@posiwise/common-services 0.2.5 → 0.2.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -1478,9 +1478,23 @@ class PermissionService {
|
|
|
1478
1478
|
expr = this.handleNonBooleanPermissions(permission, expr, productKey, permission_key, productSlug);
|
|
1479
1479
|
// Now expr is made of true/false values with &&, ||, ()
|
|
1480
1480
|
// Safe parser: no eval() - CSP 'unsafe-eval' not required
|
|
1481
|
-
const
|
|
1482
|
-
|
|
1483
|
-
|
|
1481
|
+
const ourResult = this.evaluateBooleanExpression(expr);
|
|
1482
|
+
let evalResult;
|
|
1483
|
+
try {
|
|
1484
|
+
evalResult = eval(expr.trim());
|
|
1485
|
+
}
|
|
1486
|
+
catch {
|
|
1487
|
+
evalResult = undefined;
|
|
1488
|
+
}
|
|
1489
|
+
if (ourResult !== evalResult) {
|
|
1490
|
+
console.warn('[PermissionService] MISMATCH - parser vs eval', {
|
|
1491
|
+
permission,
|
|
1492
|
+
expr: expr.trim(),
|
|
1493
|
+
ourResult,
|
|
1494
|
+
evalResult
|
|
1495
|
+
});
|
|
1496
|
+
}
|
|
1497
|
+
return this.evaluateBooleanExpression(expr);
|
|
1484
1498
|
}
|
|
1485
1499
|
/** Safe boolean expression parser - replaces eval() for CSP compliance. */
|
|
1486
1500
|
evaluateBooleanExpression(expr) {
|