auth-no-empty-restrictions
Rule Details
The @requires annotation is a convenience shortcut for @restrict. You can use it to control which role a user needs in order to access a given resource. Leaving this field empty is dangerous: the service ends up with no restriction at all, so any user can reach it, which is a security risk.
Examples
✅ Correct example
In the following example, the AdminService is correctly set up with @requires granting access to the admin role:
```cds
using { sap.capire.bookshop as my } from '../db/schema';
service AdminService @(requires:'admin') {
  entity Books as projection on my.Books;
}
```
❌ Incorrect example
If you replace the admin role with an empty string or provide an empty role array as shown in the next example, you now have unrestricted access to that service, which the rule makes you aware of:
```cds
using { sap.capire.bookshop as my } from '../db/schema';
// No explicit restrictions provided on service `AdminService`
// at `@requires`.
service AdminService @(requires:'') {
  entity Books as projection on my.Books;
}
```
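The following is an added example, not code from @sap/eslint-plugin-cds or from the CAP project: a stand-alone JavaScript check that walks a compiled CDS model (CSN) and lists every service whose @requires annotation is present but empty, which is the condition this rule reports. It assumes the CSN layout in which each definition carries its annotations as "@requires" properties and services have kind === 'service'; the sample model below is constructed by hand in that shape. It goes slightly beyond the two cases on the page by also treating a role array that contains only empty strings as empty.

```javascript
// Added example, not code from @sap/eslint-plugin-cds: a stand-alone check that
// walks a compiled CDS model (CSN) and lists services whose @requires annotation
// is present but empty, i.e. the situation auth-no-empty-restrictions warns about.
// Assumption: the CSN shape where each definition carries its annotations as
// "@requires" properties and services have kind === 'service'.

function isEmptyRequires(value) {
  // '' (or whitespace only) and [] are the two empty forms named by the rule;
  // an array made up only of empty strings is treated the same way here.
  if (typeof value === 'string') return value.trim() === '';
  if (Array.isArray(value)) {
    return value.length === 0 ||
      value.every(v => typeof v === 'string' && v.trim() === '');
  }
  return false;
}

function findEmptyRestrictions(csn) {
  const findings = [];
  for (const [name, def] of Object.entries(csn.definitions || {})) {
    if (def.kind !== 'service') continue;
    // An absent annotation is a different situation (no @requires at all) and
    // is not what this rule reports, so only explicit values are examined.
    if (!Object.prototype.hasOwnProperty.call(def, '@requires')) continue;
    if (isEmptyRequires(def['@requires'])) {
      findings.push({ service: name, requires: def['@requires'] });
    }
  }
  return findings;
}

// Constructed sample model: the correct and incorrect services from the rule
// page plus one using an empty role array. An entity and a service without any
// @requires are included to show that they are skipped.
const sampleCsn = {
  definitions: {
    'AdminService': { kind: 'service', '@requires': 'admin' },
    'AdminService.Books': { kind: 'entity', projection: { from: { ref: ['my.Books'] } } },
    'OpenService': { kind: 'service', '@requires': '' },
    'ArrayService': { kind: 'service', '@requires': [] },
    'CatalogService': { kind: 'service' },
  },
};

// Stand-alone usage: print the findings for the constructed model.
if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findEmptyRestrictions(sampleCsn)) {
    console.log(`${f.service}: @requires is empty (${JSON.stringify(f.requires)}), access is unrestricted`);
  }
}
```

Run against the constructed model, the check reports OpenService and ArrayService and leaves AdminService alone. Services with no @requires at all are deliberately not reported here, since that is a separate question (a missing restriction rather than an explicitly empty one) and not what this rule covers.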
Version
This rule was introduced in @sap/eslint-plugin-cds 1.0.1.