auth-valid-restrict-keys
Rule Details
To define authorizations on a fine-grained level, the @restrict annotation allows you to add all kinds of restrictions that are based on static user roles, the request operation, and instance filters. The building block of such a restriction is a single privilege. This rule checks that the privileges defined in @restrict have properly spelled 'to', 'grant', and 'where' keys.
Examples
✅ Correct example
In the following example, the @restrict annotation on CatalogService.ListOfBooks has correctly spelled 'to', 'grant', and 'where' keys in the defined privilege:
using { sap.capire.bookshop as my } from '../db/schema';
service CatalogService {
  @(restrict: [{ grant: 'READ', to: 'Viewer', where: 'CreatedBy = $user' }])
  @readonly entity ListOfBooks as projection on Books excluding { descr };
  @readonly entity Books as projection on my.Books { *,
    author.name as author
  } excluding { createdBy, modifiedBy };
}
❌ Incorrect example
In the next example, the @restrict annotation on CatalogService.ListOfBooks has typos in the 'grant' key ('grants' instead of 'grant'), the 'to' key ('too' instead of 'to'), and the 'where' key ('were' instead of 'where'). The rule reports each of them as a warning:
using { sap.capire.bookshop as my } from '../db/schema';
service CatalogService {
  @(restrict: [{ grants: 'READ', too: 'Viewer', were: 'CreatedBy = $user' }])
  // Misspelled key 'grants'. Did you mean 'grant'?
  // Misspelled key 'too'. Did you mean 'to'?
  // Misspelled key 'were'. Did you mean 'where'?
  @readonly entity ListOfBooks as projection on Books excluding { descr };
  @readonly entity Books as projection on my.Books { *,
    author.name as author
  } excluding { createdBy, modifiedBy };
}
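The same check can be sketched outside ESLint, for example as a CI gate over a compiled model. The following JavaScript is an added example, not the plugin's own code: it assumes the model is available as a CSN-shaped object in which @restrict is an array of privilege objects, and the sample model, the function names, the distance threshold and the "Unknown key" message are constructed for illustration.

```javascript
// Added example (not the plugin's source): report misspelled privilege keys.
const VALID_KEYS = ['grant', 'to', 'where'];

// Levenshtein edit distance using a single rolling row.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // D[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const up = row[j]; // D[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(up + 1, row[j - 1] + 1, diag + cost);
      diag = up;
    }
  }
  return row[b.length];
}

// Walk every definition and inspect each privilege in its @restrict array.
function checkRestrictKeys(csn, maxDistance = 2) { // threshold is an assumption
  const findings = [];
  for (const [entity, def] of Object.entries(csn.definitions || {})) {
    const privileges = def['@restrict'];
    if (!Array.isArray(privileges)) continue;
    privileges.forEach((privilege, index) => {
      for (const key of Object.keys(privilege)) {
        if (VALID_KEYS.includes(key)) continue;
        const [best, dist] = VALID_KEYS
          .map((k) => [k, editDistance(key, k)])
          .sort((x, y) => x[1] - y[1])[0];
        const suggestion = dist <= maxDistance ? best : null;
        const message = suggestion
          ? `Misspelled key '${key}'. Did you mean '${suggestion}'?`
          : `Unknown key '${key}'.`; // hypothetical wording, not from the plugin
        findings.push({ entity, index, key, suggestion, message });
      }
    });
  }
  return findings;
}

// Constructed sample model: one misspelled privilege, one correct privilege.
const sampleCsn = { definitions: {
  'CatalogService.ListOfBooks': { kind: 'entity',
    '@restrict': [{ grants: 'READ', too: 'Viewer', were: 'CreatedBy = $user' }] },
  'CatalogService.Books': { kind: 'entity',
    '@restrict': [{ grant: 'READ', to: 'Viewer', where: 'CreatedBy = $user' }] },
} };
console.log(checkRestrictKeys(sampleCsn).map((f) => f.message).join('\n'));
```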
Version
This rule was introduced in @sap/eslint-plugin-cds 2.4.1.