auth-valid-restrict-to
Rule Details
The to property of a @restrict privilege defines one or more user roles or pseudo roles that the privilege applies to. This rule checks that the values of @restrict.to are valid: roles must not be missing or misspelled, and a role list that includes any should be simplified to just any.
Examples
✅ Correct example
The following example shows a correct usage of the @restrict.to annotation, where the to property is set to the Viewer role, which is a valid value:
cds
using { sap.capire.bookshop as my } from '../db/schema';
service CatalogService {
  @(restrict: [{ grant: 'READ', to: 'Viewer', where: 'CreatedBy = $user' }])
  @readonly entity ListOfBooks as projection on Books excluding { descr };
  @readonly entity Books as projection on my.Books { *,
    author.name as author
  } excluding { createdBy, modifiedBy };
}
❌ Incorrect example
The next example leaves the @restrict.to annotation empty, which violates this rule and raises a warning:
cds
using { sap.capire.bookshop as my } from '../db/schema';
service CatalogService {
  @(restrict: [{ grant: 'READ', to: '', where: 'CreatedBy = $user' }])
  // Missing role on CatalogService.ListOfBooks for `@restrict.to`.
  @readonly entity ListOfBooks as projection on Books excluding { descr };
  @readonly entity Books as projection on my.Books { *,
    author.name as author
  } excluding { createdBy, modifiedBy };
}
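The three checks named under Rule Details (missing role, misspelled role, extra roles listed next to any), sketched as an added JavaScript example; this is not the plugin's own code. The appRoles parameter, the finding kinds and the edit-distance threshold of 2 are assumptions, since the page does not say how the rule collects valid role names.

```javascript
// Illustrative re-implementation of the three checks; not the plugin's source.
// CAP pseudo roles; application roles are supplied by the caller (assumption).
const PSEUDO_ROLES = ['any', 'authenticated-user', 'system-user'];

// Levenshtein distance, used to spot probable misspellings of known roles.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let prev = row[0]; // value diagonally up-left of the current cell
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, prev + cost);
      prev = tmp;
    }
  }
  return row[b.length];
}

// Returns the findings for one privilege's `to` value (string or array).
function checkRestrictTo(to, appRoles) {
  const roles = Array.isArray(to) ? to : [to];
  const known = [...PSEUDO_ROLES, ...appRoles];
  const findings = [];
  if (roles.length === 0) findings.push({ kind: 'missing' });
  for (const role of roles) {
    if (typeof role !== 'string' || role.trim() === '') {
      findings.push({ kind: 'missing' });
    } else if (!known.includes(role)) {
      // Unknown name: suggest the first known role within 2 edits (hypothetical threshold).
      const near = known.find(
        (k) => editDistance(role.toLowerCase(), k.toLowerCase()) <= 2
      );
      findings.push({ kind: 'unknown', role, suggestion: near || null });
    }
  }
  // `any` already covers every user, so other roles beside it are redundant.
  if (roles.includes('any') && roles.length > 1) {
    findings.push({ kind: 'simplify', suggestion: 'any' });
  }
  return findings;
}
```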
Version
This rule was introduced in @sap/eslint-plugin-cds 2.4.1.