@sap/cds 8.2.1 → 8.2.3

package/CHANGELOG.md

@@ -4,6 +4,27 @@
 - The format is based on [Keep a Changelog](http://keepachangelog.com/).
 - This project adheres to [Semantic Versioning](http://semver.org/).
 
+## Version 8.2.3 - 2024-09-20
+
+### Changed
+
+- All annotations in input data are skipped and removed from the input by `cds.validate()` - as we did in legacy OData adapter
+
+### Fixed
+
+- Unmanaged associations are excluded from `@mandatory` checks
+- Properly reject direct requests to `DraftAdministrativeData`
+- Virtual elements annotated with `@Core.MediaType`
+- OData Requests targeting a specific instance and custom handler returns empty array
+- `cds-serve` and `cds-deploy` now set `cds.cli` information
+
+## Version 8.2.2 - 2024-09-13
+
+### Fixed
+
+- Erroneous caching in `cds.validate`
+- Properly check `$filter` element types across navigations
+
 ## Version 8.2.1 - 2024-09-04
 
 ### Fixed

package/bin/serve.js

@@ -158,6 +158,9 @@ async function serve (all=[], o={}) {
   if (o.watch)  return _watch.call(this, o.project,o)   // cds serve --watch <project>
   if (o.project) _chdir_to (o.project)      // cds run --project <project>
 
+  // let plugins know about the CLI
+  cds.cli = { command: 'serve', argv: all, options: o }
+
   // Ensure loading plugins before calling cds.env!
   await cds.plugins
 

package/lib/dbs/cds-deploy.js

@@ -384,6 +384,7 @@ const _entity4 = (file, csn) => {
 
 /** CLI used as via cds-deploy as deployer for PostgreSQL */
 if (!module.parent) (async function CLI () {
+  cds.cli = { command: 'deploy', argv: process.argv.slice(2), options: {} }
   await cds.plugins // IMPORTANT: that has to go before any call to cds.env, like through cds.deploy or cds.requires below
   let db = cds.requires.db
   try {
@@ -400,6 +401,7 @@ if (!module.parent) (async function CLI () {
       if (o.username) (db.credentials ??= {}).username = o.username
       if (o.password) (db.credentials ??= {}).password = o.password
     }
+    cds.cli.options = o
     db = await cds.connect.to(db);
     db = await cds.deploy('*',o).to(db)
   } finally {

package/lib/linked/validate.js

@@ -46,7 +46,8 @@ class Validation {
     return filter.length ? `(${filter})` : `[${index}]`
   }
 
-  unknown(e,d) {
+  unknown(e,d,input) {
+    if (e.startsWith('@')) return delete input[e] //> skip all annotations, like @odata.Type
     d['@open'] || cds.error (`Property "${e}" does not exist in ${d.name}`, {status:400})
   }
 }
@@ -92,43 +93,54 @@ const $any = class any {
    * this method for subsequent usages, with statically determined checks.
    */
   check_asserts (val, path, /** @type {Validation} */ ctx) {
-    // if (this['@cds.validate'] === false) return this.set ('check_asserts', ()=>{})
-    const asserts = []
-    const type_check = conf.strict && this.strict_check || this.type_check
-    if (type_check) {
-      asserts.push ((v,p,ctx) => v == null || type_check(v) || ctx.error ('ASSERT_DATA_TYPE', p, this.name, v, this ))
-    }
-    if (this._is_mandatory()) {
-      asserts.push ((v,p,ctx) => v != null && v.trim?.() !== '' || ctx.error ('ASSERT_NOT_NULL', p, this.name, v)) // ASSERT_NOT_NULL is misleading -> should be ASSERT_REQUIRED
-    }
-    if (this['@assert.format']) {
-      const format = new RegExp(this['@assert.format'],'u')
-      asserts.push ((v,p,ctx) => v == null || format.test(v) || ctx.error ('ASSERT_FORMAT', p, this.name, v, format))
-    }
-    if (this['@assert.range'] && !this.enum) {
-      const [ min, max ] = this['@assert.range']
-      asserts.push ((v,p,ctx) => v == null || min <= v && v <= max || ctx.error ('ASSERT_RANGE', p, this.name, v, min, max))
-    }
-    if (this['@assert.enum'] || this['@assert.range'] && this.enum) {
-      const vals = Object.entries(this.enum).map(([k,v]) => 'val' in v ? v.val : k)
-      const enums = vals.reduce((a,v) => (a[v]=true, a),{})
-      asserts.push ((v,p,ctx) => v == null || v in enums || vals.some(x => x == v) || ctx.error ('ASSERT_ENUM', p, this.name, typeof v === 'string' ? `"${v}"` : v, vals.join(', ')))
-    }
-    if (!asserts.length) return this.check_asserts = ()=>{} // nothing to do
-    this.set ('check_asserts', (v,p,ctx) => asserts.forEach (a => a(v,p,ctx)))
-    this.check_asserts (val, path, ctx) // call first time
+    // IMPORTANT: We need to use this.own() here as elements derived from reuse
+    // definitions or from elements of base entities might have different asserts
+    // than inherited ones.
+    const check_asserts = this.own('_check_asserts', () => {
+      const asserts = []
+      const type_check = conf.strict && this.strict_check || this.type_check
+      if (type_check) {
+        asserts.push ((v,p,ctx) => v == null || type_check(v) || ctx.error ('ASSERT_DATA_TYPE', p, this.name, v, this ))
+      }
+      if (this._is_mandatory()) {
+        asserts.push ((v,p,ctx) => v != null && v.trim?.() !== '' || ctx.error ('ASSERT_NOT_NULL', p, this.name, v)) // ASSERT_NOT_NULL is misleading -> should be ASSERT_REQUIRED
+      }
+      if (this['@assert.format']) {
+        const format = new RegExp(this['@assert.format'],'u')
+        asserts.push ((v,p,ctx) => v == null || format.test(v) || ctx.error ('ASSERT_FORMAT', p, this.name, v, format))
+      }
+      if (this['@assert.range'] && !this.enum) {
+        const [ min, max ] = this['@assert.range']
+        asserts.push ((v,p,ctx) => v == null || min <= v && v <= max || ctx.error ('ASSERT_RANGE', p, this.name, v, min, max))
+      }
+      if (this['@assert.enum'] || this['@assert.range'] && this.enum) {
+        const vals = Object.entries(this.enum).map(([k,v]) => 'val' in v ? v.val : k)
+        const enums = vals.reduce((a,v) => (a[v]=true, a),{})
+        asserts.push ((v,p,ctx) => v == null || v in enums || vals.some(x => x == v) || ctx.error ('ASSERT_ENUM', p, this.name, typeof v === 'string' ? `"${v}"` : v, vals.join(', ')))
+      }
+      if (!asserts.length) return ()=>{} // nothing to do
+      return (v,p,ctx) => asserts.forEach (a => a(v,p,ctx))
+    })
+    return check_asserts (val, path, ctx)
   }
 
