cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

Broken Authorization in @sap/cds 8.6.0

sven-leonhardt
Explorer

on ‎2025 Jan 09 4:04 PM

0 Kudos
429

I have a cds service secured via "@requires"

 

 

service MyService @(path: '/service/api/v1') @(requires: [
  'AdminRole'
]) {

 

 

When trying to access an entity on this service in CAP 8.5.1 without a proper role assignment I will get the expected error:

{"error":{"code":"403","@Common.numericSeverity":4,"message":"Forbidden"}}

However, when accessing the same entity after updating to CAP 8.6.0 the request is executed and returns a response, completely bypassing the authorization check defined via @requires.

I tested so far only locally via "auth": { "kind": "basic"}, not sure if it also happens with the other authentication strategies

Know the answer?

Help others by sharing your knowledge.

Answer

Need more details?

Request clarification before answering.

Show replies
Show replies
gregorw
SAP Mentor
SAP Mentor
‎2025 Jan 09 4:33 PM
0 Kudos
Have you filed a Case via SAP Support?
patricebender
Product and Topic Expert
Product and Topic Expert
‎2025 Jan 09 4:48 PM
0 Kudos
Hi, could you give us access to your project (or better even, a minimal sample) and provide detailed steps to reproduce this?
sven-leonhardt
Explorer
‎2025 Jan 09 7:31 PM
0 Kudos

Hi patricebender,

I investigated some more, and the issue is not with @requires as initially thought but with @restrict.

This code worked on 8.5.1. When a user without the attribute costCenter = 'DE' tried to access the entity, the call returned 403 - Forbidden

entity MyEntity @(restrict: [{ grant: '*', where: `$user.costCenter = 'DE'`}]) { key ID : Integer; name : String; }

Now with CAP 8.6.0 the call is passed on to the ON READ handler in the javascript implementation.

I found the corresponding change in the CHANGELOG.md of the new version:

+ Simple static clauses (e.g., `$user.level > 5`) are no longer evaluated by the server but added to the respective SQL regardless. As a result, requests may receive a response of `2xx` with an empty body instead of a `403`

I feel like this is a breaking change that should have been mentioned in the December release notes, because now I'll need to perform this check in the ON READ handler of my implementation manually.

 

 

Accepted Solutions (0)

Answers (0)

Ask a Question