@sap/cds 9.6.0 → 9.6.2

package/CHANGELOG.md

@@ -4,6 +4,23 @@
 - The format is based on [Keep a Changelog](https://keepachangelog.com/).
 - This project adheres to [Semantic Versioning](https://semver.org/).
 
+## Version 9.6.2 - 2026-01-08
+
+### Fixed
+
+- Consider `@mandatory.message` for the error message, when a mandatory action / function parameter is not provided
+- Respond with error code `400` when receiving requests that use `any()` / `all()` filters on an association to one
+- Error message of unknown property check will no longer include `undefined` to identify structs without a name
+- `enterprise-messaging`: Type error in check for unofficial XSUAA fallback
+- Status Transition Flows: Exclusions for multiple projections
+
+## Version 9.6.1 - 2025-12-18
+
+### Fixed
+
+- Status check in case of non-existing subject
+- Gracefully handle bad value when calculating `@Core.OperationAvailable` from `@from`
+
 ## Version 9.6.0 - 2025-12-16
 
 ### Added

package/lib/compile/for/flows.js

@@ -13,12 +13,18 @@ const getFrom = action => {
 }
 
 function addOperationAvailableToActions(actions, statusEnum, statusElementName) {
-  for (const action of Object.values(actions)) {
+  action: for (const action of Object.values(actions)) {
     const fromList = getFrom(action)
-    const conditions = fromList.map(from => {
+    const conditions = []
+    for (const from of fromList) {
       const value = from['#'] ? statusEnum[from['#']]?.val ?? from['#'] : from
-      return `$self.${statusElementName} = ${typeof value === 'string' ? `'${value}'` : value}`
-    })
+      if (typeof value !== 'string') {
+        const msg = `Error while constructing @Core.OperationAvailable for action "${action.name}" of "${action.parent.name}". Value of @from must either be an enum symbol or a raw string.`
+        cds.log('cds|edmx').warn(msg)
+        continue action
+      }
+      conditions.push(`$self.${statusElementName} = '${value}'`)
+    }
     const condition = `(${conditions.join(' OR ')})`
     const parsedXpr = cds.parse.expr(condition)
     action['@Core.OperationAvailable'] ??= {
@@ -74,7 +80,7 @@ function addActionsToTarget(targetAnnotation, entity, actions) {
       identification.push({
         $Type: 'UI.DataFieldForAction',
         Action: `${entity._service.name}.${actionName}`,
-        Label: action["@Common.Label"] ?? action["@title"] ?? `{i18n>${actionName}}`,
+        Label: action['@Common.Label'] ?? action['@title'] ?? `{i18n>${actionName}}`,
         ...(entity['@odata.draft.enabled'] && {
           '@UI.Hidden': {
             '=': true,
@@ -180,8 +186,7 @@ module.exports = function cds_compile_for_flows(csn) {
     }
   }
 
-  const extensions = new Set()
-  const exclusions = new Set()
+  const to_be_extended = new Set()
 
   for (const name in csn.definitions) {
     const def = csn.definitions[name]
@@ -219,28 +224,35 @@ module.exports = function cds_compile_for_flows(csn) {
     if (base.elements?.transitions_) continue //> manually added -> don't interfere
 
     // add aspect FlowHistory to db entity
-    extensions.add(base_name)
-
-    // hack for "excludes" not possible via extensions
-    if (projections.length) projections.forEach(p => exclusions.add(p))
+    to_be_extended.add(base_name)
   }
 
-  if (extensions.size) {
+  if (to_be_extended.size) {
     // REVISIT: ensure sap.common.FlowHistory is there
     csn.definitions['sap.common.FlowHistory'] ??= JSON.parse(FlowHistory)
 
-    const _extensions = [...extensions].map(extend => ({ extend, includes: ['sap.common.FlowHistory'] }))
-    csn = cds.extend(csn).with({ extensions: _extensions })
+    const extensions = [...to_be_extended].map(extend => ({ extend, includes: ['sap.common.FlowHistory'] }))
+    const dsn = cds.extend(csn).with({ extensions })
 
     // REVISIT: annotate all generated X.transitions_ with @cds.autoexpose: false
-    for (const each of extensions) csn.definitions[`${each}.transitions_`]['@cds.autoexpose'] = false
-  }
+    for (const each of to_be_extended) dsn.definitions[`${each}.transitions_`]['@cds.autoexpose'] = false
 
-  if (exclusions.size) {
-    for (const proj of exclusions) {
-      delete csn.definitions[proj].elements.transitions_
-      delete csn.definitions[`${proj}.transitions_`]
+    // hack for "excludes" not possible via extensions
+    for (const name in dsn.definitions) {
+      const _new = dsn.definitions[name]
+      if (
+        _new.kind !== 'entity' ||
+        to_be_extended.has(name.replace(/\.transitions_$/, '')) ||
+        (!name.match(/\.transitions_$/) && !_new.elements.transitions_)
+      ) {
+        continue
+      }
+      const _old = csn.definitions[name]
+      if (!_old) delete dsn.definitions[name]
+      else if (_new.elements.transitions_ && !_old.elements.transitions_) delete _new.elements.transitions_
     }
+
+    csn = dsn
   }
 
