auth-restrict-grant-service
Rule Details
Restrictions can be defined on different types of CDS resources, but there are some limitations with regard to supported privileges (see limitations). Unsupported privilege properties are ignored by the runtime. In particular, for bound or unbound actions the grant property is implicitly removed (grant: '*' is assumed instead). The same is true for functions. This rule ensures that @restrict.grant on service level and for bound/unbound actions and functions is limited to grant: '*'.
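The check the rule performs can be illustrated as a small walk over a CSN-like model: every service, bound or unbound action and function that carries an @restrict privilege with a grant other than '*' is reported, while entities may keep any grant. This is an added example, not the plugin's own implementation; the model below is constructed for it and only mimics the CSN shape (definitions keyed by qualified name, bound actions under actions).

```javascript
// Added example (not @sap/eslint-plugin-cds code): a simplified checker that
// mirrors auth-restrict-grant-service over a CSN-like model. The model is
// constructed for this example and only follows the general CSN layout.
const model = {
  definitions: {
    'CatalogService': { kind: 'service', '@restrict': [{ grant: 'READ', to: 'Admin' }] },
    'CatalogService.Books': {
      kind: 'entity',
      // Entities support fine-grained grants, so this one is not reported.
      '@restrict': [{ grant: ['READ', 'WRITE'], to: 'Admin' }],
      actions: {
        // Bound action: grant other than '*' is ignored by the runtime -> reported.
        addReview: { kind: 'action', '@restrict': [{ grant: 'WRITE', to: 'Reviewer' }] },
      },
    },
    'CatalogService.getViewsCount': {
      kind: 'function',
      '@restrict': [{ grant: ['WRITE'], to: 'Admin' }], // unbound function -> reported
    },
    'CatalogService.submitOrder': {
      kind: 'action',
      '@restrict': [{ grant: '*', to: 'authenticated-user' }], // fine
    },
  },
};

// A grant is acceptable when it is absent or is exactly '*' (also as ['*']).
function grantIsWildcard(grant) {
  if (grant === undefined) return true;
  const values = Array.isArray(grant) ? grant : [grant];
  return values.length === 1 && values[0] === '*';
}

// Returns one message per privilege whose grant is not '*' on a service or on a
// bound/unbound action or function, using the wording the rule reports.
function checkRestrictGrants(csn) {
  const findings = [];
  const inspect = (name, def) => {
    if (!['service', 'action', 'function'].includes(def.kind)) return;
    for (const priv of def['@restrict'] || []) {
      if (!grantIsWildcard(priv.grant)) {
        findings.push(`The grant value provided in @restrict is limited to '*' for ${def.kind} '${name}'.`);
      }
    }
  };
  for (const [name, def] of Object.entries(csn.definitions)) {
    inspect(name, def);
    for (const [actName, act] of Object.entries(def.actions || {})) inspect(`${name}.${actName}`, act);
  }
  return findings;
}
```

Running checkRestrictGrants(model) yields three findings (the service, the bound action addReview and the function getViewsCount); the entity and the action with grant: '*' pass.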
Examples
✅ Correct example
Let's consider the following example with the CatalogService, where the function getViewsCount() is restricted to the Admin role, granting all CDS events:
```cds
using { sap.capire.bookshop as my } from '../db/schema';
service CatalogService {
  @readonly entity ListOfBooks as projection on Books
    excluding { descr };
  @readonly entity Books as projection on my.Books { *,
    author.name as author
  } excluding { createdBy, modifiedBy };
  @requires: 'authenticated-user'
  function getViewsCount @(restrict: [{ to: 'Admin' }]) () returns Integer;
}
```
❌ Incorrect example
If we were to slightly modify the above example and use grant: ['WRITE'] in the privilege of the function, the rule would be triggered to inform us that the value of grant is limited to '*':
```cds
using { sap.capire.bookshop as my } from '../db/schema';
service CatalogService {
  @readonly entity ListOfBooks as projection on Books
    excluding { descr };
  @readonly entity Books as projection on my.Books { *,
    author.name as author
  } excluding { createdBy, modifiedBy };
  @requires: 'authenticated-user'
  action submitOrder ( book: Books:ID, quantity: Integer ) returns { stock: Integer };
  event OrderedBook : { book: Books:ID; quantity: Integer; buyer: String };
  // The grant value provided in @restrict is limited to '*' for function 'CatalogService.getViewsCount'.
  function getViewsCount @(restrict: [{ grant: ['WRITE'], to: 'Admin' }]) () returns Integer;
}
```
Version
This rule was introduced in @sap/eslint-plugin-cds 2.6.4.