From b02c9fa78487d158c5737e9ed7b11bb848d38555 Mon Sep 17 00:00:00 2001
From: Kálmán Viktor <kviktor@cloud.bme.hu>
Date: Tue, 19 Nov 2013 15:56:14 +0100
Subject: [PATCH] dashboard: permission check for activity view

---
 circle/dashboard/views.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/circle/dashboard/views.py b/circle/dashboard/views.py
index b85befc..3066a9c 100644
--- a/circle/dashboard/views.py
+++ b/circle/dashboard/views.py
@@ -335,6 +335,9 @@ def mass_delete_vm(request, **kwargs):
 
 @require_POST
 def vm_activity(request, pk):
+    if not object.has_level(request.user, 'owner'):
+        raise PermissionDenied()
+
     latest = request.POST.get('latest')
     latest_sub = request.POST.get('latest_sub')
 
--
libgit2 0.26.0