@sap/cds 7.9.1 → 7.9.2

package/CHANGELOG.md

@@ -4,6 +4,16 @@
 - The format is based on [Keep a Changelog](http://keepachangelog.com/).
 - This project adheres to [Semantic Versioning](http://semver.org/).
 
+## Version 7.9.2 - 2024-05-22
+
+### Fixed
+
+- Server crash in case of certain errors in Cloud SDK
+- Bug in restriction of entities modeled as composition of aspects
+- `$search`: resolve an exception accessing `req.query.elements`
+- Ignore flattened associations in projection on remote entities
+- Falsy keys in `cds.ql` were ignored in usage like `SELECT.from(Books, 0)`
+
 ## Version 7.9.1 - 2024-05-13
 
 ### Fixed

package/lib/env/cds-requires.js

@@ -142,6 +142,7 @@ const _databases = {
   },
 
   "hana": {
+    '[legacy-hana]': { impl: `${_runtime}/hana/Service.js` },
     '[better-hana]': { impl: '@cap-js/hana' },
     impl: `${_runtime}/hana/Service.js`,
   },

package/lib/ql/DELETE.js

@@ -10,7 +10,7 @@ module.exports = class Query extends Whereable {
 
   from(entity, key) {
     this.DELETE.from = this._target4 (...arguments) // supporting tts
-    if (key) this.byKey(key)
+    if (key !== undefined) this.byKey(key)
     return this
   }
 

package/lib/ql/SELECT.js

@@ -76,7 +76,7 @@ module.exports = class Query extends Whereable {
 
   from (target, second, third) {
     this.SELECT.from = target === '*' || this._target_ref4 (...arguments)
-    if (!target.raw && second) {
+    if (!target.raw && second !== undefined) {
       if (third) {
         this.byKey(second)
         this.columns(third)

package/lib/ql/UPDATE.js

@@ -11,7 +11,7 @@ module.exports = class Query extends Whereable {
 
   entity (e, key) {
     this.UPDATE.entity = this._target4 (...arguments) // supporting tts
-    if (key) this.byKey(key)
+    if (key !== undefined) this.byKey(key)
     return this
   }
 

package/lib/ql/Whereable.js

@@ -41,7 +41,7 @@ class Query extends require('./Query') {
   }
 
   byKey(key) {
-    if (typeof key !== 'object') key = { [Object.keys(this._target.keys||{ID:1})[0]]: key }
+    if (typeof key !== 'object' || key === null) key = { [Object.keys(this._target.keys||{ID:1})[0]]: key }
     if (this.SELECT) this.SELECT.one = true
     if (cds.env.features.keys_into_where) return this.where(key)
     if (this.UPDATE) { this.UPDATE.entity = { ref: [{ id: cds.env.ql.quirks_mode ? this.UPDATE.entity : this.UPDATE.entity.ref.at(-1), where: predicate4([key]) }] }; return this }

package/libx/_runtime/common/generic/auth/index.js

@@ -9,6 +9,54 @@ const restrictHandler = require('./restrict')
 const restrictExpandHandler = require('./expand')
 
 module.exports = cds.service.impl(function authorization() {
+  // REVISIT: general approach to dependent auth:
+  //          add restrictions to auth-dependent entities as if modeled to allow static access during request processing
+  // // TODO: where to do?
+  // // add restrictions to auth-dependent entities
+  // const defs = this.model.definitions
+  // const deps = []
+  // for (const each of this.entities) {
+  //   for (const k in each.compositions) {
+  //     const c = each.compositions[k]
+  //     const ct = defs[c.target]
+  //     if (defs[ct?.elements.up_?.target] === each && !ct['@requires'] && !ct['@restrict']) {
+  //       deps.push(c.target)
+  //     }
+  //   }
+  // }
+  // for (const each of deps) {
+  //   const e = defs[each]
+  //   let rstr
+  //   let cur = defs[e.elements.up_.target]
+  //   while (cur && !rstr) {
+  //     rstr = cur['@requires'] || cur['@restrict']
+  //     cur = defs[cur.elements.up_?.target]
+  //   }
+  //   if (rstr) {
+  //     // TODO: normalize restriction to @restrict syntax
+  //     // TODO: add rewrite paths in instance-based auth
+  //     e['@restrict'] = rstr
+  //   }
+  // }
+
+  // mark entities that depend on ancestor for auth with that ancestor
+  const defs = this.model.definitions
+  for (const each of this.entities) {
+    for (const k in each.compositions) {
+      const c = each.compositions[k]
+      const ct = defs[c.target]
+      if (defs[ct?.elements.up_?.target] === each && !ct['@requires'] && !ct['@restrict']) {
+        let rstr
+        let cur = defs[ct.elements.up_.target]
+        while (!rstr && cur) {
+          if (cur['@requires'] || cur['@restrict']) rstr = cur
+          cur = defs[cur.elements.up_?.target]
+        }
+        if (rstr) Object.defineProperty(ct, '_auth_depends_on', { value: rstr })
+      }
+    }
+  }
+
   /*
    * @requires
    */

