Safer custom fields

2026-03-16 22:40:24 +00:00 · 2015-11-02 16:52:55 +02:00 · 2015-11-02 16:52:55 +02:00 · 201ba03762
commit 201ba03762
parent 55ddbad52c
2 changed files with 16 additions and 7 deletions
--- a/constance/admin.py
+++ b/constance/admin.py
@ -15,6 +15,7 @@ from django.template.response import TemplateResponse
 from django.utils import six
 from django.utils.encoding import smart_bytes
 from django.utils.formats import localize
+from django.utils.module_loading import import_string
 from django.utils.translation import ugettext_lazy as _
 import django

@ -43,13 +44,21 @@ FIELDS = {
    float: (fields.FloatField, {'widget': NUMERIC_WIDGET}),
 }

+
 def parse_additional_fields(fields):
-   for key in fields:
-      field = fields[key]
-      field[0] = eval(field[0])
-      if 'widget' in field[1]:
-         field[1]['widget'] = eval(field[1]['widget'])
-   return fields
+    for key in fields:
+        field = fields[key]
+
+        field[0] = import_string(field[0])
+
+        if 'widget' in field[1]:
+            klass = import_string(field[1]['widget'])
+            field[1]['widget'] = klass(**(field[1].get('widget_kwargs', {}) or {}))
+
+            if 'widget_kwargs' in field[1]:
+                del field[1]['widget_kwargs']
+
+    return fields


 FIELDS.update(parse_additional_fields(settings.ADDITIONAL_FIELDS))
--- a/constance/templates/admin/constance/change_list.html
+++ b/constance/templates/admin/constance/change_list.html
@ -36,7 +36,7 @@
 {% block bodyclass %}change-list{% endblock %}

 {% block content %}
-  <div id="content-main">
+  <div id="content-main" class="constance">
    <div class="module" id="changelist">
        <form id="changelist-form" action="" method="post">{% csrf_token %}
            {% if form.errors %}