@sap/cds 8.5.0 → 8.6.0

package/lib/srv/srv-handlers.js

@@ -1,136 +1,131 @@
+/** @typedef {import('./cds.Service')} Service } */
+
 const cds = require('..'), {expected} = cds.error
 const LOG = cds.log()
 
 class EventHandlers {
 
-  constructor (name) {
-    this._handlers = {
-      /** @type {EventHandler[]} */ _initial:[],
-      /** @type {EventHandler[]} */ before:[],
-      /** @type {EventHandler[]} */ on:[],
-      /** @type {EventHandler[]} */ after:[],
-      /** @type {EventHandler[]} */ _error:[]
-    }
-    this.name = name
-  }
-
-  before (...args) { return _register (this, 'before', ...args) }
-  on     (...args) { return _register (this, 'on',     ...args) }
-  after  (...args) { return _register (this, 'after',  ...args) }
-  reject (e, path) { return _register (this, '_initial', e, path,
-    (r) => r.reject (405, `Event "${r.event}" not allowed for entity "${r.path}".`)
-  )}
+  /** @type {EventHandler[]} */ _initial = []
+  /** @type {EventHandler[]} */ before = []
+  /** @type {EventHandler[]} */ on = []
+  /** @type {EventHandler[]} */ after = []
+  /** @type {EventHandler[]} */ _error = []
 
+  /** @this {Service} */
   prepend (fn) {
-    const {_handlers} = this, _new = this._handlers = { on:[], before:[], after:[], _initial:[], _error:[] }
+    const {handlers} = this, _new = this.handlers = new EventHandlers
     const x = fn.call (this,this) // NOTE: we need the doubled await to compensate usages of srv.prepend() with missing awaits !!!
     if (x?.then) throw cds.error `srv.prepend() doesn't accept asynchronous functions anymore`
-    for (let each in _new) if (_new[each].length) _handlers[each].unshift(..._new[each])
-    this._handlers = _handlers
+    for (let each in _new) if (_new[each].length) handlers[each].unshift(..._new[each])
+    this.handlers = handlers
     return this
   }
 
-  async init() {}
-  async _init() {
-    const { impl } = this.options
-    if (typeof impl === 'function' && !/^class\b/.test(impl))
-      await impl.call(this,this)
-    await this.init()
-    return this
-  }
-}
-module.exports = EventHandlers
+  //--------------------------------------------------------------------------
+  /** Registers event handlers. This is the central method to register handlers,
+   * used by all respective public API methods, i.e. .on/before/after/reject.
+   * @param {Service} srv
+   * @param {'on'|'before'|'after'} phase
+   * @param {string|string[]} event
+   * @param {string|string[]} path
+   * @param {(req)=>{}} handler
+   */
+  register (srv, phase, event, path, handler) {
+
+    if (!handler) [ handler, path ] = [ path, '*' ] // argument path is optional
+    else if (path === undefined) expected `${{path}} to be a string or csn definition`
+    if (typeof handler !== 'function') expected `${{handler}} to be a function`
+    if (handler._is_stub) {
+      LOG.warn (`\n
+        WARNING: You are trying to register a frameworks-generated stub method for
+        custom action/function '${event}' in implementation of service '${srv.name}'.
+        We're ignoring that as we already registered the according handler.
+        Please fix your implementation, i.e., just don't register that handler.
+      `)
+      return srv
+    }
 
+    // Canonicalize event argument
+    if (!event || event === '*') event = undefined
+    else if (is_array(event)) {
+      for (let each of event) this.register (srv, phase, each, path, handler)
+      return srv
+    }
+    else if (event === 'SAVE' || event === 'WRITE') {
+      for (let each of ['CREATE','UPSERT','UPDATE']) this.register (srv, phase, each, path, handler)
+      return srv
+    }
+    else if (phase === 'after' && ( event === 'each'    //> srv.after ('each', Book, b => ...)    // event 'each' => READ each
+      || event === 'READ' && path?.is_singular          //> srv.after ('READ', Book, b => ...)    // Book is a singular def from cds-typer
+      || event === 'READ' && /^\(?each\b/.test(handler) //> srv.after ('READ', Book, each => ...) // handler's first param is named 'each'
+    )) {
+      event = 'READ' // override event='each' to 'READ'
+      const h=handler; handler = (rows,req) => is_array(rows) ? rows.forEach (r => h(r,req)) : rows && h(rows,req)
+    }
+    else if (typeof event === 'object') {
+      // extract action name from an action definition's fqn
+      event = event.name && /[^.]+$/.exec(event.name)[0] || expected `${{event}} to be a string or an action's CSN definition`
+    }
+    else event = AlternativeEvents[event] || event
 
