
@sap/eslint-plugin-cds


ESLint plugin including recommended SAP Cloud Application Programming model and environment rules

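'use strict';

/**
 * Tells whether a single `@restrict` entry could be written as `@requires`.
 *
 * Scenario: `@restrict: [ { to: 'Foo', grant: '*' } ]`
 * There must be no `where` condition, as otherwise it wouldn't be equivalent
 * to `@requires`. `to` must not be `null`, as `@requires: null` is not the
 * same as `@restrict: [{to:null}]`.
 * See https://cap.cloud.sap/docs/guides/security/authorization#supported-combinations-with-cds-resources
 * for documentation.
 *
 * NOTE(review): an array-valued `grant` such as `['*']` matches neither
 * `=== '*'` nor the "no grant" case, so it is not reported here; confirm
 * whether that form should be covered as well.
 *
 * @param {object|null|undefined} entry - One element of the `@restrict` array.
 * @returns {boolean} `true` when the entry names a role (`to` is neither
 *   `undefined` nor `null`), grants every event (`'*'` or no `grant` at all)
 *   and carries no `where` condition.
 */
function isEquivalentToRequires(entry) {
  const namesRole = entry?.to !== undefined && entry.to !== null;
  if (!namesRole) return false;

  const grantsEveryEvent = entry.grant === '*' || !entry.grant;
  return grantsEveryEvent && entry.where === undefined;
}

/**
 * CDS lint rule `auth-use-requires`.
 *
 * Visits services, actions and functions of the inferred model and reports
 * those whose `@restrict` annotation contains an entry that only names a role
 * for all events, i.e. one that could be expressed as `@requires`. The rule
 * only compares the shape of the annotation; it does not judge whether the
 * named role is the right one.
 */
module.exports = {
  meta: {
    schema: [{/* to avoid deprecation warning for ESLint 9 */}],
    docs: {
      description: 'Use `@requires` instead of `@restrict.to` in actions and services with unrestricted events.',
      category: 'Model Validation',
      recommended: true,
      version: '2.4.1',
      url: 'https://cap.cloud.sap/docs/tools/cds-lint/rules/auth-use-requires',
    },
    messages: {
      useRequires: 'Use `@requires` instead of `@restrict.to` at {{kind}} `{{name}}`.',
    },
    type: 'problem',
    model: 'inferred',
  },

  /**
   * Builds the visitor object for this rule.
   *
   * @param {object} context - Lint context; `report` and `getNode` are used.
   * @returns {{service: Function, action: Function, function: Function}}
   *   The same check registered for all three definition kinds.
   */
  create(context) {
    /**
     * Reports definition `e` when one of its `@restrict` entries is
     * equivalent to `@requires`.
     *
     * @param {object|null|undefined} e - Definition handed in by the visitor.
     */
    function checkRestrict(e) {
      const restrictions = e?.['@restrict'];
      if (!Array.isArray(restrictions)) return;

      // `some` stops at the first match: max one report per annotation.
      if (!restrictions.some(isEquivalentToRequires)) return;

      context.report({
        messageId: 'useRequires',
        data: { kind: e.kind, name: e.name },
        node: context.getNode(e),
        // A definition without `$location` must not abort the lint run with a
        // TypeError, so the file is read defensively like the fields above.
        file: e.$location?.file,
      });
    }

    return {
      service: checkRestrict,
      action: checkRestrict,
      function: checkRestrict,
    };
  },
};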