Implement proper permission check for template details

circle/dashboard/views/template.py

@@ -20,6 +20,7 @@ from datetime import timedelta
 import json
 import logging
 
+import openstack_api
 from braces.views._access import AccessMixin
 from django.contrib import messages
 from django.contrib.auth.models import User
@@ -219,7 +220,7 @@ class TemplateList(LoginRequiredMixin, FilterMixin, SingleTableView):
 
         context['search_form'] = self.search_form
 
-        #TODO: what is this?
+        # TODO: what is this?
 
         # tem0for t in InstanceTemplate.objects.all()
         # #  if t.instance_set.count() < 1]
@@ -279,6 +280,7 @@ class TemplateList(LoginRequiredMixin, FilterMixin, SingleTableView):
     def get_queryset(self):
         return InstanceTemplate.objects.filter(owner_id=self.request.user.id)
 
+
 class TemplateDelete(DeleteViewBase):
     model = InstanceTemplate
     success_message = _("Template successfully deleted.")
@@ -292,19 +294,23 @@ class TemplateDelete(DeleteViewBase):
         object.delete()
 
 
-
-
 class TemplateDetail(LoginRequiredMixin, GraphMixin, SuccessMessageMixin, UpdateView):
     model = InstanceTemplate
     template_name = "dashboard/template-edit.html"
     form_class = TemplateForm
     success_message = _("Successfully modified template.")
 
+    def __get_snapshot_ids(self, request):
+        images = openstack_api.glance.image_list_detailed(request)[0]  # TODO: why nested lists?
+        return [
+            i.id for i in images if hasattr(i, 'image_location') and i.image_location == 'snapshot'
+        ]
+
     def get(self, request, *args, **kwargs):
         template = self.get_object()
 
-        #TODO: multiple users
-        if template.owner_id != request.user.id:
+        snapshot_ids = self.__get_snapshot_ids(request)
+        if template.image_id not in snapshot_ids:
             raise PermissionDenied()
 
         if request.is_ajax():
@@ -392,10 +398,10 @@ class TemplateDetail(LoginRequiredMixin, GraphMixin, SuccessMessageMixin, Update
         return reverse_lazy("dashboard.views.template-detail",
                             kwargs=self.kwargs)
 
-    def post(self, request):
+    def post(self, request, *args, **kwargs):
         template = self.get_object()
-        # TODO: multiple users
-        if template.owner_id != request.user.id:
+        snapshot_ids = self.__get_snapshot_ids(request)
+        if template.image_id not in snapshot_ids:
             raise PermissionDenied()
         return super(TemplateDetail, self).post(self, request, args, kwargs)
 
@@ -404,6 +410,7 @@ class TemplateDetail(LoginRequiredMixin, GraphMixin, SuccessMessageMixin, Update
         kwargs['user'] = self.request.user
         return kwargs
 
+
 #
 # class DiskRemoveView(DeleteViewBase):
 #     model = Disk