-//--------------------------------------------------------------------------
-/** Registers event handlers. This is the central method to register handlers,
- * used by all respective public API methods, i.e. .on/before/after/reject.
- * @param {'on'|'before'|'after'} phase
- * @param {string|string[]} event
- * @param {string|string[]} path
- * @param {(req)=>{}} handler
- */
-const _register = function (srv, phase, event, path, handler) { //NOSONAR
-
-  if (!handler) [ handler, path ] = [ path ] // argument path is optional
-  if (typeof handler !== 'function') expected `${{handler}} to be a function`
-  if (handler._is_stub) {
-    LOG.warn (`\n
-      WARNING: You are trying to register a frameworks-generated stub method for
-      custom action/function '${event}' in implementation of service '${srv.name}'.
-      We're ignoring that as we already registered the according handler.
-      Please fix your implementation, i.e., just don't register that handler.
-    `)
-    return srv
-  }
+    // Canonicalize path argument
+    if (!path || path === '*') path = undefined
+    else if (is_array(path)) {
+      for (let each of path) this.register (srv, phase, event, each, handler)
+      return srv
+    }
+    else if (typeof path === 'object') {
+      path = path.name || expected `${{path}} to be a string or an entity's CSN definition`
+    }
+    else if (typeof path === 'string') {
+      if (!path.startsWith(srv.name+'.')) path = `${srv.name}.${path}`
+    }
 
-  // Canonicalize event argument
-  if (!event || event === '*') event = undefined
-  else if (is_array(event)) {
-    for (let each of event) _register (srv, phase, each, path, handler)
-    return this
-  }
-  else if (event === 'SAVE') {
-    for (let each of ['CREATE','UPDATE']) _register (srv, phase, each, path, handler)
-    return this
-  }
-  else if (phase === 'after' && ( event === 'each'    //> srv.after ('each', Book, b => ...)    // event 'each' => READ each
-    || event === 'READ' && path?.is_singular          //> srv.after ('READ', Book, b => ...)    // Book is a singular def from cds-typer
-    || event === 'READ' && /^\(?each\b/.test(handler) //> srv.after ('READ', Book, each => ...) // handler's first param is named 'each'
-  )) {
-    event = 'READ' // override event='each' to 'READ'
-    const h=handler; handler = (rows,req) => is_array(rows) ? rows.forEach (r => h(r,req)) : rows && h(rows,req)
-  }
-  else if (typeof event === 'object') {
-    // extract action name from an action definition's fqn
-    event = event.name && /[^.]+$/.exec(event.name)[0] || expected `${{event}} to be a string or an action's CSN definition`
-  }
-  else event = AlternativeEvents[event] || event
+    if (cds.env.fiori.draft_compat) {
+      const entity = path && srv.model?.definitions[path.name || path]
+      if (['PATCH', 'CANCEL', 'NEW'].includes(event)) {
+        // delegate to drafts
+        path = typeof path === 'string' && path !== '*' && !path.endsWith('.drafts') ? path + '.drafts' : typeof path === 'object' && path.drafts || path
+        if (event === 'PATCH') event = 'UPDATE'
+      }
+      else if (entity && (event === 'READ' || entity.actions?.[event]) && (entity.drafts && !entity.name.endsWith('.drafts'))) {
+        // additionally add drafts for READ and bound actions/functions
+        this.register (srv, phase, event, entity.name + '.drafts', handler)
+      }
+    }
 
-  // Canonicalize path argument
-  if (!path || path === '*') path = undefined
-  else if (is_array(path)) {
-    for (let each of path) _register (srv, phase, event, each, handler)
-    return this
-  }
-  else if (typeof path === 'object') {
-    path = path.name || expected `${{path}} to be a string or an entity's CSN definition`
-  }
-  else if (typeof path === 'string') {
-    if (!path.startsWith(srv.name+'.')) path = `${srv.name}.${path}`
-  }
+    // Finally register with a filter function to match requests to be handled
+    const handlers = event === 'error' ? this._error : handler._initial ? this._initial : this[phase] // REVISIT: remove _initial handlers
+    handlers.push (new EventHandler (phase, event, path, handler))
 
