From 201ba0376280157a2e211ad172eca647552b10d5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=BCrno=20Ader?=
Date: Mon, 2 Nov 2015 16:52:55 +0200
Subject: [PATCH] Safer custom fields
---
constance/admin.py | 21 +++++++++++++------
.../admin/constance/change_list.html | 2 +-
2 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/constance/admin.py b/constance/admin.py
index 32bc15a..37c3cd3 100644
--- a/constance/admin.py
+++ b/constance/admin.py
@@ -15,6 +15,7 @@ from django.template.response import TemplateResponse
from django.utils import six
from django.utils.encoding import smart_bytes
from django.utils.formats import localize
+from django.utils.module_loading import import_string
from django.utils.translation import ugettext_lazy as _
import django
@@ -43,13 +44,21 @@ FIELDS = {
float: (fields.FloatField, {'widget': NUMERIC_WIDGET}),
}
+
def parse_additional_fields(fields):
- for key in fields:
- field = fields[key]
- field[0] = eval(field[0])
- if 'widget' in field[1]:
- field[1]['widget'] = eval(field[1]['widget'])
- return fields
+ for key in fields:
+ field = fields[key]
+
+ field[0] = import_string(field[0])
+
+ if 'widget' in field[1]:
+ klass = import_string(field[1]['widget'])
+ field[1]['widget'] = klass(**(field[1].get('widget_kwargs', {}) or {}))
+
+ if 'widget_kwargs' in field[1]:
+ del field[1]['widget_kwargs']
+
+ return fields
FIELDS.update(parse_additional_fields(settings.ADDITIONAL_FIELDS))
diff --git a/constance/templates/admin/constance/change_list.html b/constance/templates/admin/constance/change_list.html
index 746e263..71c7da1 100644
--- a/constance/templates/admin/constance/change_list.html
+++ b/constance/templates/admin/constance/change_list.html
@@ -36,7 +36,7 @@
{% block bodyclass %}change-list{% endblock %}
{% block content %}
-
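Review bot: The rewritten parse_additional_fields still mutates settings.ADDITIONAL_FIELDS in place, so after the first run field[0] is already a class and field[1]['widget'] a widget instance; any later evaluation of the module-level `FIELDS.update(parse_additional_fields(...))` (a reload, or a test that re-imports constance.admin) hands non-strings to import_string and raises, and 'widget_kwargs' has by then been deleted from the settings entry. Building a fresh entry per key avoids that, and renaming the loop parameter stops it shadowing the `fields` module that the FIELDS table just above uses (`fields.FloatField`). The function also needs a docstring stating the accepted entry shape, which is currently only discoverable from the loop: a two-item sequence of a dotted field-class path and a kwargs dict, whose optional 'widget' is a dotted widget-class path and whose optional 'widget_kwargs' are passed to that widget's constructor, all taken from operator-controlled settings. Swapping eval for import_string is the right move; the sketch below keeps the list-valued entries the original produces.
```python
def parse_additional_fields(fields):
    """Resolve dotted paths in ADDITIONAL_FIELDS entries into classes/instances.

    Each value is ``[field_class_path, field_kwargs]``; ``field_kwargs`` may hold a
    dotted ``'widget'`` path and ``'widget_kwargs'`` for that widget. The input
    mapping is not modified, so the function is safe to run more than once.
    """
    parsed = {}
    for key, (field_path, field_kwargs) in fields.items():
        field_kwargs = dict(field_kwargs)
        widget_kwargs = field_kwargs.pop('widget_kwargs', None) or {}
        if 'widget' in field_kwargs:
            field_kwargs['widget'] = import_string(field_kwargs['widget'])(**widget_kwargs)
        parsed[key] = [import_string(field_path), field_kwargs]
    return parsed
```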
+
{% csrf_token %}
{% if form.errors %}