAdministrativeData' || assoc.name === 'SiblingEntity') return true
-    return false
-  }
+  const excludeAssoc = assoc => assoc.name === 'DraftAdministrativeData' || assoc.name === 'SiblingEntity'
 
   // Read over the draft only if:
   // - the navigation target is an association and

package/libx/_runtime/fiori/lean-draft.js

@@ -203,7 +203,43 @@ cds.ApplicationService.prototype.handle = async function (req) {
   }
 
   if (req.event === 'NEW' || req.event === 'CANCEL' || req.event === 'draftPrepare') {
-    if (draftParams.IsActiveEntity) req.reject(501)
+    if (draftParams.IsActiveEntity && !cds.env.fiori.bypass_draft) req.reject(501)
+    if (req.data.IsActiveEntity === true && cds.env.fiori.bypass_draft) {
+      const containsDraftRoot =
+        this.model.entities[query.INSERT.into?.ref?.[0]?.id || query.INSERT.into?.ref?.[0] || query.INSERT.into][
+          '@Common.DraftRoot.ActivationAction'
+        ]
+
+      if (!containsDraftRoot) req.reject(403, 'DRAFT_MODIFICATION_ONLY_VIA_ROOT')
+
+      const isDirectAccess = typeof req.query.INSERT.into === 'string' || req.query.INSERT.into.ref?.length === 1
+      const data = Object.assign({}, req.data) // IsActiveEntity is not enumerable
+      const draftsRootRef =
+        typeof query.INSERT.into === 'string'
+          ? [req.target.drafts.name]
+          : _redirectRefToDrafts([query.INSERT.into.ref[0]], this.model)
+      let rootHasDraft
+
+      // children: check root entity has no draft
+      if (!isDirectAccess) {
+        rootHasDraft = await SELECT.one([1]).from({ ref: draftsRootRef })
+      }
+
+      // direct access and req.data contains keys: check if root has no draft with that keys
+      if (isDirectAccess && entity_keys(query._target).every(k => k in data)) {
+        const keyData = entity_keys(query._target).reduce((res, k) => {
+          res[k] = req.data[k]
+          return res
+        }, {})
+        rootHasDraft = await SELECT.one([1]).from({ ref: draftsRootRef }).where(keyData)
+      }
+
+      if (rootHasDraft) req.reject(409, 'DRAFT_ALREADY_EXISTS')
+
+      const cqn = INSERT.into(query.INSERT.into).entries(data)
+      await run(cqn, { event: 'CREATE' })
+      return { ...data, IsActiveEntity: true }
+    }
     req.target = req.target.drafts
 
     if (query.INSERT?.into) {
@@ -244,13 +280,16 @@ cds.ApplicationService.prototype.handle = async function (req) {
 
   if (req.event === 'draftActivate') {
     LOG.debug('activate draft')
+
     // It would be great if we'd have a SELECT ** to deeply expand the entity (along compositions), that should
     // be implemented in expand implementation.
     if (req.query.SELECT.from.ref.length > 1 || draftParams.IsActiveEntity !== false) {
       req.reject(400, 'Action "draftActivate" can only be called on the root draft entity')
     }
+
     const targetDraft = req.target.drafts
     const cols = expandStarStar(targetDraft)
+
     // Use `run` (since also etags might need to be checked)
     // REVISIT: Find a better approach (`etag` as part of CQN?)
     const draftRef = _redirectRefToDrafts(query.SELECT.from.ref, this.model)
@@ -265,13 +304,15 @@ cds.ApplicationService.prototype.handle = async function (req) {
         ])
     )
     if (!res) req.reject(_etagValidationType ? 412 : { code: 'DRAFT_NOT_EXISTING', status: 404 })
-    if (res.DraftAdministrativeData?.InProcessByUser !== cds.context.user.id)
+    if (res.DraftAdministrativeData?.InProcessByUser !== cds.context.user.id) {
       req.reject(403, 'DRAFT_LOCKED_BY_ANOTHER_USER', [res.DraftAdministrativeData?.InProcessByUser])
+    }
     const DraftAdministrativeData_DraftUUID = res.DraftAdministrativeData_DraftUUID
     delete res.DraftAdministrativeData_DraftUUID
     delete res.DraftAdministrativeData
     const HasActiveEntity = res.HasActiveEntity
     delete res.HasActiveEntity
+
     // First run the handlers as they might need access to DraftAdministrativeData or the draft entities
     const result = await run(
       HasActiveEntity
@@ -299,6 +340,7 @@ cds.ApplicationService.prototype.handle = async function (req) {
     columns.push({ ref: ['DraftAdministrativeData'], expand: [{ ref: ['InProcessByUser'] }] })
     rootQuery.SELECT.columns = columns
     rootQuery.SELECT.one = true
+    rootQuery.SELECT.from = { ref: [query.SELECT.from.ref[0]] }
     const root = await cds.run(rootQuery)
     if (!root) req.reject(404)
     if (root.DraftAdministrativeData?.InProcessByUser !== cds.context.user.id) req.reject(403)
@@ -308,7 +350,8 @@ cds.ApplicationService.prototype.handle = async function (req) {
   }
 