-  if (cds.env.fiori.draft_compat) {
-    const entity = path && srv.model?.definitions[path.name || path]
-    if (['PATCH', 'CANCEL', 'NEW'].includes(event)) {
-      // delegate to drafts
-      path = typeof path === 'string' && path !== '*' && !path.endsWith('.drafts') ? path + '.drafts' : typeof path === 'object' && path.drafts || path
-      if (event === 'PATCH') event = 'UPDATE'
-    }
-    else if (entity && (event === 'READ' || entity.actions?.[event]) && (entity.drafts && !entity.name.endsWith('.drafts'))) {
-      // additionally add drafts for READ and bound actions/functions
-      _register(srv, phase, event, entity.name + '.drafts', handler)
-    }
+    if (phase === 'on') cds.emit('subscribe',srv,event) //> inform messaging service
+    return srv
   }
 
-  // Finally register with a filter function to match requests to be handled
-  const _handlers = srv._handlers [event === 'error' ? '_error' : (handler._initial ? '_initial' : phase)] // REVISIT: remove _initial handlers
-  _handlers.push (new EventHandler (phase, event, path, handler))
 
-  if (phase === 'on') cds.emit('subscribe',srv,event) //> inform messaging service
-  return srv
+  //--------------------------------------------------------------------------
+  // EXPERIMENTAL: It is not decided yet, whether we should keep the stuff below
+  // => Please do not use anywhere!
+  onSucceeded (...args) { return _req_on (this, 'succeeded', ...args) }
+  onFailed (...args) { return _req_on (this, 'failed', ...args) }
+  for (event, path) { //> fetch all handlers for the given event and path
+    const filtered = {}
+    for (let each in this) {
+      filtered[each] = this[each].filter (h => h.for({event,path}))
+    }
+    return filtered
+  }
 }
+module.exports = EventHandlers
 
 
 class EventHandler {
   constructor (phase, event, path, handler) {
-    this[phase] = event || '*'
-    if (path) this.path = path
-    this.handler = handler
-    Object.defineProperties (this, { // non-enumerable properties to improve debugging
-      _initial: { value: handler._initial },
-      for: { value: this.for(event,path) }
-    })
+    const h = { [phase]: event || '*' }
+    if (path) h.path = path
+    h.handler = Object.defineProperty (handler, '_initial', {enumerable:false})
+    Object.defineProperty (h, 'for', {value: this.for(event,path) })
+    return h
   }
   /** Factory for the actual filter method this.for, assigned above */
   for (event, path) {
@@ -152,11 +147,6 @@ const AlternativeEvents = {
 }
 
 
-//--------------------------------------------------------------------------
-// EXPERIMENTAL: It is not decided yet, whether we should keep the stuff below
-// => Please do not use anywhere!
-EventHandlers.prototype.onSucceeded = function (...args) { return _req_on (this, 'succeeded', ...args) }
-EventHandlers.prototype.onFailed = function (...args) { return _req_on (this, 'failed', ...args) }
 const _req_on = (srv, succeeded_or_failed, event, path, handler) => {
   if (!handler) [path,handler] = [undefined,path]
   return srv.before (event,path, req => req.on(succeeded_or_failed,handler))

package/lib/srv/srv-methods.js

@@ -1,25 +1,25 @@
+/** @typedef {import('./cds.ServiceClient')} Service } */
+
 const cds = require('..')
 const LOG = cds.log('cds.serve',{label:'cds'})
 
 
-module.exports = (srv) => {
-  if (srv.model && ( //> we only support that for app services
-    srv.isAppService ||
-    srv.isExternal ||
-    srv._add_stub_methods
-  )) {
-    for (const each of srv.operations) {
-      add_handler_for (srv, each)
-    }
-    for (const each of srv.entities) {
-      for (const a in each.actions) {
-        add_handler_for (srv, each.actions[a])
-      }
+/** @param {Service} srv */
+module.exports = function (srv=this) {
+  if (!srv.definition) return //> can only add shortcuts for actions declared in service models
+  if (!srv.isAppService && !srv.isExternal && !srv._add_stub_methods) return
+  for (const each of srv.actions) {
+    add_handler_for (srv, each)
+  }
+  for (const each of srv.entities) {
+    for (const a in each.actions) {
+      add_handler_for (srv, each.actions[a])
     }
   }
-  return srv
 }
 