package/libx/_runtime/common/generic/auth/utils.js

@@ -140,9 +140,10 @@ const resolveUserAttrs = (restrict, req) => {
   return restrict
 }
 
-const _authDependsOnParent = (entity, annotations) => {
+const _authDependsOnAncestor = (entity, annotations) => {
   // @cds.autoexposed and not @cds.autoexpose -> not explicitly exposed by modeling
   return (
+    entity._auth_depends_on ||
     entity.name.match(/\.DraftAdministrativeData$/) ||
     (entity['@cds.autoexposed'] && !entity['@cds.autoexpose'] && !annotations.some(a => a in entity))
   )
@@ -159,7 +160,10 @@ const cqnFrom = req => {
 
 const getAuthRelevantEntity = (req, model, annotations) => {
   if (!req.target || !(req.event in CRUD_EVENTS)) return
-  if (!_authDependsOnParent(req.target, annotations)) return req.target
+
+  const it = _authDependsOnAncestor(req.target, annotations)
+  if (!it) return req.target
+  if (it?.kind === 'entity' && req.subject.ref?.length === 1) return it
 
   let cqn = cqnFrom(req)
 
@@ -188,7 +192,7 @@ const getAuthRelevantEntity = (req, model, annotations) => {
   let authRelevantEntity
   for (let i = segments.length - 1; i >= 0; i--) {
     const segment = segments[i]
-    if (segment.kind === 'entity' && !_authDependsOnParent(segment, annotations)) {
+    if (segment.kind === 'entity' && !_authDependsOnAncestor(segment, annotations)) {
       authRelevantEntity = segment
       break
     }

package/libx/_runtime/common/utils/resolveView.js

@@ -33,6 +33,9 @@ const _inverseTransition = transition => {
 
       const ref0 = value.ref[0]
       if (value.ref.length > 1) {
+        // ignore flattened columns like author.name
+        if (transition.target.elements[ref0].isAssociation) continue
+
         const nested = inverseTransition.mapping.get(ref0) || {}
         if (!nested.transition) nested.transition = { mapping: new Map() }
         let current = nested.transition.mapping

package/libx/_runtime/db/generic/rewrite.js

@@ -14,8 +14,13 @@ const _restoreLink = req => {
 function handler(req) {
   if (typeof req.query === 'string') return
 
-  // invoke req.subject before it gets modified
+  // invoke req.subject and req.query.elements before it gets modified
   req.subject
+  try {
+    req.query.elements
+  } catch {
+    // ignore potential errors (no x4 support in req.query.elements)
+  }
 
   if (!this.model) {
     // best-effort rewrite of path in from

package/libx/_runtime/db/utils/generateAliases.js

@@ -132,7 +132,7 @@ const _addAliasToElement = (expr, alias) => {
     return { ...expr, args }
   }
 
-  if (expr.SELECT && expr.SELECT.where) {
+  if (expr?.SELECT?.where) {
     // special case in lambda functions
     _addParentAlias(expr.SELECT.where, alias)
   }

package/libx/_runtime/remote/utils/client.js

@@ -205,8 +205,10 @@ const _getSanitizedError = (e, reqOptions, options = { suppressRemoteResponseBod
   }
 
   // AxiosError's toJSON() method doesn't include the request and response objects
-  e.toJSON = function () {
-    return { ...this.__proto__.toJSON(), request: this.request, response: this.response }
+  if (e.__proto__.toJSON) {
+    e.toJSON = function () {
+      return { ...this.__proto__.toJSON(), request: this.request, response: this.response }
+    }
   }
 
   return e

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sap/cds",
-  "version": "7.9.1",
+  "version": "7.9.2",
   "description": "SAP Cloud Application Programming Model - CDS for Node.js",
   "homepage": "https://cap.cloud.sap/",
   "keywords": [