@sap/cds 7.9.4 → 8.0.4

package/libx/_runtime/common/composition/update.js

@@ -6,7 +6,7 @@ const { getDeepInsertCQNs } = require('./insert')
 const { getDeepDeleteCQNs } = require('./delete')
 const ctUtils = require('./utils')
 const { ensureNoDraftsSuffix } = require('../utils/draft')
-const { deepCopyObject } = require('../utils/copy')
+const { deepCopy } = require('../utils/copy')
 const getError = require('../../common/error')
 const { getEntityNameFromUpdateCQN } = require('../utils/cqn')
 
@@ -310,8 +310,8 @@ const getDeepUpdateCQNs = async (model, req, selectData) => {
   const from = getEntityNameFromUpdateCQN(query)
   const entityName = ensureNoDraftsSuffix(from)
   const draft = entityName !== from
-  const data = query.UPDATE.data ? deepCopyObject(query.UPDATE.data) : {}
-  const withObj = query.UPDATE.with ? deepCopyObject(query.UPDATE.with) : {}
+  const data = query.UPDATE.data ? deepCopy(query.UPDATE.data) : {}
+  const withObj = query.UPDATE.with ? deepCopy(query.UPDATE.with) : {}
   const entity = model.definitions[entityName]
   const entry = Object.assign({}, data, withObj, ctUtils.key(entity, selectData[0]))
   const compositionTree = getCompositionTree({

package/libx/_runtime/common/error/frontend.js

@@ -1,3 +1,4 @@
+// REVISIT: Requires thorough cleanup and refactoring, or elimination
 /*
  * OData spec:
  *   This object MUST contain name/value pairs with the names code and message,
@@ -24,17 +25,15 @@ const ADDITIONAL_MSG_PROPERTIES = Object.keys(ADDITIONAL_MSG_PROPERTIES_MAP)
 
 const _getFiltered = err => {
   const error = {}
-
-  Object.keys(err)
-    .concat(['message'])
-    .forEach(k => {
-      if (k in ALLOWED_PROPERTIES_MAP || k.startsWith('@')) {
-        error[k] = err[k]
-      } else if (k === 'numericSeverity') {
-        error['@Common.numericSeverity'] = err[k]
-      }
-    })
-
+  for (let k in err) {
+    // IMPORTANT: do not use Object.keys(err) here as that ignores enumerable properties from __proto__!
+    if (k in ALLOWED_PROPERTIES_MAP || k.startsWith('@')) {
+      error[k] = err[k]
+    } else if (k === 'numericSeverity') {
+      error['@Common.numericSeverity'] = err[k]
+    }
+  }
+  if ('message' in err) error.message = err.message
   return error
 }
 
@@ -173,8 +172,18 @@ const isClientError = e => {
   return numericCode >= 400 && numericCode < 500
 }
 
+const unwrapMultipleErrors = error => {
+  // According to the Fiori Elements Failed Message specification, the format must be:
+  // Root level: First error, Details: Other errors
+  const [firstDetail, ...restDetails] = error.details
+  Object.assign(error, firstDetail)
+  if (restDetails.length) error.details = restDetails
+  else delete error.details
+}
+
 module.exports = {
   normalizeError,
   getSapMessages,
-  isClientError
+  isClientError,
+  unwrapMultipleErrors
 }

package/libx/_runtime/common/error/log.js

@@ -0,0 +1,36 @@
+// REVISIT: I think we can remove this file. Log output doesn't need localization.
+const cds = require('../../cds')
+const LOG = cds.log()
+
+let _i18n
+const i18n = (...args) => {
+  if (!_i18n) _i18n = require('../i18n')
+  return _i18n(...args)
+}
+
+const { isClientError } = require('./frontend')
+
+module.exports = err => {
+  // REVISIT: how does level behave compared to _log in (legacy) odata adapter?
+  const level = isClientError(err) ? 'warn' : 'error'
+  if ((level === 'warn' && !LOG._warn) || (level === 'error' && !LOG._error)) return
+
+  // replace messages in toLog with developer texts (i.e., undefined locale)
+  const _message = err.message
+  const _details = err.details
+  err.message = i18n(err.message || err.code, undefined, err.args) || err.message
+  if (err.details) {
+    const details = []
+    for (const d of err.details) {
+      details.push(Object.assign({}, d, { message: i18n(d.message || d.code, undefined, d.args) || d.message }))
+    }
+    err.details = details
+  }
+
+  // log it
+  LOG[level](err)
+
+  // restore
+  err.message = _message
+  if (_details) err.details = _details
+}