+
+/** @param {Service} srv */
 const add_handler_for = (srv, def) => {
   const event = def.name.match(/\w*$/)[0]
 

package/lib/srv/srv-tx.js

@@ -1,3 +1,5 @@
+/** @typedef {import('./cds.Service')} Service } */
+
 const cds = require('../index')
 const EventContext = require('../req/context')
 class RootContext extends EventContext {
@@ -17,7 +19,7 @@ class NestedContext extends EventContext {
 /**
  * This is the implementation of the `srv.tx(req)` method. It constructs
  * a new Transaction as a derivate of the `srv` (i.e. {__proto__:srv})
- * @returns { Promise<Transaction & import('./srv-api')> }
+ * @returns { Promise<Transaction & Service> }
  * @param { EventContext } ctx
  */
 module.exports = exports = function srv_tx (ctx,fn) { const srv = this
@@ -58,7 +60,7 @@ class Transaction {
     return tx
   }
 
-  /** @param {import('./srv-api')} srv */
+  /** @param {Service} srv */
   constructor (srv, ctx) {
     const tx = { __proto__:srv, _kind: new.target.name, context: ctx }
     const proto = new.target.prototype
@@ -97,7 +99,7 @@ class Transaction {
      * err is undefined if nested tx (cf. "root.before ('failed', ()=> this.rollback())")
      */
     // FIXME: with noa, this.context === cds.context and not the individual cds.Request
-    if (err) for (const each of this._handlers._error) each.handler.call(this, err, this.context)
+    if (err) for (const each of this.handlers._error) each.handler.call(this, err, this.context)
 
     if (this.ready) { //> nothing to do if no transaction started at all
       // don't actually roll back if already committed (e.g., error thrown in on succeeded or on done)

package/lib/utils/cds-utils.js

@@ -246,7 +246,7 @@ exports.deprecated = (fn, { kind = 'Method', old = fn.name+'()', use } = {}) =>
   const reset = '\x1b[0m'
   // use cds.log in production for custom logger
   const {warn} = cds.env.production ? cds.log() : console
-  if(typeof fn !== 'function') {
+  if (typeof fn !== 'function') {
     if (cds.env.features.deprecated === 'off') return
     [kind,old,use] = [fn.kind || 'Configuration',fn.old,fn.use]
     warn (
@@ -267,7 +267,7 @@ exports.deprecated = (fn, { kind = 'Method', old = fn.name+'()', use } = {}) =>
         '\nDEPRECATED:', old, '\n',
         '\n  ', (kind ? `${kind} ${old}` : old), 'is deprecated and will be removed in upcoming releases!',
         use ? `\n   => Please use ${use} instead.` : '', '\n',
-        o.stack.replace(/^Error:\s*at.*\n/,'\n'), '\n',
+        o.stack.replace(/^Error:?\s*at.*\n/m,'\n'), '\n',
         '\n------------------------------------------------------------------------------\n',
         reset
       )

package/libx/_runtime/cds-services/adapter/odata-v4/handlers/error.js

@@ -116,7 +116,7 @@ const getErrorHandler = (crashOnError = true, srv) => {
     // REVISIT: invoking service.on('error') handlers needs a cleanup with new protocol adapters!!!
     // invoke srv.on('error', function (err, req) { ... }) here in special situations
     // REVISIT: if for compat reasons, remove once cds^5.1
-    if (srv._handlers._error.length) {
+    if (srv.handlers._error.length) {
       // REVISIT: move to error middleware
       let ctx = cds.context
       if (!ctx) {
@@ -125,11 +125,11 @@ const getErrorHandler = (crashOnError = true, srv) => {
         // but then the ctx in the else branch below isn't the ODataRequest anymore
         // > error before req was dispatched
         const creq = new cds.Request({ req, res: req.res, user: cds.context.user })
-        for (const each of srv._handlers._error) each.handler.call(srv, err, creq)
+        for (const each of srv.handlers._error) each.handler.call(srv, err, creq)
       } else if (ctx._tx?._done !== 'rolled back') {
         // > error after req was dispatched, e.g., serialization error in okra
         const creq = /* odataReq.req || */ new cds.Request({ req, res: req.res, user: ctx.user, tenant: ctx.tenant })
-        for (const each of srv._handlers._error) each.handler.call(srv, err, creq)
+        for (const each of srv.handlers._error) each.handler.call(srv, err, creq)
       }
     }
 

