From 3d7b375ab4f09ac810db5521f13a60b7072ac9f5 Mon Sep 17 00:00:00 2001
From: Eric Lippmann
Date: Thu, 22 Jan 2015 15:23:02 +0100
Subject: [PATCH] Security: Require permissions for executing common service commands
---
 .../application/controllers/ServiceController.php | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/modules/monitoring/application/controllers/ServiceController.php b/modules/monitoring/application/controllers/ServiceController.php
index 06417cc6e..522a02efc 100644
--- a/modules/monitoring/application/controllers/ServiceController.php
+++ b/modules/monitoring/application/controllers/ServiceController.php
@@ -47,6 +47,8 @@ class Monitoring_ServiceController extends MonitoredObjectController
 */
 public function acknowledgeProblemAction()
 {
+ $this->assertPermission('monitoring/command/acknowledge-problem');
+
 $this->view->title = $this->translate('Acknowledge Service Problem');
 $this->handleCommandForm(new AcknowledgeProblemCommandForm());
 }
@@ -56,6 +58,8 @@ class Monitoring_ServiceController extends MonitoredObjectController
 */
 public function addCommentAction()
 {
+ $this->assertPermission('monitoring/command/add-comment');
+
 $this->view->title = $this->translate('Add Service Comment');
 $this->handleCommandForm(new AddCommentCommandForm());
 }
@@ -65,6 +69,8 @@ class Monitoring_ServiceController extends MonitoredObjectController
 */
 public function rescheduleCheckAction()
 {
+ $this->assertPermission('monitoring/command/schedule-check');
+
 $this->view->title = $this->translate('Reschedule Service Check');
 $this->handleCommandForm(new ScheduleServiceCheckCommandForm());
 }
@@ -74,6 +80,8 @@ class Monitoring_ServiceController extends MonitoredObjectController
 */
 public function scheduleDowntimeAction()
 {
+ $this->assertPermission('monitoring/command/schedule-downtime');
+
 $this->view->title = $this->translate('Schedule Service Downtime');
 $this->handleCommandForm(new ScheduleServiceDowntimeCommandForm());
 }
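Review bot: The permission check is opt-in per action: acknowledgeProblemAction() here, and addCommentAction(), rescheduleCheckAction(), scheduleDowntimeAction() and processCheckResultAction() in the following hunks, each have to carry their own `assertPermission()` line before `handleCommandForm()`, so an action added later without that line would expose its command form unguarded. Consider moving the guard into the shared path so that a missing permission fails closed, for example `$this->handleCommandForm(new AcknowledgeProblemCommandForm(), 'monitoring/command/acknowledge-problem');` with the assertion made inside the helper. `handleCommandForm()` is defined outside this patch, so its signature would have to change with it. The class body also continues outside these hunks, and any other action that reaches `handleCommandForm()` should be checked for the same assertion.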
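Review bot: rescheduleCheckAction() asserts `monitoring/command/schedule-check`, the only one of the five permission strings that does not mirror its action name, and nothing in the hunk says this is intended. If rescheduling is meant to be covered by the schedule-check permission, record that in the method's docblock, e.g. `* Requires the monitoring/command/schedule-check permission`, so that an administrator granting permissions does not look for a separate reschedule entry. The docblock opens above the hunk; only its closing `*/` is visible here.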
@@ -83,6 +91,8 @@ class Monitoring_ServiceController extends MonitoredObjectController
 */
 public function processCheckResultAction()
 {
+ $this->assertPermission('monitoring/command/process-check-result');
+
 $this->view->title = $this->translate('Submit Passive Service Check Result');
 $this->handleCommandForm(new ProcessCheckResultCommandForm());
 }
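Review bot: The assertion added to processCheckResultAction() checks the command class only, not the service the result will be applied to. A passive check result overwrites the reported state of a service, so the per-object decision matters most for this action. Whether the requested service falls within the user's restrictions is decided where the object is loaded, which is outside this hunk (presumably in MonitoredObjectController); confirm that this lookup is restricted per user before `handleCommandForm()` runs. Once confirmed, a comment above the call such as `// Command-level check only; object-level access is enforced when the service is loaded` would record the split for later readers.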