   // REVISIT: annotate all X.transitions_ with @odata.draft.enabled: false

package/lib/req/validate.js

@@ -28,14 +28,18 @@ class Validation {
     this.cleanse = options.cleanse !== false
   }
 
+  _targetFromPath (p,n) {
+    if (n === undefined) return p
+    if (n.row) return p + this.filter4(n)          // > some/entity(ID=1)...
+    if (typeof n === 'number') return p + `[${n}]` // > some/array[1]...
+    if (p && n) return p+'/'+n                     // > some/element...
+    return n    
+  }
+
   error (code, path, leaf, i18n, ...args) {
     const err = (this.errors ??= new ValidationErrors).add (code)
     if (this.options.path) path = [ this.options.path, ...path ] // e.g. used to prefix 'in/' for actions
-    if (path) err.target = (!leaf ? path : path.concat(leaf)).reduce?.((p,n)=> (
-      n?.row ? p + this.filter4(n) :          //> some/entity(ID=1)...
-      typeof n === 'number' ? p + `[${n}]` :  //> some/array[1]...
-      p && n ? p+'/'+n : n                    //> some/element...
-    ),'')
+    if (path) err.target = (!leaf ? path : path.concat(leaf)).reduce?.((p, n) => this._targetFromPath(p, n),'')
     if (typeof i18n === 'string') err.i18n = i18n
     if (args.length) err.args = args
     return err
@@ -50,12 +54,16 @@ class Validation {
       else if (typeof v === 'string' && !entity.elements[k].isUUID || entity.elements[k]['@odata.Type'] === 'Edm.String') v = `'${v}'`
       filter.push (`${k}=${v}`)
     }
-    return filter.length ? `(${filter})` : `[${index}]`
+    if (filter.length) return `(${filter})`
+    if (index !== undefined) return `[${index}]`
+    return ''
   }
 
-  unknown(e,d,input) {
+  unknown(e,d,input, path) {
     if (this.protocol === 'odata' && e.match(/^\w*@\w+\.\w+$/)) return delete input[e] //> skip all annotations, like @odata.Type (according to OData spec annotations contain an "@" and a ".")
-    d['@open'] || cds.error (`Property "${e}" does not exist in ${d.name}`, {status:400})
+    if (d['@open']) return
+    const target = d.name ?? path.reduce((p, n) => this._targetFromPath(p, n), '')
+    cds.error (`Property "${e}" does not exist in ${target}`, { status: 400, target }) 
   }
 }
 
@@ -209,12 +217,12 @@ class struct extends $any {
       if (each.$struct in data) continue // got struct for flattened element/fk, e.g. {author:{ID:1}}
       if ((each.elements && each.kind !== 'param' ) || each.foreignKeys) continue // skip struct-likes as we check flat payloads above, and deep payloads via struct.validate(), parameters don't have flat elements
       if (each.isAssociation) continue // unmanaged associations are always ignored (no value like)
-      else ctx.error (ASSERT_MANDATORY, path_, each.name)
+      else ctx.error (ASSERT_MANDATORY, path_, each.name, each['@mandatory.message'] || each['@mandatory'])
     }
     // check values of given data
     for (let each in data) { // will work for structured payloads as well as flattened ones with universal CSN
       let /** @type {$any} */ d = Object.hasOwn(elements, each) && elements[each]
-      if (!d || (d['@cds.api.ignore'] && ctx.rejectIgnore)) ctx.unknown (each, this, data)
+      if (!d || (d['@cds.api.ignore'] && ctx.rejectIgnore)) ctx.unknown (each, this, data, path_)
       else if (ctx.cleanse && d._is_readonly() && !d.key) delete data[each]
       else if (ctx.cleanse && d._is_immutable() && !ctx.insert && !path) delete data[each] // @Core.Immutable processed only for root, children are handled when knowing db state
       else if (d['@cds.validate'] !== false) d.validate (data[each], path_, ctx)

package/libx/_runtime/common/generic/flows.js

@@ -9,24 +9,20 @@ const FLOW_PREVIOUS = '$flow.previous'
 
 const $transitions_ = Symbol.for('transitions_')
 
