From ed03b537ba85b76a11ed67ff366889d159331d44 Mon Sep 17 00:00:00 2001 From: Vladimir Mikhaylenko Date: Mon, 7 Jul 2025 13:04:54 +0200 Subject: [PATCH 1/8] Java: Document `@Capabilities.ExpandRestrictions.*` --- guides/security/aspects.md | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/guides/security/aspects.md b/guides/security/aspects.md index 56308c84d..735536e54 100644 --- a/guides/security/aspects.md +++ b/guides/security/aspects.md @@ -528,17 +528,31 @@ The total number of request of OData batches can be limited by application confi
-Settings cds.odataV4.batch.maxRequests resp. cds.odataV2.batch.maxRequests specify the corresponding limits. +Use settings cds.odataV4.batch.maxRequests resp. cds.odataV2.batch.maxRequests to limit the amount of queries per OData `$batch`.
+
+ +To prevent clients from requesting too much data, you can define restrictions on `$expands` for your entities: + +- Use `@Capabilities.ExpandRestrictions.Expandable: false` to prevent any expands from the entity. +- Use `@Capabilities.ExpandRestrictions.NonExpandableProperties: [...]` to restrict expands for certain properties. +- Use `@Capabilities.ExpandRestrictions.MaxLevels: ...` to set maximum allowed depth of an `$expand` from this entity. You can set an application-wide limit with cds.query.restrictions.expand.maxLevels = \ that applies to all entities. Value `-1` indicates absence of limit. + +Good candidates for expand restrictions are associations to the same type (for example, when your entity represents tree or a hierarchy) or backlink associations of the compositions or many-to-many associations. + +
+ +
+ ::: warning ❗ CAP applications have to limit the amount of `$expands` per request in a custom handler. -Also the maximum amount of requests per `$batch` request need to be configured as follows: -- Node.js: cds.odata.batch_limit = \ -- Java: cds.odataV4.batch.maxRequests = \ +Also the maximum amount of requests per `$batch` request need to be configured with cds.odata.batch_limit = \ ::: +
+ ::: tip Design your CDS services exposed to web adapters on need-to-know basis. Be especially careful when exposing associations. ::: From 299bf0e9e13265b7a538b79f1b64f82911d5fbae Mon Sep 17 00:00:00 2001 From: Vladimir Mikhaylenko Date: Mon, 7 Jul 2025 13:07:21 +0200 Subject: [PATCH 2/8] Fix --- guides/security/aspects.md | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/guides/security/aspects.md b/guides/security/aspects.md index 735536e54..4aa5266eb 100644 --- a/guides/security/aspects.md +++ b/guides/security/aspects.md @@ -530,17 +530,13 @@ The total number of request of OData batches can be limited by application confi Use settings cds.odataV4.batch.maxRequests resp. cds.odataV2.batch.maxRequests to limit the amount of queries per OData `$batch`. - - -
- To prevent clients from requesting too much data, you can define restrictions on `$expands` for your entities: - Use `@Capabilities.ExpandRestrictions.Expandable: false` to prevent any expands from the entity. - Use `@Capabilities.ExpandRestrictions.NonExpandableProperties: [...]` to restrict expands for certain properties. - Use `@Capabilities.ExpandRestrictions.MaxLevels: ...` to set maximum allowed depth of an `$expand` from this entity. You can set an application-wide limit with cds.query.restrictions.expand.maxLevels = \ that applies to all entities. Value `-1` indicates absence of limit. -Good candidates for expand restrictions are associations to the same type (for example, when your entity represents tree or a hierarchy) or backlink associations of the compositions or many-to-many associations. +Good candidates for expand restrictions are the associations to the same type (for example, when your entity represents tree or a hierarchy) or backlink associations of the compositions or many-to-many associations.
