@posiwise/common-services 0.2.7 → 0.2.8
|
@@ -1452,6 +1452,9 @@ class PermissionService {
|
|
|
1452
1452
|
if (!permission) {
|
|
1453
1453
|
return false;
|
|
1454
1454
|
}
|
|
1455
|
+
if (typeof permission === 'boolean') {
|
|
1456
|
+
return permission;
|
|
1457
|
+
}
|
|
1455
1458
|
let expr = '';
|
|
1456
1459
|
if (permission === PERMISSION_NAMES.SuperAdmin) {
|
|
1457
1460
|
return this.isSuperAdmin();
|
|
@@ -1478,7 +1481,24 @@ class PermissionService {
|
|
|
1478
1481
|
expr = this.handleNonBooleanPermissions(permission, expr, productKey, permission_key, productSlug);
|
|
1479
1482
|
// Now expr is made of true/false values with &&, ||, ()
|
|
1480
1483
|
// Safe parser: no eval() - CSP 'unsafe-eval' not required
|
|
1481
|
-
|
|
1484
|
+
const ourResult = this.evaluateBooleanExpression(expr);
|
|
1485
|
+
// Comparison: warn if result differs from legacy eval (for verification, no behavior change)
|
|
1486
|
+
try {
|
|
1487
|
+
// eslint-disable-next-line no-eval
|
|
1488
|
+
const evalResult = eval(expr);
|
|
1489
|
+
const evalAsBool = !!evalResult;
|
|
1490
|
+
if (evalAsBool !== ourResult) {
|
|
1491
|
+
console.warn('[PermissionService] Result diff vs eval:', {
|
|
1492
|
+
expr,
|
|
1493
|
+
ourResult,
|
|
1494
|
+
evalResult
|
|
1495
|
+
});
|
|
1496
|
+
}
|
|
1497
|
+
}
|
|
1498
|
+
catch {
|
|
1499
|
+
// eval blocked (CSP) or invalid - skip comparison
|
|
1500
|
+
}
|
|
1501
|
+
return ourResult;
|
|
1482
1502
|
}
|
|
1483
1503
|
/** Safe boolean expression parser - replaces eval() for CSP compliance. */
|
|
1484
1504
|
evaluateBooleanExpression(expr) {
|
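Review bot: The `eval(expr)` added in the second hunk runs on every permission check in the published build, which contradicts the comment just above it (`// Safe parser: no eval() - CSP 'unsafe-eval' not required`) and puts dynamic code evaluation back on an authorization path. `expr` is produced by `handleNonBooleanPermissions`, whose body is outside the hunk; if any fragment of a permission string ever survives substitution, `eval` would run it as code wherever CSP allows it, and the empty `catch` hides that case along with CSP blocks and syntax errors. If the comparison is only for verification, it belongs in a unit test that feeds the same expressions to both evaluators, and the shipped method should end with `return this.evaluateBooleanExpression(expr);`. The `console.warn` payload also writes the full expression and both results to the console, so it should be dropped or gated behind an explicit debug flag before release.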