   if (req.event === 'PATCH') {
-    if (draftParams.IsActiveEntity || !('IsActiveEntity' in draftParams)) req.reject(501)
+    if (!('IsActiveEntity' in draftParams)) req.reject(501)
+
     if (draftParams.IsActiveEntity === false) {
       LOG.debug('patch draft')
       if (req.target?.name.endsWith('DraftAdministrativeData')) req.reject(405)
@@ -334,6 +377,28 @@ cds.ApplicationService.prototype.handle = async function (req) {
       req.data.IsActiveEntity = false
       return req.data
     }
+
+    LOG.debug('patch active')
+
+    if (!cds.env.fiori.bypass_draft) {
+      const msg =
+        !cds.profiles?.includes('production') &&
+        '`cds.env.fiori.bypass_draft` must be enabled to support updating active instances.'
+      return req.reject(403, msg)
+    }
+
+    const entityRef = query.UPDATE.entity.ref
+
+    if (!this.model.entities[entityRef[0].id]['@Common.DraftRoot.ActivationAction']) {
+      req.reject(403, 'DRAFT_MODIFICATION_ONLY_VIA_ROOT')
+    }
+
+    const draftsRef = _redirectRefToDrafts(entityRef, this.model)
+    const hasDraft = !!(await SELECT.one([1]).from({ ref: [draftsRef[0]] }))
+    if (hasDraft) req.reject(409, 'DRAFT_ALREADY_EXISTS')
+
+    await run(query)
+    return req.data
   }
 
   if (req.event === 'STREAM' && draftParams.IsActiveEntity === false) {
@@ -345,7 +410,6 @@ cds.ApplicationService.prototype.handle = async function (req) {
   }
 
   req.query = query
-
   return handle(req)
 }
 
@@ -1132,7 +1196,7 @@ async function onCancel(req) {
     if (processByUser && processByUser !== cds.context.user.id)
       req.reject(403, 'DRAFT_LOCKED_BY_ANOTHER_USER', [processByUser])
   }
-  const queries = !draft ? [] : [this.run(DELETE.from({ ref: req.query.DELETE.from.ref }))]
+  const queries = !draft ? [] : [this.run(DELETE.from({ ref: req.query.DELETE.from.ref }), req.data)]
   if (draft && req.target['@Common.DraftRoot.ActivationAction'])
     // only for draft root
     queries.push(

package/libx/_runtime/hana/Service.js

@@ -94,7 +94,7 @@ class HanaDatabase extends DatabaseService {
   }
 
   _registerBeforeHandlers() {
-    this.before(['CREATE', 'UPDATE'], '*', this._input) // > has to run before rewrite
+    this.before(['CREATE', 'UPDATE', 'UPSERT'], '*', this._input) // > has to run before rewrite
     this.before('READ', '*', search) // > has to run before rewrite
     this.before(['CREATE', 'READ', 'UPDATE', 'DELETE', 'UPSERT'], '*', this._rewrite)
 

package/libx/_runtime/messaging/AMQPWebhookMessaging.js

@@ -39,7 +39,7 @@ class AMQPWebhookMessaging extends MessagingService {
   }
 
   startListening(opt = {}) {
-    if (!this._listenToAll && !this.subscribedTopics.size) return
+    if (!this._listenToAll.value && !this.subscribedTopics.size) return
     if (!opt.doNotDeploy) {
       const management = this.getManagement()
       this.queued(management.createQueueAndSubscriptions.bind(management))()

package/libx/_runtime/messaging/Outbox.js

@@ -1,15 +1,10 @@
 const cds = require('../cds')
-const LOG = cds.log()
-
-let logged
 
 module.exports = class Outbox extends cds.Service {
   constructor(...args) {
-    if (!logged && LOG._warn) {
-      // prettier-ignore
-      LOG.warn('Internal class `OutboxService` is deprecated and will be removed. Services are outboxable via config or `cds.outboxed()`.')
-      logged = true
-    }
+    cds._logDeprecation(
+      'Internal class `OutboxService` is deprecated and will be removed. Services are outboxable via config or `cds.outboxed()`.'
+    )
 
     super(...args)