package/libx/_runtime/common/error/utils.js

@@ -12,11 +12,8 @@ const i18n = (...args) => {
  * @returns localized error message
  */
 function getErrorMessage(error, locale) {
-  return (
-    i18n(error.message || error.code || error.status || error.statusCode, locale, error.args) ||
-    error.message ||
-    `${error.code || error.status || error.statusCode}`
-  )
+  const txt = i18n(error.message || error.code || error.status || error.statusCode, locale, error.args)
+  return txt || error.message || String(error.code || error.status || error.statusCode)
 }
 
 module.exports = {

package/libx/_runtime/common/generic/auth/autoexpose.js

@@ -1,25 +1,26 @@
 const cds = require('../../../../../lib')
 
 function noah_handler(req) {
-  const target = req.target
-  if (!target) return
-
-  // direct changes to draft administrative data is forbidden
-  if (target.name.match(/\.DraftAdministrativeData$/) && req.event !== 'READ') {
-    req.reject(405, 'ENTITY_IS_AUTOEXPOSE_READONLY', [target.name])
+  if (!req.subject) return
+  const root = this.model.definitions[req.subject.ref[0].id || req.subject.ref[0]]
+  if (!root) return
+
+  /*
+   * For auto-exposed Compositions all direct CRUD requests are rejected in non-draft case.
+   * For other auto-exposed entities in non-draft case only C_UD are rejected. Direct READ is allowed.
+   * Draft case is an exception. Direct requests are allowed.
+   */
+  if (!root._isDraftEnabled && root['@cds.autoexposed']) {
+    if (root['@cds.autoexpose']) {
+      if (req.event === 'READ') return //> allow read for value help requests
+      req.reject(405, 'ENTITY_IS_AUTOEXPOSE_READONLY', [root.name])
+    }
+    req.reject(405, 'ENTITY_IS_AUTOEXPOSED', [root.name])
   }
-
-  // if draft enabled, allow direct access
-  if (target._isDraftEnabled || !target['@cds.autoexposed']) return
-
-  if (target['@cds.autoexpose']) {
-    if (req.event === 'READ') return //> allow read for value help requests
-    req.reject(405, 'ENTITY_IS_AUTOEXPOSE_READONLY', [target.name])
+  const isAutoexposed = _isAutoexposed(req.target)
+  if (isAutoexposed && req.event !== 'READ') {
+    req.reject(405, 'ENTITY_IS_AUTOEXPOSE_READONLY', [req.target.name])
   }
-
-  // here, we are autoexposed (i.e., a composition)
-  // -> reject all direct changes (i.e., only via navigation is allowed)
-  if (req.subject?.ref.length === 1) req.reject(405, 'ENTITY_IS_AUTOEXPOSED', [target.name])
 }
 
 const _isAutoexposed = entity => {

package/libx/_runtime/common/generic/auth/expand.js

@@ -2,7 +2,7 @@ const cds = require('../../../cds')
 
 const { rewriteExpandAsterisk } = require('../../utils/rewriteAsterisks')
 
-const { ensureNoDraftsSuffix } = require('../../../fiori/utils/handler')
+const { ensureNoDraftsSuffix } = require('../../utils/draft')
 
 const _getTarget = (ref, target, definitions) => {
   if (cds.env.effective.odata.proxies) {

package/libx/_runtime/common/generic/auth/readOnly.js

@@ -1,11 +1,10 @@
-const cds = require('../../../cds')
 const { getAuthRelevantEntity } = require('./utils')
 const { WRITE_EVENTS } = require('./constants')
 
