@posiwise/common-services 0.2.6 → 0.2.8
|
@@ -1452,6 +1452,9 @@ class PermissionService {
|
|
|
1452
1452
|
if (!permission) {
|
|
1453
1453
|
return false;
|
|
1454
1454
|
}
|
|
1455
|
+
if (typeof permission === 'boolean') {
|
|
1456
|
+
return permission;
|
|
1457
|
+
}
|
|
1455
1458
|
let expr = '';
|
|
1456
1459
|
if (permission === PERMISSION_NAMES.SuperAdmin) {
|
|
1457
1460
|
return this.isSuperAdmin();
|
|
@@ -1479,22 +1482,23 @@ class PermissionService {
|
|
|
1479
1482
|
// Now expr is made of true/false values with &&, ||, ()
|
|
1480
1483
|
// Safe parser: no eval() - CSP 'unsafe-eval' not required
|
|
1481
1484
|
const ourResult = this.evaluateBooleanExpression(expr);
|
|
1482
|
-
|
|
1485
|
+
// Comparison: warn if result differs from legacy eval (for verification, no behavior change)
|
|
1483
1486
|
try {
|
|
1484
|
-
|
|
1487
|
+
// eslint-disable-next-line no-eval
|
|
1488
|
+
const evalResult = eval(expr);
|
|
1489
|
+
const evalAsBool = !!evalResult;
|
|
1490
|
+
if (evalAsBool !== ourResult) {
|
|
1491
|
+
console.warn('[PermissionService] Result diff vs eval:', {
|
|
1492
|
+
expr,
|
|
1493
|
+
ourResult,
|
|
1494
|
+
evalResult
|
|
1495
|
+
});
|
|
1496
|
+
}
|
|
1485
1497
|
}
|
|
1486
1498
|
catch {
|
|
1487
|
-
|
|
1488
|
-
}
|
|
1489
|
-
if (ourResult !== evalResult) {
|
|
1490
|
-
console.warn('[PermissionService] MISMATCH - parser vs eval', {
|
|
1491
|
-
permission,
|
|
1492
|
-
expr: expr.trim(),
|
|
1493
|
-
ourResult,
|
|
1494
|
-
evalResult
|
|
1495
|
-
});
|
|
1499
|
+
// eval blocked (CSP) or invalid - skip comparison
|
|
1496
1500
|
}
|
|
1497
|
-
return
|
|
1501
|
+
return ourResult;
|
|
1498
1502
|
}
|
|
1499
1503
|
/** Safe boolean expression parser - replaces eval() for CSP compliance. */
|
|
1500
1504
|
evaluateBooleanExpression(expr) {
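Review bot: The new code still executes `eval(expr)` on every call (new line 1488, with the `no-eval` lint rule silenced on 1487), so this hunk does not deliver what the comment on 1483 (`Safe parser: no eval() - CSP 'unsafe-eval' not required`) and the docstring on 1503 claim; wherever no restrictive CSP is in force the legacy eval runs exactly as before, and its result is only used to feed a console.warn. Since `expr` is assembled from the permission string, the eval path stays reachable from whatever supplies permission definitions, and the `catch` on 1498–1499 swallows every error, not only CSP rejections, so a malformed `expr` that makes the parser and eval disagree is never surfaced. If a rollout comparison is really wanted, gate it behind an explicit opt-in debug option (a constructor flag, name to be chosen) and remove it once verified; otherwise drop the `try` block entirely and keep only `return ourResult;`. Either way the 1483 comment should not say "no eval()" while the call is present. The enclosing method starts above this hunk.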
|
|
@@ -1531,17 +1535,23 @@ class PermissionService {
|
|
|
1531
1535
|
return (this.evaluateBooleanExpression(left) && this.evaluateBooleanExpression(right));
|
|
1532
1536
|
}
|
|
1533
1537
|
}
|
|
1538
|
+
// Strip matching outer parens - only when first ( and last ) are a pair
|
|
1534
1539
|
if (expr.startsWith('(') && expr.endsWith(')')) {
|
|
1535
1540
|
let d = 0;
|
|
1536
|
-
for (let j =
|
|
1541
|
+
for (let j = 0; j < expr.length; j++) {
|
|
1537
1542
|
if (expr[j] === '(')
|
|
1538
1543
|
d++;
|
|
1539
|
-
if (expr[j] === ')')
|
|
1544
|
+
else if (expr[j] === ')')
|
|
1540
1545
|
d--;
|
|
1546
|
+
if (d === 0) {
|
|
1547
|
+
if (j === expr.length - 1) {
|
|
1548
|
+
return this.evaluateBooleanExpression(expr.substring(1, expr.length - 1));
|
|
1549
|
+
}
|
|
1550
|
+
break;
|
|
1551
|
+
}
|
|
1541
1552
|
if (d < 0)
|
|
1542
|
-
|
|
1553
|
+
break;
|
|
1543
1554
|
}
|
|
1544
|
-
return this.evaluateBooleanExpression(expr.substring(1, expr.length - 1));
|
|
1545
1555
|
}
|
|
1546
1556
|
return false;
|
|
1547
1557
|
}
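Review bot: `if (d < 0) break;` on new lines 1552–1553 is now unreachable: `d` is 1 after the opening paren at `j === 0`, changes by at most one per iteration, and the new `if (d === 0)` block on 1546 returns or breaks the first time it reaches 0, so it can never become negative; the two lines can be deleted. The comment on 1538 could also say what happens when the outer parens are not a pair — control falls through to the `return false;` on 1556 — e.g. `// Strip matching outer parens; if the first ( does not close at the last ), fall through to return false`, presumably because the `||`/`&&` splits above have already consumed any top-level operator (that code is outside this hunk, so worth confirming). The enclosing method starts above this hunk.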
|
|
@@ -1549,6 +1559,8 @@ class PermissionService {
|
|
|
1549
1559
|
if (typeof permission !== 'boolean') {
|
|
1550
1560
|
permission.split(' ').forEach(x => {
|
|
1551
1561
|
const raw = x.trim();
|
|
1562
|
+
if (!raw)
|
|
1563
|
+
return;
|
|
1552
1564
|
if (['||', '&&', '(', ')'].includes(raw)) {
|
|
1553
1565
|
expr += ` ${raw} `;
|
|
1554
1566
|
}
|