Support for input validation on ordinal types (@assert.range) and string expressions (@assert.format) has been added. All valid constraints defined on entity elements of simple type are checked in an early BEFORE-handler of the CDS service. CUD requests that violate one of the constraints are rejected.
Instance-based authorization is active by default: the where conditions of @restrict-annotated entities are evaluated for the events READ, UPDATE, and DELETE. There are some limitations related to paths in the where expression, see Java > Security.
Introduced an enhanced expression parser for the where condition, which allows automatic type conversion of user attributes.
Grants for draft-related events such as draftEdit, DRAFT_CANCEL, or DRAFT_NEW are derived from the grants of standard CQN events. For instance, a granted CREATE event also implies DRAFT_NEW. Previously, draft events had to be listed in @restrict annotations to permit access.
The where condition of @restrict no longer applies to draft entities on events READ, DELETE, and UPDATE. This makes it possible to create and edit draft entities that temporarily don't match the condition. The condition is checked when the draft entity is activated.
Support for the new keyword $UNRESTRICTED in user attribute value lists. Soon XSUAA will issue JWT tokens with potential $UNRESTRICTED string values in the attribute lists of unrestricted users. Unrestricted attributes will be dropped by the runtime when evaluating the where conditions of @restrict-annotated entities during instance-based authorization. The former logic - unrestricted access indicated by empty attribute value lists - will be removed in a later version after a transition period.
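
The $UNRESTRICTED handling described above, modelled in plain Java as an added example (not the CAP runtime's own code). The class, method and flag names are hypothetical, and the model assumes that a dropped attribute places no restriction on rows and that, once the former logic is removed, an empty value list matches nothing.

```java
import java.util.List;
import java.util.stream.Collectors;

// Illustrative model only; none of these names are CAP Java APIs.
public class UnrestrictedAttributeDemo {
    static final String UNRESTRICTED = "$UNRESTRICTED";

    record Order(String id, String country) {}

    // True when the predicate on this attribute is dropped, i.e. it no longer
    // restricts the result. Assumption: the marker anywhere in the list counts.
    static boolean isUnrestricted(List<String> values, boolean legacyEmptyRule) {
        if (values.contains(UNRESTRICTED)) {
            return true;                              // new explicit marker
        }
        return legacyEmptyRule && values.isEmpty();   // former logic (transition period)
    }

    // Models where: 'country = $user.country' for one user attribute value list.
    static List<String> visibleIds(List<Order> rows, List<String> userCountries,
                                   boolean legacyEmptyRule) {
        boolean open = isUnrestricted(userCountries, legacyEmptyRule);
        return rows.stream()
                .filter(o -> open || userCountries.contains(o.country()))
                .map(Order::id)
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample data.
        List<Order> rows = List.of(new Order("1", "DE"),
                                   new Order("2", "US"),
                                   new Order("3", "FR"));

        // Restricted user: only rows whose country is in the attribute list.
        System.out.println(visibleIds(rows, List.of("DE", "FR"), true));
        // Explicit marker: predicate dropped, with or without the former logic.
        System.out.println(visibleIds(rows, List.of(UNRESTRICTED), false));
        // Empty list while the former logic is still active: unrestricted.
        System.out.println(visibleIds(rows, List.of(), true));
        // Empty list after the former logic is removed (assumed): no rows match.
        System.out.println(visibleIds(rows, List.of(), false));
    }
}
```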