auth-valid-restrict-grant
Rule Details
The grant property of a @restrict privilege defines one or more events that the privilege applies to. This rule checks for valid values of @restrict.grant, that is, all standard CDS events (such as READ, CREATE, UPDATE, and DELETE) on entities. It also suggests using only * when the listed events include *, and using only WRITE when the list consists solely of standard CDS events with write semantics (CREATE, DELETE, UPDATE, UPSERT).
Examples
✅ Correct example
In the following example, CatalogService.ListOfBooks is restricted to the READ event for the Viewer role, which is a valid value for @restrict.grant:

using { sap.capire.bookshop as my } from '../db/schema';

service CatalogService {
  @(restrict: [{ grant: 'READ', to: 'Viewer' }])
  @readonly entity ListOfBooks as projection on Books excluding { descr };

  @readonly entity Books as projection on my.Books { *,
    author.name as author
  } excluding { createdBy, modifiedBy };
}
❌ Incorrect example
In the next example, @restrict.grant has a typo in the event (that is, REAAD instead of READ) for the Viewer role. This is not a valid value for @restrict.grant, so the rule reports a warning:

using { sap.capire.bookshop as my } from '../db/schema';

service CatalogService {
  @(restrict: [{ grant: 'REAAD', to: 'Viewer' }])
  // Invalid item 'REAAD'. Did you mean 'READ'?
  @readonly entity ListOfBooks as projection on Books excluding { descr };

  @readonly entity Books as projection on my.Books { *,
    author.name as author
  } excluding { createdBy, modifiedBy };
}
Version
This rule was introduced in @sap/eslint-plugin-cds 2.4.1.