@@ -548,7 +544,7 @@ Good candidates for expand restrictions are associations to the same type (for e ::: warning ❗ CAP applications have to limit the amount of `$expands` per request in a custom handler. -Also the maximum amount of requests per `$batch` request need to be configured with cds.odata.batch_limit = \ +Also, the maximum amount of requests per `$batch` request need to be configured with cds.odata.batch_limit = \ ::: From 6216ec252b7580afb43d16c773ac4c6ec9ef100f Mon Sep 17 00:00:00 2001 From: Vladimir Date: Mon, 7 Jul 2025 13:31:12 +0200 Subject: [PATCH 3/8] Update guides/security/aspects.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Adrian Görler --- guides/security/aspects.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/guides/security/aspects.md b/guides/security/aspects.md index 4aa5266eb..22d0d1f2e 100644 --- a/guides/security/aspects.md +++ b/guides/security/aspects.md @@ -536,7 +536,9 @@ To prevent clients from requesting too much data, you can define restrictions on - Use `@Capabilities.ExpandRestrictions.NonExpandableProperties: [...]` to restrict expands for certain properties. - Use `@Capabilities.ExpandRestrictions.MaxLevels: ...` to set maximum allowed depth of an `$expand` from this entity. You can set an application-wide limit with cds.query.restrictions.expand.maxLevels = \ that applies to all entities. Value `-1` indicates absence of limit. -Good candidates for expand restrictions are the associations to the same type (for example, when your entity represents tree or a hierarchy) or backlink associations of the compositions or many-to-many associations. +Good candidates for expand restrictions are associations to the same type (for example, when your entity represents tree or a hierarchy1>), backlink associations of compositions, or many-to-many associations. + +1>Hierarchical requests from the UI5 tree table do not use expand and are not affected by expand restriction. From 1eb6bf07b5ad3f897550b66e9e9ec3ec47df98aa Mon Sep 17 00:00:00 2001 From: Vladimir Mikhaylenko Date: Mon, 7 Jul 2025 13:34:30 +0200 Subject: [PATCH 4/8] Add java --- guides/security/aspects.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/aspects.md b/guides/security/aspects.md index 22d0d1f2e..261b302f5 100644 --- a/guides/security/aspects.md +++ b/guides/security/aspects.md @@ -534,7 +534,7 @@ To prevent clients from requesting too much data, you can define restrictions on - Use `@Capabilities.ExpandRestrictions.Expandable: false` to prevent any expands from the entity. - Use `@Capabilities.ExpandRestrictions.NonExpandableProperties: [...]` to restrict expands for certain properties. -- Use `@Capabilities.ExpandRestrictions.MaxLevels: ...` to set maximum allowed depth of an `$expand` from this entity. You can set an application-wide limit with cds.query.restrictions.expand.maxLevels = \ that applies to all entities. Value `-1` indicates absence of limit. +- Use `@Capabilities.ExpandRestrictions.MaxLevels: ...` to set maximum allowed depth of an `$expand` from this entity. You can set an application-wide limit with cds.query.restrictions.expand.maxLevels = \ that applies to all entities. Value `-1` indicates absence of limit. Good candidates for expand restrictions are associations to the same type (for example, when your entity represents tree or a hierarchy1>), backlink associations of compositions, or many-to-many associations. From 7aeec2ea4ac40b8ea4df3a5ecb8dc8675708e29d Mon Sep 17 00:00:00 2001 From: Vladimir Mikhaylenko Date: Thu, 10 Jul 2025 11:05:18 +0200 Subject: [PATCH 5/8] ApplicationServices --- guides/security/aspects.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/guides/security/aspects.md b/guides/security/aspects.md index 261b302f5..7c6378e18 100644 --- a/guides/security/aspects.md +++ b/guides/security/aspects.md @@ -536,6 +536,8 @@ To prevent clients from requesting too much data, you can define restrictions on - Use `@Capabilities.ExpandRestrictions.NonExpandableProperties: [...]` to restrict expands for certain properties. - Use `@Capabilities.ExpandRestrictions.MaxLevels: ...