auth-no-empty-restrictions

Rule Details

The @requires annotation is a convenience shortcut for @restrict. You can use it to control which rule a user needs to have in order to access a given resource. Leaving this field empty is dangerous as it leads to unrestricted access to that service which is a security risk.

Examples

✅ Correct example

In the following example, the AdminService is correctly setup with @requires given the admin role:

srv/admin-service.cds

cds

using { sap.capire.bookshop as my } from '../db/schema';

service AdminService @(requires:'admin') {
  entity Books as projection on my.Books;
}

Open In Playground

❌ Incorrect example

If we were to replace the admin role by an empty string or provide an empty role array as shown in the next example, we now have unrestricted access to that service, which the rule makes us aware of:

srv/admin-service.cds

cds

using { sap.capire.bookshop as my } from '../db/schema';

// No explicit restrictions provided on service `AdminService`
// at `@requires`.
service AdminService @(requires:'') { 
  entity Books as projection on my.Books;
}

Open In Playground

Version

This rule was introduced in @sap/eslint-plugin-cds 1.0.1.

Domain Modeling

Providing Services

Consuming Services

Events & Messaging

Protocols/APIs

Serving UIs

Databases

Security

Data Privacy

Definition Language (CDL)

cds. Services

cds. Events

cds. compile()

cds. linked()

cds. ql

Working with CDS CQL

CQN Services

Event Handlers

Developing Applications

Operating Applications

CDS Lint

Rules Reference

CDS Design Time APIs

auth-no-empty-restrictions

Rule Details

Examples

✅ Correct example

❌ Incorrect example

Version

Rules Reference

auth-no-empty-restrictions ​

Rule Details ​

Examples ​

✅ Correct example ​

❌ Incorrect example ​

Version ​

auth-no-empty-restrictions

Rule Details

Examples

✅ Correct example

❌ Incorrect example

Version