auth-restrict-grant-service
Rule Details
Restrictions can be defined on different types of CDS resources, but there are some limitations regarding supported privileges (see limitations).
Unsupported privilege properties are ignored by the runtime. For bound or unbound actions, the grant property is implicitly removed (grant: '*' is assumed instead). The same is true for functions. This rule ensures that @restrict.grant at service level and on bound/unbound actions and functions is limited to grant: '*'.
Examples
✅ Correct example
Let's consider the following example with the CatalogService where the function getViewsCount() is restricted to the Admin role, granting all CDS events:
using { sap.capire.bookshop as my } from '../db/schema';
service CatalogService {
  @readonly entity ListOfBooks as projection on Books
    excluding { descr };
  @readonly entity Books as projection on my.Books { *,
    author.name as author
  } excluding { createdBy, modifiedBy };
  @requires: 'authenticated-user'
  function getViewsCount @(restrict: [{ to: 'Admin' }]) () returns Integer;
}
❌ Incorrect example
If you modify the above example and use grant: ['WRITE'] in the privilege of the function, the rule is triggered and reports that the value of grant is limited to '*':
using { sap.capire.bookshop as my } from '../db/schema';
service CatalogService {
  @readonly entity ListOfBooks as projection on Books
    excluding { descr };
  @readonly entity Books as projection on my.Books { *,
    author.name as author
  } excluding { createdBy, modifiedBy };
  @requires: 'authenticated-user'
  action submitOrder ( book: Books:ID, quantity: Integer ) returns { stock: Integer };
  event OrderedBook : { book: Books:ID; quantity: Integer; buyer: String };
  // The grant value provided in @restrict is limited to '*' for function 'CatalogService.getViewsCount'.
  function getViewsCount @(restrict: [{ grant: ['WRITE'], to: 'Admin' }]) () returns Integer;
}
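The check this rule performs can be reproduced over a compiled CSN model. The following is an added example, not the @sap/eslint-plugin-cds implementation; the CSN fragment is constructed here and simplified, and the bound action addReview on Books is assumed for illustration.

```javascript
// Standalone check mirroring auth-restrict-grant-service over a CSN model.
// Services and bound/unbound actions and functions only support grant: '*';
// any other grant value is silently ignored by the runtime, so it is flagged.

// Constructed, simplified CSN fragment for the incorrect example above.
const csn = {
  definitions: {
    'CatalogService': { kind: 'service' },
    'CatalogService.Books': {
      kind: 'entity',
      '@restrict': [{ grant: ['READ'], to: 'authenticated-user' }], // entities support grant
      actions: {
        // assumed bound action with a limited grant: must be flagged
        addReview: { kind: 'action', '@restrict': [{ grant: 'WRITE', to: 'Reviewer' }] },
      },
    },
    'CatalogService.getViewsCount': {
      kind: 'function',
      '@requires': 'authenticated-user',
      '@restrict': [{ grant: ['WRITE'], to: 'Admin' }], // unbound function: must be flagged
    },
  },
};

const CHECKED_KINDS = new Set(['service', 'action', 'function']);

// Grant values of one privilege entry as an array; a missing grant means '*'.
function grantsOf(privilege) {
  if (privilege.grant === undefined) return ['*'];
  return Array.isArray(privilege.grant) ? privilege.grant : [privilege.grant];
}

// One finding per checked definition whose @restrict uses a grant other than '*'.
function checkRestrictGrants(model) {
  const findings = [];
  const inspect = (name, def) => {
    const privileges = def['@restrict'];
    if (!CHECKED_KINDS.has(def.kind) || !Array.isArray(privileges)) return;
    const bad = privileges.flatMap(grantsOf).filter((g) => g !== '*');
    if (bad.length) {
      findings.push({ name, kind: def.kind, grants: bad,
        message: `The grant value provided in @restrict is limited to '*' for ${def.kind} '${name}'.` });
    }
  };
  for (const [name, def] of Object.entries(model.definitions)) {
    inspect(name, def);
    // bound actions/functions live under their entity's `actions` map in CSN
    for (const [action, adef] of Object.entries(def.actions || {})) inspect(`${name}.${action}`, adef);
  }
  return findings;
}
```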
Version
This rule was introduced in @sap/eslint-plugin-cds 2.6.4.