package/libx/_runtime/cds.js

@@ -4,10 +4,11 @@ module.exports = cds
 /*
  * csn aspects
  */
-const { any, entity, Association } = cds.builtin.classes
+const { any, entity, Association, service } = cds.builtin.classes
 cds.extend(any).with(require('./common/aspects/any'))
 cds.extend(Association).with(require('./common/aspects/Association'))
 cds.extend(entity).with(require('./common/aspects/entity'))
+cds.extend(service).with(require('./common/aspects/service'))
 
 /*
  * Determines whether a request requires resolving of the target entity.

package/libx/_runtime/common/aspects/service.js

@@ -0,0 +1,25 @@
+const cds = require('../../cds')
+
+module.exports = cds.env.effective.odata.containment
+  ? class {
+      get _containedEntities() {
+        return this.own('__containedEntities', () => {
+          const containees = new Set()
+
+          for (const e in this.entities) {
+            const entity = this.entities[e]
+            if (entity.compositions) {
+              for (const c in entity.compositions) {
+                const comp = entity.compositions[c]
+                if (comp.parent.name !== comp.target) {
+                  containees.add(comp.target)
+                }
+              }
+            }
+          }
+
+          return containees
+        })
+      }
+    }
+  : class {}

package/libx/_runtime/common/generic/auth/index.js

@@ -1,5 +1,6 @@
 const cds = require('../../../cds')
 
+const serviceHandler = require('./service')
 const requiresHandler = require('./requires')
 const readOnlyHandler = require('./readOnly')
 const insertOnlyHandler = require('./insertOnly')
@@ -57,6 +58,10 @@ module.exports = cds.service.impl(function authorization() {
     }
   }
 
+  // service-level restrictions (not all requests are dispatched by protocol adapter with its early access check)
+  // REVISIT: make default in cds^9 -> remove feature flag completely or at least make it an opt-out
+  if (cds.env.features.service_level_restrictions) this.before('*', serviceHandler)
+
   /*
    * @requires
    */

package/libx/_runtime/common/generic/auth/restrict.js

@@ -5,6 +5,10 @@ const { reject, getRejectReason, resolveUserAttrs, getAuthRelevantEntity } = req
 const { DRAFT_EVENTS, MOD_EVENTS } = require('./constants')
 const { getNormalizedPlainRestrictions } = require('./restrictions')
 
+const _hasRef = xpr => {
+  for (const each of xpr) if (each.ref || (each.xpr && _hasRef(each.xpr))) return true
+}
+
 const _getResolvedApplicables = (applicables, req) => {
   const resolvedApplicables = []
 
@@ -26,7 +30,8 @@ const _getResolvedApplicables = (applicables, req) => {
         target: restrict.target,
         where: restrict.where,
         // replace $user.x with respective values
-        _xpr: resolveUserAttrs(xpr, req)
+        _xpr: resolveUserAttrs(xpr, req),
+        _hasRef: _hasRef(xpr)
       }
     }
 
@@ -38,7 +43,11 @@ const _getResolvedApplicables = (applicables, req) => {
 
 const _getStaticAuthRestrictions = resolvedApplicables => {
   return resolvedApplicables.filter(
-    resolved => resolved && resolved._xpr.length === 3 && resolved._xpr.every(ele => typeof ele !== 'object' || ele.val)
+    resolved =>
+      resolved &&
+      !resolved._hasRef &&
+      resolved._xpr.length === 3 &&
+      resolved._xpr.every(ele => typeof ele !== 'object' || ele.val)
   )
 }
 
@@ -71,6 +80,7 @@ const _handleStaticAuthRestrictions = (resolvedApplicables, req) => {
     const vals = restriction._xpr.filter(ele => typeof ele === 'object' && ele.val).map(ele => ele.val)
     return _evalStatic(op, vals)
   })
+
   // static clause grants access => done
   if (isAllowed) return
 