 function handler(req) {
   // @read-only
   let entity = getAuthRelevantEntity(req, this.model, ['@readonly'])
-  if (cds.env.fiori.lean_draft) entity = entity?.actives || entity
+  entity = entity?.actives || entity
 
   if (!entity || !entity['@readonly']) return
   if (entity['@readonly'] && req.event in WRITE_EVENTS) req.reject(405, 'ENTITY_IS_READ_ONLY', [entity.name])

package/libx/_runtime/common/generic/auth/restrict.js

@@ -6,32 +6,32 @@ const { getNormalizedPlainRestrictions } = require('./restrictions')
 
 const { cqn2cqn4sql } = require('../../utils/cqn2cqn4sql')
 
-const { isActiveEntityRequested, removeIsActiveEntityRecursively } = require('../../../fiori/utils/where')
-
 const _getResolvedApplicables = (applicables, req) => {
   const resolvedApplicables = []
 
   // REVISIT: the static portion of "mixed wheres" could already grant access -> optimization potential
   for (const restrict of applicables) {
-    // replace $user.x with respective values
-    const resolved = resolveUserAttrs({ grant: restrict.grant, target: restrict.target, where: restrict.where }, req)
-
-    // check for duplicates
-    if (
-      !resolvedApplicables.find(
-        restrict =>
-          resolved.grant === restrict.grant &&
-          (!resolved.target || resolved.target === restrict.target) &&
-          (!resolved.where || resolved.where === restrict.where)
-      )
-    ) {
-      if (resolved.where) {
-        resolved._xpr = cds.parse.expr(resolved.where).xpr
-        if (!resolved._xpr)
-          req.reject(400, `Exists predicate is missing in the association path "${resolved.where}" in @restrict.where`)
+    let resolved
+    if (restrict.where) {
+      let xpr
+      if (typeof restrict.where === 'string') {
+        xpr = cds.parse.expr(restrict.where).xpr
+        if (!xpr)
+          req.reject(400, `Exists predicate is missing in the association path "${restrict.where}" in @restrict.where`)
+      } else {
+        xpr = JSON.parse(JSON.stringify(restrict.where))
+      }
+
+      resolved = {
+        grant: restrict.grant,
+        target: restrict.target,
+        where: restrict.where,
+        // replace $user.x with respective values
+        _xpr: resolveUserAttrs(xpr, req)
       }
-      resolvedApplicables.push(resolved)
     }
+
+    resolvedApplicables.push(resolved || restrict)
   }
 
   return resolvedApplicables
@@ -140,11 +140,6 @@ const _getRestrictionForTarget = (resolvedApplicables, target) => {
 }
 
 const _addRestrictionsToRead = async (req, model, resolvedApplicables) => {
-  if (!cds.env.fiori.lean_draft && req.target._isDraftEnabled) {
-    req.query._draftRestrictions = resolvedApplicables
-    return
-  }
-
   // in case of $apply take a query from sub SELECT
   let query = req.query
   while (query.SELECT.from.SELECT) {
@@ -159,17 +154,6 @@ const _addRestrictionsToRead = async (req, model, resolvedApplicables) => {
   query.where(restrictionForTarget)
 }
 
-const _getFromWithIsActiveEntityRemoved = from => {
-  if (!from.ref) return from
-  for (const element of from.ref) {
-    if (element.where && isActiveEntityRequested(element.where)) {
-      element.where = removeIsActiveEntityRecursively(element.where)
-    }
-  }
-
-  return from
-}
-
 const _getUnrestrictedCount = async req => {
   const dbtx = cds.tx(req)
   const target =
@@ -208,8 +192,7 @@ const _getRestrictedCount = async (req, model, resolvedApplicables) => {
   return n
 }
 
-// eslint-disable-next-line complexity
-async function handler(req) {
+async function check_roles(req) {
   if (req.user._is_privileged || DRAFT_EVENTS[req.event]) {
     // > skip checks (events in DRAFT_EVENTS are checked in draft handlers via InProcessByUser)
     return
@@ -265,15 +248,13 @@ async function handler(req) {
   // no modification -> nothing more to do
   if (!MOD_EVENTS[req.event]) return
 
-  if (req.query.DELETE) req.query.DELETE.from = _getFromWithIsActiveEntityRemoved(req.query.DELETE.from)
-  if (req.query.SELECT) req.query.SELECT.from = _getFromWithIsActiveEntityRemoved(req.query.SELECT.from)
-
   // REVISIT: selected data could be used for etag check, diff, etc.
 