` to set maximum allowed depth of an `$expand` from this entity. You can set an application-wide limit with cds.query.restrictions.expand.maxLevels = \ that applies to all entities. Value `-1` indicates absence of limit. +These restrictions also apply on CQN queries sent to the [application services](/java/cqn-services/#application-services). + Good candidates for expand restrictions are associations to the same type (for example, when your entity represents tree or a hierarchy1>), backlink associations of compositions, or many-to-many associations. 1>Hierarchical requests from the UI5 tree table do not use expand and are not affected by expand restriction. From 36e0535e4e10dc815fae27d940f2417f3511e363 Mon Sep 17 00:00:00 2001 From: Vladimir Mikhaylenko Date: Thu, 10 Jul 2025 11:08:59 +0200 Subject: [PATCH 6/8] ApplicationServices --- guides/security/aspects.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/aspects.md b/guides/security/aspects.md index 7c6378e18..5e96118c2 100644 --- a/guides/security/aspects.md +++ b/guides/security/aspects.md @@ -536,7 +536,7 @@ To prevent clients from requesting too much data, you can define restrictions on - Use `@Capabilities.ExpandRestrictions.NonExpandableProperties: [...]` to restrict expands for certain properties. - Use `@Capabilities.ExpandRestrictions.MaxLevels: ...` to set maximum allowed depth of an `$expand` from this entity. You can set an application-wide limit with cds.query.restrictions.expand.maxLevels = \ that applies to all entities. Value `-1` indicates absence of limit. -These restrictions also apply on CQN queries sent to the [application services](/java/cqn-services/#application-services). +These restrictions apply on CQN queries sent to the [application services](/java/cqn-services/#application-services). Good candidates for expand restrictions are associations to the same type (for example, when your entity represents tree or a hierarchy1>), backlink associations of compositions, or many-to-many associations. From a32c233b7631c37594204844c9722dd9af57219f Mon Sep 17 00:00:00 2001 From: Vladimir Mikhaylenko Date: Thu, 10 Jul 2025 11:44:56 +0200 Subject: [PATCH 7/8] ApplicationServices --- guides/security/aspects.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/guides/security/aspects.md b/guides/security/aspects.md index 5e96118c2..9b45c986f 100644 --- a/guides/security/aspects.md +++ b/guides/security/aspects.md @@ -536,7 +536,9 @@ To prevent clients from requesting too much data, you can define restrictions on - Use `@Capabilities.ExpandRestrictions.NonExpandableProperties: [...]` to restrict expands for certain properties. - Use `@Capabilities.ExpandRestrictions.MaxLevels: ...` to set maximum allowed depth of an `$expand` from this entity. You can set an application-wide limit with cds.query.restrictions.expand.maxLevels = \ that applies to all entities. Value `-1` indicates absence of limit. -These restrictions apply on CQN queries sent to the [application services](/java/cqn-services/#application-services). +:::warning +These restrictions apply on CQN queries sent to the [application services](/java/cqn-services/#application-services). +::: Good candidates for expand restrictions are associations to the same type (for example, when your entity represents tree or a hierarchy1>), backlink associations of compositions, or many-to-many associations. From 85aa36f7ff85579c0a5dc223d6de00114fb72e0d Mon Sep 17 00:00:00 2001 From: Vladimir Mikhaylenko Date: Thu, 10 Jul 2025 11:47:34 +0200 Subject: [PATCH 8/8] better wording --- guides/security/aspects.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/aspects.md b/guides/security/aspects.md index 9b45c986f..889d7434b 100644 --- a/guides/security/aspects.md +++ b/guides/security/aspects.md @@ -537,7 +537,7 @@ To prevent clients from requesting too much data, you can define restrictions on - Use `@Capabilities.ExpandRestrictions.MaxLevels: ...` to set maximum allowed depth of an `$expand` from this entity. You can set an application-wide limit with cds.query.restrictions.expand.maxLevels = \ that applies to all entities. Value `-1` indicates absence of limit. :::warning -These restrictions apply on CQN queries sent to the [application services](/java/cqn-services/#application-services). +These restrictions are enforced on 'READ' events on [Application services](/java/cqn-services/#application-services). ::: Good candidates for expand restrictions are associations to the same type (for example, when your entity represents tree or a hierarchy1>), backlink associations of compositions, or many-to-many associations.