diff --git a/circle/dashboard/views.py b/circle/dashboard/views.py
index 60d2607..2af86a1 100644
--- a/circle/dashboard/views.py
+++ b/circle/dashboard/views.py
@@ -1988,6 +1988,8 @@ class FavouriteView(TemplateView):
     def post(self, *args, **kwargs):
         user = self.request.user
         vm = Instance.objects.get(pk=self.request.POST.get("vm"))
+        if not vm.has_level(user, 'user'):
+            raise PermissionDenied()
         try:
             Favourite.objects.get(instance=vm, user=user).delete()
             return HttpResponse("Deleted.")
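Review bot: The lookup just above the new check, `Instance.objects.get(pk=self.request.POST.get("vm"))`, still runs before authorization and raises `Instance.DoesNotExist` uncaught for an unknown or missing id. Unless that is handled elsewhere, the caller gets a server error for nonexistent ids and a 403 for existing ones they cannot access, so the response reveals which instance ids exist. I would change the lookup to `vm = get_object_or_404(Instance, pk=self.request.POST.get("vm"))`. If id existence is considered sensitive, the permission failure could also answer with `raise Http404()` so both cases look the same. The `try` body continues outside the hunk, and the hunk does not show whether `PermissionDenied` is already imported in views.py, so that is worth confirming.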