   /*
    * Here we check if UPDATE/DELETE requests add additional restrictions
    * Note: Needs to happen sequentially because of side effects
    */
+  // REVISIT: Do we really need to do that? Always?
   const unrestrictedCount = await _getUnrestrictedCount(req)
   if (unrestrictedCount === 0) req.reject(404)
 
@@ -284,6 +265,6 @@ async function handler(req) {
   }
 }
 
-handler._initial = true
+check_roles._initial = true
 
-module.exports = handler
+module.exports = check_roles

package/libx/_runtime/common/generic/auth/restrictions.js

@@ -1,6 +1,5 @@
 const WRITE_EVENTS = { CREATE: 1, NEW: 1, UPDATE: 1, PATCH: 1, DELETE: 1, CANCEL: 1, EDIT: 1 }
 const CRUD = Object.assign({ READ: 1 }, WRITE_EVENTS)
-const cds = require('../../../cds')
 
 /**
  * Returns the applicable restrictions for the current request as follows:
@@ -68,10 +67,7 @@ const _addNormalizedRestrictPerGrant = (grant, where, restrict, restricts, defin
 }
 
 const _addNormalizedRestrict = (restrict, restricts, definition) => {
-  const where = restrict.where
-    ? (restrict.where['='] || restrict.where).replace(/\$user/g, '$user.id').replace(/\$user\.id\./g, '$user.')
-    : undefined
-
+  const where = restrict.where?.xpr ?? restrict.where
   restrict.grant = Array.isArray(restrict.grant) ? restrict.grant : [restrict.grant || '*']
   restrict.grant.forEach(grant => _addNormalizedRestrictPerGrant(grant, where, restrict, restricts, definition))
 }
@@ -117,8 +113,7 @@ const _isToAccessAllowed = (user, restrict) => restrict.to.some(role => user.is(
 
 const getApplicableRestrictions = (restrictions, event, user) => {
   return restrictions.filter(restrict => {
-    const eventName = cds.env.fiori.lean_draft ? event : { NEW: 'CREATE' }[event] || event
-    return _isGrantAccessAllowed(eventName, restrict) && _isToAccessAllowed(user, restrict)
+    return _isGrantAccessAllowed(event, restrict) && _isToAccessAllowed(user, restrict)
   })
 }
 

package/libx/_runtime/common/generic/auth/utils.js

@@ -23,6 +23,7 @@ const reject = (req, reason = null) => {
   })
 }
 
+// REVISIT: Do we really need that? -> if not, let's eliminate it
 const getRejectReason = (req, annotation, definition, restrictedCount, unrestrictedCount) => {
   if (!LOG._debug) return
   // it is not possible to specify the reason further than the source as there are multiple factors
@@ -35,109 +36,111 @@ const getRejectReason = (req, annotation, definition, restrictedCount, unrestric
   }
 }
 
