feat: reject update/delete without where #676

SamuelBrucksch · 2024-06-06T12:22:36Z

To discuss:

singletons -> check needed?
DELETE Foo(123)/bar -> would fail right now, should we check for to-one?

schiwekM · 2024-08-14T08:42:12Z

To discuss:

singletons -> check needed?

DELETE Foo(123)/bar -> would fail right now, should we check for to-one?

I'd say for singletons not needed and to-one should be excluded as it is spec compliant

danjoa · 2024-09-23T13:55:32Z

db-service/lib/SQLService.js

@@ -21,6 +21,14 @@ const BINARY_TYPES = {

 class SQLService extends DatabaseService {
 init() {
+ this.on(['UPDATE', 'DELETE'], ({ query}, next) => {
+ const cqn = query.UPDATE ?? query.DELETE
+ if (!cqn.where && !cqn.from?.ref?.at(-1).where && !cqn.entity?.ref?.at(-1).where) {


Suggested change

if (!cqn.where && !cqn.from?.ref?.at(-1).where && !cqn.entity?.ref?.at(-1).where) {

if (!cqn.where && !(cqn.from || cqn.entity)?.ref?.at(-1).where) {

danjoa · 2024-09-23T13:58:15Z

db-service/lib/SQLService.js

+ const op = query.DELETE ? 'delete' : 'update'
+ return cds.error(`Trying to ${op} all entites. Call .where(...) explicitely, to ${op} all entities.`)


Suggested change

const op = query.DELETE ? 'delete' : 'update'

return cds.error(`Trying to ${op} all entites. Call .where(...) explicitely, to ${op} all entities.`)

return cds.error(`${query.DELETE ? 'DELETE' : 'UPDATE'} without a where clause, which would affect all entites in the table. Add where 1=1 if your really want to do so`)

reject update/delete without where

120464c

SamuelBrucksch force-pushed the reject-delete-update-all-by-default branch from 287c322 to 120464c Compare June 6, 2024 12:23

SamuelBrucksch changed the title ~~reject update/delete without where~~ feat: reject update/delete without where Jun 6, 2024

SamuelBrucksch and others added 6 commits June 6, 2024 14:25

formatting

fea3729

add explicit delete all to tests

8141bb3

add more checks

2c284d4

more

6948889

fix another test

5040062

Merge branch 'main' into reject-delete-update-all-by-default

7b46778

BobdenOs added the next release pr to be checked for next release label Jun 14, 2024

SamuelBrucksch added 2 commits July 17, 2024 09:20

Merge branch 'main' into reject-delete-update-all-by-default

d677a9c

Merge branch 'main' into reject-delete-update-all-by-default

10dbc2a

johannes-vogel removed the next release pr to be checked for next release label Sep 2, 2024

danjoa reviewed Sep 23, 2024

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: reject update/delete without where #676

feat: reject update/delete without where #676

SamuelBrucksch commented Jun 6, 2024 •

edited

Loading

schiwekM commented Aug 14, 2024

danjoa Sep 23, 2024

danjoa Sep 23, 2024

	if (!cqn.where && !cqn.from?.ref?.at(-1).where && !cqn.entity?.ref?.at(-1).where) {
	if (!cqn.where && !(cqn.from \|\| cqn.entity)?.ref?.at(-1).where) {

		const op = query.DELETE ? 'delete' : 'update'
		return cds.error(`Trying to ${op} all entites. Call .where(...) explicitely, to ${op} all entities.`)

	const op = query.DELETE ? 'delete' : 'update'
	return cds.error(`Trying to ${op} all entites. Call .where(...) explicitely, to ${op} all entities.`)
	return cds.error(`${query.DELETE ? 'DELETE' : 'UPDATE'} without a where clause, which would affect all entites in the table. Add where 1=1 if your really want to do so`)

feat: reject update/delete without where #676

Are you sure you want to change the base?

feat: reject update/delete without where #676

Conversation

SamuelBrucksch commented Jun 6, 2024 • edited Loading

schiwekM commented Aug 14, 2024

danjoa Sep 23, 2024

Choose a reason for hiding this comment

danjoa Sep 23, 2024

Choose a reason for hiding this comment

SamuelBrucksch commented Jun 6, 2024 •

edited

Loading