   _is_mandatory (d=this) {
-    return d.own('_mandatory', ()=> (
-      !d['@readonly'] // readonly -> not mandatory
-      && (d['@mandatory'] || d['@Common.FieldControl']?.['#'] === 'Mandatory')
-      && !d._is_flattened()
-    ))
-  }
-
-  _is_flattened (d=this) {
-    return d.parent?.query?.SELECT.columns?.some (c => c.ref?.length > 1 && d.name === (c.as || c.ref.at(-1)))
+    return d.own('_mandatory', ()=> {
+      if (d._is_readonly()) return false // readonly annotations have precedence over mandatory ones
+      if (d['@mandatory'] || d['@Common.FieldControl']?.['#'] === 'Mandatory') {
+        const q = d.parent?.query?.SELECT
+        if (!q) return true // it's a regular entity's element marked as mandatory
+        if (!q.from?.ref) return false // join or union -> elements can't be mandatory
+        const c = q.columns?.find (c => alias4(c) === d.name)
+        if (!c) return true // * or foo.* -> can't tell whether d is joined
+        if (!c.ref) return false // calculated fields aren't mandatory
+        if (c.ref.length === 1) return true // SELECT from Foo { foo }
+        if (c.ref.length === 2 && c.ref[0] === alias4(q.from)) return true // SELECT from Foo as f { f.foo }
+        else return false // joined field which can't be mandatory, e.g. SELECT from Books { author.name as author }
+        function alias4 (x) { return x.as || x.ref?.at(-1) }
+      }
+      else return false
+    })
   }
 
   _is_readonly (d=this) {
@@ -148,17 +160,21 @@ const $any = class any {
    * This is the case if the row date does not contain all primary key elements of the target entity.
    */
   _is_insert (row) {
-    const entity = this._target || this
-    const keys = Object.keys (entity.keys||{})
-    if (!keys.length) return this.set('_is_insert', ()=> true), true
-    else this.set('_is_insert', data => typeof data === 'object' && !keys.every(k => k in data))
-    return this._is_insert (row)
+    // IMPORTANT: We need to use this.own() here as derived entities might have
+    // different keys and thus different insert checks.
+    const _is_insert = this.own('__is_insert', () => {
+      const entity = this._target || this
+      const keys = Object.keys (entity.keys||{})
+      if (!keys.length) return ()=> true
+      else return data => typeof data === 'object' && !keys.every(k => k in data)
+    })
+    return _is_insert(row)
   }
 