-const _getCurrentSubClause = (next, restrict) => {
-  const escaped = next[0].replace(/\$/g, '\\$').replace(/\./g, '\\.')
-  const re1 = new RegExp(`([\\w\\.']*)\\s*=\\s*(${escaped})|(${escaped})\\s*=\\s*([\\w\\.']*)`)
-  const re2 = new RegExp(`([\\w\\.']*)\\s*in\\s*(${escaped})|(${escaped})\\s*in\\s*([\\w\\.']*)`)
-  const re3 = new RegExp(`(${escaped})\\s*is\\s*null`)
-  const re4 = new RegExp(`(${escaped})\\s*is\\s*not\\s*null`)
-  const clause =
-    restrict.where.match(re3) || restrict.where.match(re4) || restrict.where.match(re1) || restrict.where.match(re2)
-
-  if (clause) return clause
-
-  // NOTE: arrayed attr with "=" as operator is some kind of legacy case
-  throw new Error('user attribute array must be used with operator "=", "in", "is null", or "is not null"')
-}
-
-const _isNull = (userAttrs, attr) =>
-  userAttrs[attr] == null || (Array.isArray(userAttrs[attr]) && userAttrs[attr].length === 0)
-const _isNotNull = (userAttrs, attr) =>
-  userAttrs[attr] != null && Array.isArray(userAttrs[attr]) && userAttrs[attr].length > 0
-
-const _processUserAttr = (next, restrict, userAttrs, attr) => {
-  const clause = _getCurrentSubClause(next, restrict)
-  const valOrRef = clause[1] || clause[4]
-
-  if (clause[0].match(/ is\s*null/)) {
-    restrict.where = restrict.where.replace(clause[0], _isNull(userAttrs, attr) ? '1 = 1' : '1 = 2')
-  } else if (clause[0].match(/ is\s*not\s*null/)) {
-    restrict.where = restrict.where.replace(clause[0], _isNotNull(userAttrs, attr) ? '1 = 1' : '1 = 2')
-  } else {
-    if (_isNull(userAttrs, attr)) {
-      restrict.where = restrict.where.replace(clause[0], '1 = 2')
-    } else if (clause[0].match(/ in /)) {
-      if (userAttrs[attr].length === 1) {
-        restrict.where = restrict.where.replace(clause[0], `${valOrRef} = '${userAttrs[attr][0]}'`)
-      } else {
-        restrict.where = restrict.where.replace(
-          clause[0],
-          `${valOrRef} in (${userAttrs[attr].map(ele => `'${ele}'`).join(', ')})`
-        )
+const _isNull = element => element.val === null || element.list?.length === 0
+const _isNotNull = element => element.val !== null && (!element.list || element.list.length)
+
+const _processNullAttr = where => {
+  if (!where) return
+
+  for (let i = where.length - 1; i >= 0; i--) {
+    if (where[i] === 'null') {
+      if (where[i - 2] === 'is' && where[i - 1] === 'not' && _isNull(where[i - 3])) {
+        where.splice(i - 3, 4, { val: '1' }, '=', { val: '2' })
+        i = i - 3
+      } else if (where[i - 2] === 'is' && where[i - 1] === 'not' && _isNotNull(where[i - 3])) {
+        where.splice(i - 3, 4, { val: '1' }, '=', { val: '1' })
+        i = i - 3
+      } else if (where[i - 1] === 'is' && _isNull(where[i - 2])) {
+        where.splice(i - 2, 3, { val: '1' }, '=', { val: '1' })
+        i = i - 2
+      } else if (where[i - 1] === 'is' && _isNotNull(where[i - 2])) {
+        where.splice(i - 2, 3, { val: '1' }, '=', { val: '2' })
+        i = i - 2
       }
-    } else if (valOrRef.startsWith("'") && userAttrs[attr].includes(valOrRef.split("'")[1])) {
-      restrict.where = restrict.where.replace(clause[0], `${valOrRef} = ${valOrRef}`)
-    } else {
-      restrict.where = restrict.where.replace(
-        clause[0],
-        `(${userAttrs[attr].map(ele => `${valOrRef} = '${ele}'`).join(' or ')})`
-      )
     }
   }
 }
 
-/*
- * for supporting xssec v3
- */
-const _getAttrsAsProxy = (attrs, additional = {}) => {
-  return new Proxy(
-    {},
-    {
-      get: function (_, attr) {
-        if (attr in additional) return additional[attr]
-        return attrs[attr]
+// NOTE: arrayed attr with "=" as operator is a valid expression (see authorization guide)
+const _arrayComparison = (arr, where, index) => {
+  if (arr.length === 0) where[index] = { val: null }
+  else if (arr.length === 1) where[index] = { val: arr[0] }
+  else {
+    let start, element
+    if (where[index - 1] === '=' && where[index - 2]) {
+      start = index - 2
+      element = where[index - 2]
+    } else if (where[index + 1] === '=' && where[index + 2]) {
+      start = index
+      element = where[index + 2]
+    }
+    if (start !== undefined) {
+      const expr = []
+      arr.forEach(el => {
+        if (expr.length) expr.push('or')
+        expr.push(element, '=', { val: el })
+      })
+      where.splice(start, 3, { xpr: expr })
+    } else {
+      if (where[index + 1] !== 'is')
+        throw new Error('user attribute array must be used with operator "=", "in", "is null", or "is not null"')
+      where[index] = {
+        list: arr.map(v => {
+          return { val: v }
+        })
       }
     }
-  )
+  }
 }
 
