Commit e6f7e48a by Bach Dániel

dashboard: add missing permission check

parent 53386bcc
...@@ -1988,6 +1988,8 @@ class FavouriteView(TemplateView): ...@@ -1988,6 +1988,8 @@ class FavouriteView(TemplateView):
def post(self, *args, **kwargs): def post(self, *args, **kwargs):
user = self.request.user user = self.request.user
vm = Instance.objects.get(pk=self.request.POST.get("vm")) vm = Instance.objects.get(pk=self.request.POST.get("vm"))
if not vm.has_level(user, 'user'):
raise PermissionDenied()
try: try:
Favourite.objects.get(instance=vm, user=user).delete() Favourite.objects.get(instance=vm, user=user).delete()
return HttpResponse("Deleted.") return HttpResponse("Deleted.")
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or sign in to comment