@@ -155,14 +165,19 @@ const _addRestrictionsToRead = async (req, model, resolvedApplicables) => {
 
 const _getUnrestrictedCount = async req => {
   const dbtx = cds.tx(req)
+
   const target =
     (req.query.UPDATE && req.query.UPDATE.entity) ||
     (req.query.DELETE && req.query.DELETE.from) ||
     (req.query.SELECT && req.query.SELECT.from)
   const selectUnrestricted = SELECT.one(['count(*) as n']).from(target)
-  const whereUnrestricted = (req.query.UPDATE && req.query.UPDATE.where) || (req.query.DELETE && req.query.DELETE.where)
 
-  if (whereUnrestricted) selectUnrestricted.where(whereUnrestricted)
+  // REVISIT: remove with cds^9
+  if (cds.env.features.compat_restrict_where) {
+    const whereUnrestricted =
+      (req.query.UPDATE && req.query.UPDATE.where) || (req.query.DELETE && req.query.DELETE.where)
+    if (whereUnrestricted) selectUnrestricted.where(whereUnrestricted)
+  }
 
   // Because of side effects, the statements have to be fired sequentially.
   const { n } = await dbtx.run(selectUnrestricted)
@@ -171,14 +186,18 @@ const _getUnrestrictedCount = async req => {
 
 const _getRestrictedCount = async (req, model, resolvedApplicables) => {
   const dbtx = cds.tx(req)
+
   const target =
     (req.query.UPDATE && req.query.UPDATE.entity) ||
     (req.query.DELETE && req.query.DELETE.from) ||
     (req.query.SELECT && req.query.SELECT.from)
   const selectRestricted = SELECT.one(['count(*) as n']).from(target)
-  const whereRestricted = (req.query.UPDATE && req.query.UPDATE.where) || (req.query.DELETE && req.query.DELETE.where)
 
-  if (whereRestricted) selectRestricted.where(whereRestricted)
+  // REVISIT: remove with cds^9
+  if (cds.env.features.compat_restrict_where) {
+    const whereRestricted = (req.query.UPDATE && req.query.UPDATE.where) || (req.query.DELETE && req.query.DELETE.where)
+    if (whereRestricted) selectRestricted.where(whereRestricted)
+  }
 
   if (typeof selectRestricted.SELECT === 'object') {
     selectRestricted.SELECT.from.ref = _addWheresToRef(selectRestricted.SELECT.from.ref, model, resolvedApplicables)
@@ -233,10 +252,14 @@ async function check_roles(req) {
 
   const resolvedApplicables = _getResolvedApplicables(restrictions, req)
 
-  // REVISIT: support more complex statics
-  const staticAuthRestriction = _getStaticAuthRestrictions(resolvedApplicables)
-  if (staticAuthRestriction.length > 0) {
-    return _handleStaticAuthRestrictions(staticAuthRestriction, req)
+  // REVISIT with cds^9
+  // - remove compat_static_auth
+  // - make check on CREATE/ NEW and unbound a compat opt-in
+  if (cds.env.features.compat_static_auth || req.event in { CREATE: 1, NEW: 1 } || this.operations[req.event]) {
+    const staticAuthRestriction = _getStaticAuthRestrictions(resolvedApplicables)
+    if (staticAuthRestriction.length > 0) {
+      return _handleStaticAuthRestrictions(staticAuthRestriction, req)
+    }
   }
 
   if (req.event === 'READ') {
@@ -244,7 +267,7 @@ async function check_roles(req) {
     return
   }
 
-  //Instance based authorization for bound actions /functions
+  // Instance based authorization for bound actions /functions
   await restrictBoundActionFunctions(req, resolvedApplicables, definition, this)
 
   // no modification -> nothing more to do
@@ -272,15 +295,14 @@ const isBoundToCollection = action =>
 
 const restrictBoundActionFunctions = async (req, resolvedApplicables, definition, srv) => {
   if (req.target?.actions?.[req.event] && !isBoundToCollection(req.target.actions[req.event])) {
-    //Clone to avoid target modification, which would cause a different query
+    // Clone to avoid target modification, which would cause a different query
     const query = cds.ql.clone(req.query) ?? SELECT.from(req.subject)
     _addRestrictionsToRead({ query: query, target: req.target }, cds.model, resolvedApplicables)
-    const result = await srv.run(query)
+    const result = await (cds.env.features.compat_restrict_bound ? srv : cds.tx(req)).run(query)
     if (!result || result.length === 0) {
       // If we got a result, we don't need to check for the existence, hence only in this special case we must determine if `404` or `403`.
       const unrestrictedCount = await _getUnrestrictedCount(req)
       if (unrestrictedCount === 0) req.reject(404)
-
       if (LOG._debug) LOG.debug(`Restricted access on action ${req.event}`)
       reject(req, getRejectReason(req, '@restrict', definition))
     }

