diff --git a/circle/dashboard/views.py b/circle/dashboard/views.py index 4767891..f444e5c 100644 --- a/circle/dashboard/views.py +++ b/circle/dashboard/views.py @@ -2121,23 +2121,29 @@ class VmCreate(LoginRequiredMixin, TemplateView): if not request.user.has_perm('vm.create_vm'): raise PermissionDenied() - form_error = form is not None - template = (form.template.pk if form_error - else request.GET.get("template")) - templates = InstanceTemplate.get_objects_with_level( - 'user', request.user, disregard_superuser=True) - if form is None and template: - form = self.form_class(user=request.user, - template=templates.get(pk=template)) + if form is None: + template_pk = request.GET.get("template") + else: + template_pk = form.template.pk + + if template_pk: + template = get_object_or_404(InstanceTemplate, pk=template_pk) + if not template.has_level(request.user, 'user'): + raise PermissionDenied() + if form is None: + form = self.form_class(user=request.user, template=template) + else: + templates = InstanceTemplate.get_objects_with_level( + 'user', request.user, disregard_superuser=True) context = self.get_context_data(**kwargs) - if template: + if template_pk: context.update({ 'template': 'dashboard/_vm-create-2.html', 'box_title': _('Customize VM'), 'ajax_title': True, 'vm_create_form': form, - 'template_o': templates.get(pk=template), + 'template_o': template, }) else: context.update({ @@ -2163,18 +2169,15 @@ class VmCreate(LoginRequiredMixin, TemplateView): def __create_customized(self, request, *args, **kwargs): user = request.user + # no form yet, using POST directly: + template = get_object_or_404(InstanceTemplate, + pk=request.POST.get("template")) form = self.form_class( - request.POST, user=request.user, - template=InstanceTemplate.objects.get( - pk=request.POST.get("template") - ) - ) + request.POST, user=request.user, template=template) if not form.is_valid(): return self.get(request, form, *args, **kwargs) post = form.cleaned_data - template = InstanceTemplate.objects.get(pk=post['template']) - # permission check if not template.has_level(user, 'user'): raise PermissionDenied()