   _required (elements) {
-    const _required = Object.values(elements).filter(this._is_mandatory)
-    this.set('_required', ()=> _required)
-    return _required
+    // IMPORTANT: We need to use this.own() here as derived entities might have
+    // different elements or elements with different annotations than base entitites.
+    return this.own('__required', ()=> Object.values(elements).filter(this._is_mandatory))
   }
 
   /** Forward declaration for universal CSN */
@@ -175,12 +191,13 @@ class struct extends $any {
       if (each.name in skip) continue // skip uplinks in deep inserts -> see Composition.validate()
       if (each.$struct in data) continue // got struct for flattened element/fk, e.g. {author:{ID:1}}
       if (each.elements || each.foreignKeys) continue // skip struct-likes as we check flat payloads above, and deep payloads via struct.validate()
+      if (each.isAssociation) continue // unmanaged associations are always ignored (no value like)
       else ctx.error ('ASSERT_NOT_NULL', path_, each.name) // ASSERT_NOT_NULL should be ASSERT_REQUIRED
     }
     // check values of given data
     for (let each in data) { // will work for structured payloads as well as flattened ones with universal CSN
       let /** @type {$any} */ d = elements[each]
-      if (!d || typeof d === 'function') ctx.unknown (each, this, data) // `each` might be a method of LinkedDefinitions, like filter, map, some, every, ...
+      if (!d) ctx.unknown (each, this, data)
       else if (ctx.cleanse && d._is_readonly()) delete data[each]
       else if (d['@cds.validate'] !== false) d.validate (data[each], path_, ctx)
     }
@@ -295,4 +312,4 @@ $.LargeBinary.prototype .type_check = v => Buffer.isBuffer(v) || typeof v === 's
 $.LargeString.prototype .type_check = v => Buffer.isBuffer(v) || typeof v === 'string' || v instanceof Readable
 
 // Mixin above class extensions to cds.linked.classes
-$.mixin ( Decimal, string, $any, action, array, struct, entity, Association, Composition )
+$.mixin ( Decimal, string, $any, action, array, struct, entity, Association, Composition )

package/libx/_runtime/common/utils/streamProp.js

@@ -60,7 +60,7 @@ const handleStreamProperties = (target, columns, model) => {
       _addColumns(target, columns)
     } else if (col.ref && (type === 'cds.LargeBinary' || (mediaType && !ignoreMediaType))) {
       if (mediaType) {
-        _addColumn(name, mediaType, columns, element['@Core.IsURL'], target)
+        if (!element.virtual) _addColumn(name, mediaType, columns, element['@Core.IsURL'], target)
         columns.splice(index, 1)
       } else if (!cds.env.features.stream_compat) {
         columns.splice(index, 1)

package/libx/_runtime/fiori/lean-draft.js

@@ -781,7 +781,10 @@ const Read = {
 
     // DraftAdministrativeData is only accessible via drafts
     if (_isCount(query)) return run(query)
-    if (query._target.name.endsWith('.DraftAdministrativeData')) return run(query._drafts)
+    if (query._target.name.endsWith('.DraftAdministrativeData')) {
+      if (query.SELECT.from.ref?.length === 1) throw new Error('Invalid draft request') // only via drafts
+      return run(query._drafts)
+    }
     if (!query._target._isDraftEnabled) return run(query)
     if (
       !query.SELECT.groupBy &&

package/libx/odata/middleware/read.js

@@ -262,6 +262,11 @@ module.exports = adapter => {
 
         const metadata = getODataMetadata(query, { result, isCollection: !one })
         result = getODataResult(result, metadata, { isCollection: !one, property: _propertyAccess })
+
+        if (!result) {
+          throw Object.assign(new Error('404'), { statusCode: 404 })
+        }
+
         res.send(result)
       })
       .catch(err => {

package/libx/odata/parse/afterburner.js

@@ -754,7 +754,7 @@ module.exports = (cqn, model, namespace, protocol) => {
   }
 
   if (cqn.SELECT.where) {
-    _processWhere(cqn.SELECT.where, root)
+    _processWhere(cqn.SELECT.where, target)
   }
 
   // one?

package/libx/odata/utils/result.js

@@ -53,13 +53,15 @@ const _rewriteMetadataDeep = result => {
  * @returns {object} - the odata result
  */
 module.exports = function getODataResult(result, metadata, options = {}) {
-  if (result == null) return ''
+  if (result == null) return
 
   const { isCollection, property } = options
 
   if (isCollection && !Array.isArray(result)) result = [result]
   else if (!isCollection && Array.isArray(result)) result = result[0]
 
+  if (result === undefined) return
+
   // make sure @odata.context is the first element (per OData spec)
   const odataResult = {
     [METADATA.$context]: metadata.context

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sap/cds",
-  "version": "8.2.1",
+  "version": "8.2.3",
   "description": "SAP Cloud Application Programming Model - CDS for Node.js",
   "homepage": "https://cap.cloud.sap/",
   "keywords": [