auth-valid-restrict-where
Rule Details
The where property of a @restrict privilege defines a filter expression that restricts access at the instance level (optional). This rule checks that the values of @restrict.where are valid, that is, the filter expression must be a valid expression that compiles without any errors.
Examples
✅ Correct example
In the following example, the @restrict privilege is defined with a valid where property CreatedBy = $user:
cds
using { sap.capire.bookshop as my } from '../db/schema';
service CatalogService {
  @(restrict: [{ grant: 'READ', to: 'Viewer', where: 'CreatedBy = $user' }])
  @readonly entity ListOfBooks as projection on Books excluding { descr };
  @readonly entity Books as projection on my.Books { *,
    author.name as author
  } excluding { createdBy, modifiedBy };
}
❌ Incorrect example
In the next example, the @restrict privilege is defined with an invalid where property CreatedBy === $user. Since this is not a valid filter expression according to the CDS compiler, the rule reports a warning:
cds
using { sap.capire.bookshop as my } from '../db/schema';
service CatalogService {
  @(restrict: [{ grant: 'READ', to: 'Viewer', where: 'CreatedBy === $user' }])
  // invalid `where` expression, the equality operator is `=`
  @readonly entity ListOfBooks as projection on Books excluding { descr };
  @readonly entity Books as projection on my.Books { *,
    author.name as author
  } excluding { createdBy, modifiedBy };
}
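The same kind of check can be run over a compiled model outside the editor, for example as a build gate. The sketch below is an added example, not code from @sap/eslint-plugin-cds. It assumes the model is available as CSN with @restrict entries whose where is a string, and that the parser passed in throws on an expression that does not compile (in a CAP project that would be cds.parse.expr from @sap/cds). The function names, the stand-in parser and the CSN sample are constructed for illustration.

```javascript
// Yield every string-valued `where` of a @restrict annotation in a CSN model,
// covering services, entities and bound actions/functions.
function* restrictWhereClauses(csn) {
  for (const [name, def] of Object.entries(csn.definitions || {})) {
    const targets = [[name, def]];
    for (const [action, actionDef] of Object.entries(def.actions || {})) {
      targets.push([`${name}.${action}`, actionDef]);
    }
    for (const [target, node] of targets) {
      const privileges = node['@restrict'];
      if (!Array.isArray(privileges)) continue;
      for (const [index, privilege] of privileges.entries()) {
        if (privilege && typeof privilege.where === 'string') {
          yield { target, index, where: privilege.where };
        }
      }
    }
  }
}

// Return one finding per where clause that parseExpr rejects by throwing.
// Assumption: in a CAP project parseExpr would be cds.parse.expr from @sap/cds.
function findInvalidWhere(csn, parseExpr) {
  const findings = [];
  for (const clause of restrictWhereClauses(csn)) {
    try {
      parseExpr(clause.where);
    } catch (err) {
      findings.push({ ...clause, error: String((err && err.message) || err) });
    }
  }
  return findings;
}

// Constructed stand-in parser: rejects only the `===` operator from the
// incorrect example, so the block runs without @sap/cds installed.
function standInParse(expr) {
  if (expr.includes('===')) throw new SyntaxError('unexpected operator ===');
  return expr;
}

// Constructed CSN fragment using the two where values from this page.
const SAMPLE_CSN = { definitions: {
  'CatalogService.ListOfBooks': { kind: 'entity',
    '@restrict': [{ grant: 'READ', to: 'Viewer', where: 'CreatedBy = $user' }] },
  'CatalogService.Books': { kind: 'entity',
    '@restrict': [{ grant: 'READ', to: 'Viewer', where: 'CreatedBy === $user' }] },
} };
console.log(findInvalidWhere(SAMPLE_CSN, standInParse));
```

Each finding names the annotated definition, the index of the privilege inside its @restrict array and the parser's message, which is enough to fail a pipeline step and point at the offending entry.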
Version
This rule was introduced in @sap/eslint-plugin-cds 2.4.1.