-/*
- * resolves user attributes deeply, even though nested attributes are officially not supported
- */
-const resolveUserAttrs = (restrict, req) => {
-  const _getNext = where => where.match(/\$user\.([\w.]*)/)
-  let next = _getNext(restrict.where)
-
-  while (next !== null) {
-    const parts = next[1].split('.')
-    let skip
-    let val
-    let attrs = _getAttrsAsProxy(req.user.attr, { id: req.user.id })
-    let attr = parts.shift()
-
-    while (attr) {
-      if (attrs[attr] === undefined || Array.isArray(attrs[attr])) {
-        _processUserAttr(next, restrict, attrs, attr)
-        skip = true
-        break
+const _handleArray = (arr, where, index) => {
+  if (where[index - 1] === 'in') {
+    if (arr.length === 0) where[index] = { list: [{ val: '__dummy__' }] }
+    else
+      where[index] = {
+        list: arr.map(v => {
+          return { val: v }
+        })
       }
+  } else _arrayComparison(arr, where, index)
+}
 
-      val = !Number.isNaN(Number(attrs[attr])) && attr !== 'id' ? attrs[attr] : `'${attrs[attr]}'`
-      if (val === null || val === undefined) break
-
-      attrs = _getAttrsAsProxy(attrs[attr])
-      attr = parts.shift()
+const resolveUserAttrs = (where, req) => {
+  let non_existing
+  for (let i = 0; i < where.length; i++) {
+    const r = where[i]
+    if (r.xpr) r.xpr = resolveUserAttrs(r.xpr, req)
+    else if (r.SELECT?.where) r.SELECT.where = resolveUserAttrs(r.SELECT.where, req)
+    else if (r?.ref?.[0] === '$user') {
+      if (r.ref.length === 1 || r.ref[1] === 'id') r.val = req.user.id
+      else {
+        let val = req.user.attr
+        for (let j = 1; j < r.ref.length; j++) {
+          const attr = r.ref[j]
+          if (!Object.prototype.hasOwnProperty.call(val, attr)) {
+            non_existing = true
+            break
+          } else val = val?.[attr]
+        }
+        if (non_existing) break
+        if (val === undefined) val = null
+        if (val === null && where[i - 1] === 'in') where[i] = { list: [{ val: '__dummy__' }] }
+        else if (Array.isArray(val)) _handleArray(val, where, i)
+        else r.val = val
+      }
+      delete r.ref
+    } else if (r.ref) {
+      r.ref.forEach(el => {
+        if (el.where) el.where = resolveUserAttrs(el.where, req)
+      })
     }
+  }
 
-    if (!skip) {
-      const v = val === undefined ? null : typeof val === 'string' && val.match(/^\d*$/) ? `'${val}'` : val
-      restrict.where = restrict.where.replace(next[0], v).replace('in null', 'is null')
-    }
+  if (non_existing) return [{ val: '1' }, '=', { val: '2' }]
 
-    next = _getNext(restrict.where)
-  }
+  _processNullAttr(where)
 
