May 31, 2022 at 09:12 AM

Limit SELECT statement inside event handler

Last edit May 31, 2022 at 09:13 AM

Hello experts!

I have a question with regard to authorization inside calls made from a service event handler. Let's say I have the following situation with an entity that is restricted to only allowing a user to see their own entities.

// service.cds
service MyService @(requires: 'authenticated-user') {
  @restrict: [{ grant: 'READ', where: 'createdBy = $user' }]
  entity MyEntity as projection on db.MyEntity;
  action someUnboundActionOnMyEntity();
}

// service.js
srv.on('someUnboundActionOnMyEntity', async req => {
  const { MyEntity } = srv.entities;
  const myEntity = await SELECT.one.from(MyEntity)
    .where({
      createdBy: req.user.id
      // Since the entity is already marked with @restrict in 
      // service.cds, is there a way to safely remove this
      // where-condition?
    });
  /* ... */
});

It seems like the calls inside of someAction() ignore the access restrictions made for MyEntity inside the service. I can solve this by adding the createdBy: req.user.id in every call made, but that seems a bit tough?

Best regards,

Jibbril