
CAP: Restrict annotation seems to not work on OData level with bound actions

Trulov
Participant
0 Kudos

Hi together,

I was just implementing a sample CAP project with bound actions and associated exemplary http requests. At this point I noticed that apparently bound actions are executable on entries that are not visible to the user.

I've created this Github repo for you to test. I think that the last request ("cannotSubmitOtherOrder") in the ./test/requests.http file should not work.

I've read the docs about restricting actions, but I think it should not be possible to execute actions on entities which you're not supposed to see, no?

But maybe I'm missing something 😉

Best Regards
Tom

Accepted Solutions (1)

vansyckel
Advisor
0 Kudos

Hi truloff,

@restrict.where is currently not supported for bound actions/functions. It is in our backlog, but without a timeline.

You can add the test yourself rather easily via our Querying API like this:

// Bound action handler; `this` is the service instance.
this.on('submit', Orders, async function (req) {
  // req.subject addresses the bound Orders instance; reading it through the
  // service applies the entity's @restrict rules for the current user.
  const orders = await this.read(req.subject)
  if (orders.length === 0) req.reject(403)
  // here, the user may see the order
})

Best,
Sebastian
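The pre-check from the answer above, as an added simulation that is not part of the thread and does not use @sap/cds: a stand-in service whose READ applies the instance restriction while the bound action is dispatched straight to its handler. The entity, field and user names (Orders, createdBy, alice, bob) are constructed.

```javascript
// Added simulation (not from the thread, no @sap/cds dependency): a stand-in
// service whose READ on Orders applies an instance restriction equivalent to
// @restrict.where: 'createdBy = $user', while the bound action 'submit' is
// dispatched straight to its handler. Entity, field and user names are constructed.

// Constructed sample data: one order per user.
const ORDERS = [
  { ID: 1, createdBy: 'alice', status: 'open' },
  { ID: 2, createdBy: 'bob',   status: 'open' },
];

// What @restrict.where enforces on READ: a row is visible only to its owner.
function restrictWhere(row, user) {
  return row.createdBy === user.id;
}

class OrdersService {
  constructor(handlers) { this.handlers = handlers; }
  // READ goes through the restriction ...
  read(subject, user) {
    return ORDERS.filter(o => o.ID === subject.ID && restrictWhere(o, user));
  }
  // ... but the bound action does not (the behaviour reported in the question).
  submit(req) { return this.handlers.submit.call(this, req); }
}

// Handler without a pre-check: acts on whatever subject the request names.
function submitUnchecked(req) {
  const order = ORDERS.find(o => o.ID === req.subject.ID);
  order.status = 'submitted';
  return { status: 200, ID: order.ID };
}

// Handler with the pre-check from the answer: re-read the subject through the
// restricted READ path and answer 403 when nothing comes back.
function submitChecked(req) {
  const orders = this.read(req.subject, req.user);
  if (orders.length === 0) return { status: 403 };
  orders[0].status = 'submitted';   // here, the user may see the order
  return { status: 200, ID: orders[0].ID };
}

// Run a handler as `userId` invoking submit on alice's order (ID 1).
function run(handler, userId = 'bob') {
  ORDERS.forEach(o => { o.status = 'open'; });
  const srv = new OrdersService({ submit: handler });
  return srv.submit({ subject: { ID: 1 }, user: { id: userId } });
}
```

Running `run(submitUnchecked)` lets bob submit alice's order, while `run(submitChecked)` returns 403 and leaves the order untouched.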

Trulov
Participant
0 Kudos

Hi Sebastian,

thank you for your quick answer. It would definitely be nice to have such a kind of restrict.where annotation for actions. I'm just thinking of an implementation I did, where the Orders entity itself is an external source, so it would add a lot of delay in the form of http requests to this authentication. Not to mention the readability improvement.

But nevertheless thank you for your solution, I'll go ahead and try it out!

Best Regards
Tom

vansyckel
Advisor
0 Kudos

Hi Tom,

FYI, unfortunately, we'd add the same performance penalty in a generic implementation, as there is no other option than executing a pre-check.

Best,
Sebastian