-  return restrict
+  return where
 }
 
 const _authDependsOnAncestor = (entity, annotations) => {

package/libx/_runtime/common/generic/crud.js

@@ -1,7 +1,7 @@
 const cds = require('../../cds')
 const { SELECT } = cds.ql
 
-const { deepCopyArray } = require('../utils/copy')
+const { deepCopy } = require('../utils/copy')
 const { getColumns } = require('../utils/columns')
 const { enhanceStreamResult } = require('../utils/stream')
 const getError = require('../error')
@@ -12,7 +12,6 @@ const _targetEntityDoesNotExist = async req => {
 }
 
 exports.impl = cds.service.impl(function () {
-  // eslint-disable-next-line complexity
   this.on(['CREATE', 'READ', 'UPDATE', 'DELETE', 'UPSERT'], '*', async function (req) {
     if (!req.query) {
       throw getError({
@@ -39,7 +38,7 @@ exports.impl = cds.service.impl(function () {
 
     const { ref } = (req.query.INSERT && req.query.INSERT.into) || (req.query.SELECT && req.query.SELECT.from) || {}
     // REVISIT: why is copy necessary?
-    if (ref && ref.length > 1) pathExistsQuery = SELECT(1).from({ ref: deepCopyArray(ref.slice(0, -1)) })
+    if (ref && ref.length > 1) pathExistsQuery = SELECT(1).from({ ref: deepCopy(ref.slice(0, -1)) })
 
     if (req.event === 'CREATE' && pathExistsQuery) {
       const res = await pathExistsQuery
@@ -101,8 +100,10 @@ exports.impl = cds.service.impl(function () {
       if (await _targetEntityDoesNotExist(req)) req.reject(404) // REVISIT: add a reasonable error message
     }
 
-    // flag to trigger read after write in protocol adapter
-    req._.readAfterWrite = true
+    // flag to trigger read after write in legacy odata adapter
+    if (req.constructor.name in { ODataRequest: 1 }) req._.readAfterWrite = true
+    if (req.protocol?.match(/odata/)) req._.readAfterWrite = true //> REVISIT for noah
+
     return req.data
   })
 

package/libx/_runtime/common/generic/etag.js

@@ -73,10 +73,10 @@ const _getValidationStmt = (ifMatchEtags, ifNoneMatchEtags, req, model) => {
 const commonGenericValidateETag = async function (req) {
   /*
    * currently, etag is only supported for OData requests
-   * REST requests should be added later
+   * REST requests should be added later -> REVISIT!!!
    * other protocols, such as graphql, need to be checked
    */
-  if (req.protocol !== 'odata-v4') return
+  if (req.protocol !== 'odata') return
 
   // automatically add etag columns if not already there
   if (req.query.SELECT) addEtagColumns(req.query.SELECT.columns, req.target)
@@ -148,14 +148,10 @@ module.exports = cds.service.impl(function () {
     if (!entity._etag) continue
 
     if (entity._isDraftEnabled) {
-      if (cds.env.fiori?.lean_draft) {
-        this.before(['READ', 'DELETE'], entity, commonGenericValidateETag)
-        // if draft compat is on, the read handler is automatically registered for <entity> and <entity>.drafts
-        const events = cds.env.fiori.draft_compat ? ['UPDATE', 'CANCEL'] : ['READ', 'UPDATE', 'CANCEL']
-        this.before(events, entity.drafts, commonGenericValidateETag)
-      } else {
-        this.before(['READ', 'PATCH', 'CANCEL', 'DELETE'], entity, commonGenericValidateETag)
-      }
+      this.before(['READ', 'DELETE'], entity, commonGenericValidateETag)
+      // if draft compat is on, the read handler is automatically registered for <entity> and <entity>.drafts
+      const events = cds.env.fiori.draft_compat ? ['UPDATE', 'CANCEL'] : ['READ', 'UPDATE', 'CANCEL']
+      this.before(events, entity.drafts, commonGenericValidateETag)
     } else {
       this.before(['READ', 'UPDATE', 'DELETE'], entity, commonGenericValidateETag)
     }
@@ -164,8 +160,7 @@ module.exports = cds.service.impl(function () {
       // etag not applicable to functions and unbound actions
       if (entity.actions[action].kind !== 'action') continue
       if (entity._isDraftEnabled) {
-        let _entity = entity
-        if (cds.env.fiori?.lean_draft) _entity = action === 'draftEdit' ? entity : entity.drafts
+        const _entity = action === 'draftEdit' ? entity : entity.drafts
         this.before(action === 'draftEdit' ? 'EDIT' : action, _entity, commonGenericValidateETag)
       } else {
         this.before(action, entity, commonGenericValidateETag)