package/libx/_runtime/common/generic/auth/service.js

@@ -0,0 +1,24 @@
+const { reject, getRejectReason } = require('./utils')
+
+const _getRequiresAsArray = definition =>
+  definition['@requires']
+    ? Array.isArray(definition['@requires'])
+      ? definition['@requires']
+      : [definition['@requires']]
+    : false
+
+function handler(req) {
+  if (req.user._is_privileged) {
+    // > skip checks
+    return
+  }
+
+  const requires = _getRequiresAsArray(this.definition)
+
+  if (!requires || requires.some(role => req.user.is(role))) return
+  reject(req, getRejectReason(req, '@requires', this.definition))
+}
+
+handler._initial = true
+
+module.exports = handler

package/libx/_runtime/common/generic/auth/utils.js

@@ -105,8 +105,10 @@ const _handleArray = (arr, where, index) => {
   } else _arrayComparison(arr, where, index)
 }
 
+const $nonexistent = Symbol('nonexistent')
+const operators = new Set(['=', '!=', '<>', '<', '<=', '>', '>=', 'in'])
+
 const resolveUserAttrs = (where, req) => {
-  let non_existing
   for (let i = 0; i < where.length; i++) {
     const r = where[i]
     if (r.xpr) r.xpr = resolveUserAttrs(r.xpr, req)
@@ -118,11 +120,17 @@ const resolveUserAttrs = (where, req) => {
         for (let j = 1; j < r.ref.length; j++) {
           const attr = r.ref[j]
           if (!Object.prototype.hasOwnProperty.call(val, attr)) {
-            non_existing = true
-            break
+            val = $nonexistent
+            if (where[i - 2] && operators.has(where[i - 1])) {
+              where.splice(i - 2, 3, { val: '1' }, '=', { val: '2' })
+            } else if (where[i + 2] && operators.has(where[i + 1])) {
+              where.splice(i, 3, { val: '1' }, '=', { val: '2' })
+            } else if (where[i + 1] === 'is') {
+              where.splice(i, where[i + 2] === 'not' ? 4 : 3, { val: '1' }, '=', { val: '2' })
+            }
           } else val = val?.[attr]
         }
-        if (non_existing) break
+        if (val === $nonexistent) continue
         if (val === undefined) val = null
         if (val === null && where[i - 1] === 'in') where[i] = { list: [{ val: '__dummy__' }] }
         else if (Array.isArray(val)) _handleArray(val, where, i)
@@ -135,11 +143,11 @@ const resolveUserAttrs = (where, req) => {
       })
     } else if (r.func) {
       r.args = resolveUserAttrs(r.args, req)
+    } else if (r.val) {
+      if (typeof r.val === 'number') r.param = false
     }
   }
 
-  if (non_existing) return [{ val: '1' }, '=', { val: '2' }]
-
   _processNullAttr(where)
 
   return where

package/libx/_runtime/common/generic/etag.js

@@ -118,7 +118,7 @@ const commonGenericValidateETag = async function (req) {
     // add where clause for validation
     const validationClause = ['exists', validationStmt]
     req.query.where(validationClause)
-    // HACK for current draft impl
+    // HACK for current draft impl // REVISIT: which is really bad
     req._etagValidationClause = validationClause
     req._etagValidationType = ifMatchEtags ? 'if-match' : 'if-none-match'
   }

package/libx/_runtime/common/utils/cqn.js

@@ -82,8 +82,7 @@ function targetFromPath(from, model) {
 }
 
 const resolveFromSelect = query => {
-  const __protoSelect = Object.getPrototypeOf(SELECT())
-  if (!(query instanceof __protoSelect.constructor)) Object.setPrototypeOf(query, __protoSelect)
+  if (!(query instanceof SELECT.class)) Object.setPrototypeOf(query, SELECT.class.prototype)
   const { from } = query.SELECT
   return from.SELECT ? resolveFromSelect(from) : from
 }