-function buildAllowedCondition(action, statusElementName, statusEnum) {
+function isCurrentStatusInFrom(result, action, statusElementName, statusEnum) {
   const fromList = getFrom(action)
-  const conditions = fromList.map(from => {
+  const allowed = fromList.filter(from => {
     const value = from['#'] ? (statusEnum[from['#']]?.val ?? statusEnum[from['#']]['$path'].at(-1)) : from
-    return `${statusElementName} = ${typeof value === 'string' ? `'${value}'` : value}`
+    return result[statusElementName] === value
   })
-  return `(${conditions.join(' OR ')})`
-}
-
-async function isCurrentStatusInFrom(subject, action, statusElementName, statusEnum) {
-  const cond = buildAllowedCondition(action, statusElementName, statusEnum)
-  const parsedXpr = cds.parse.expr(cond)
-  const dbEntity = await SELECT.one.from(subject).where(parsedXpr)
-  return dbEntity !== undefined
+  return allowed.length
 }
 
 async function checkStatus(subject, action, statusElementName, statusEnum) {
-  const allowed = await isCurrentStatusInFrom(subject, action, statusElementName, statusEnum)
+  const result = await SELECT.one.from(subject)
+  if (!result) cds.error(404)
+
+  const allowed = isCurrentStatusInFrom(result, action, statusElementName, statusEnum)
   if (!allowed) {
     const from = getFrom(action)
     const fromValues = JSON.stringify(from.flatMap(el => Object.values(el)))

package/libx/_runtime/messaging/enterprise-messaging-utils/registerEndpoints.js

@@ -29,7 +29,7 @@ class EndpointRegistry {
     cds.app.use(basePath, cds.middlewares.context())
     if (_IS_SECURED) {
       // unofficial XSUAA fallback
-      if (cds.env.requires.messaging.xsuaa) {
+      if (cds.env.requires.messaging?.xsuaa) {
         cds.app.use(basePath, _xsuaa_fallback())
       } else {
         cds.app.use(basePath, cds.middlewares.auth())

package/libx/odata/middleware/error.js

@@ -56,7 +56,7 @@ const _normalize = (err, req, keep,
   const status = err.status || err.statusCode || _status4(err) || _reduce(details)
 
   // Determine error code and message
-  const key = err.message || err.code || status
+  const key = err.message || err.code || status // REVISIT: Should we use the message over the code every time?
   const msg = i18n.messages.at (key, '', err.args) // lookup messages for log output from factory default texts
   if (msg && msg !== key) {
     if (typeof err.code !== 'string') err.code = key

package/libx/odata/parse/afterburner.js

@@ -85,7 +85,7 @@ function _addDefaultParams(ref, view) {
 }
 
 function getResolvedElement(entity, { ref }) {
-  const element = entity.elements[ref[0]]
+  const element = entity.elements[ref[0]?.id ?? ref[0]]
 
   if (element && element.isAssociation && ref.length > 1) {
     return getResolvedElement(element._target, { ref: ref.slice(1) })
@@ -782,7 +782,9 @@ function _validateXpr(xpr, target, isOne, model, aliases = []) {
     .map(element => element.name)
   const newFoundAliases = []
 
-  for (const x of xpr) {
+  for (let i = 0; i < xpr.length; i++) {
+    const x = xpr[i]
+
     if (x.as) newFoundAliases.push(x.as)
 
     if (x.xpr) {
@@ -795,9 +797,7 @@ function _validateXpr(xpr, target, isOne, model, aliases = []) {
 
       if (x.ref[0].where) {
         const element = target.elements[refName]
-        if (!element) {
-          _doesNotExistError(true, refName, target.name)
-        }
+        if (!element) _doesNotExistError(true, refName, target.name)
         _validateXpr(x.ref[0].where, element._target ?? element.items, isOne, model)
       }
 
@@ -818,28 +818,34 @@ function _validateXpr(xpr, target, isOne, model, aliases = []) {
         }
       }
 
+      if (xpr[i - 1] === 'exists') {
+        const element = getResolvedElement(target, x)
+        if (!element.isAssociation)
+          cds.error({ status: 400, message: 'Invalid use of lambda any / all on a non-association' })
+        if (element.is2one)
+          cds.error({ status: 400, message: 'Invalid use of lambda any / all on an association to one' })
+      }
+
       if (x.expand) {
         let element = target.elements[refName]
+
         if (element.kind === 'element' && element.elements) {
           // structured
           _validateXpr([{ ref: x.ref.slice(1) }], element, isOne, model)
           element = _structProperty(x.ref.slice(1), element)
         }
+
         const target_service = _get_service_of(target)
+
         if (!element._target || element._target._service !== target_service) {
-          _doesNotExistError(
-            true,
-            refName,
-            target_service ? target.name.replace(target_service.name + '.', '') : target.name
-          )
+          const targetName = target_service ? target.name.replace(target_service.name + '.', '') : target.name
+          _doesNotExistError(true, refName, targetName)
         }
+
         _validateXpr(x.expand, element._target, false, model)
-        if (x.where) {
-          _validateXpr(x.where, element._target, false, model)
-        }
-        if (x.orderBy) {
-          _validateXpr(x.orderBy, element._target, false, model)
-        }
+
+        if (x.where) _validateXpr(x.where, element._target, false, model)
+        if (x.orderBy) _validateXpr(x.orderBy, element._target, false, model)
       }
     }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sap/cds",
-  "version": "9.6.0",
+  "version": "9.6.2",
   "description": "SAP Cloud Application Programming Model - CDS for Node.js",
   "homepage": "https://cap.cloud.sap/",
   "keywords": [