From a09ba158597798e862c2505f3eecd5761cde7427 Mon Sep 17 00:00:00 2001
From: Eric Lippmann <eric.lippmann@netways.de>
Date: Thu, 22 Jan 2015 17:13:35 +0100
Subject: [PATCH] monitoring/security: Hide 'Check Now' action if user lacks
 the respective permission

---
 .../scripts/show/components/checkstatistics.phtml   |  4 +++-
 .../Web/Controller/MonitoredObjectController.php    | 13 ++++++++-----
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/modules/monitoring/application/views/scripts/show/components/checkstatistics.phtml b/modules/monitoring/application/views/scripts/show/components/checkstatistics.phtml
index 50b40cdcc..e8c295298 100644
--- a/modules/monitoring/application/views/scripts/show/components/checkstatistics.phtml
+++ b/modules/monitoring/application/views/scripts/show/components/checkstatistics.phtml
@@ -23,7 +23,9 @@ if ($object->getType() === $object::TYPE_HOST) {
 <tr>
     <th><?= $this->translate('Last check') ?></th>
     <td data-base-target="_self">
-        <?= $checkNowForm ?>
+        <?php if (isset($checkNowForm)) { // Form is unset if the current user lacks the respective permission
+            echo $checkNowForm;
+        } ?>
         <?= $this->timeSince($object->last_check) ?>
     </td>
 </tr>
diff --git a/modules/monitoring/library/Monitoring/Web/Controller/MonitoredObjectController.php b/modules/monitoring/library/Monitoring/Web/Controller/MonitoredObjectController.php
index a89a3fc49..dd83f415b 100644
--- a/modules/monitoring/library/Monitoring/Web/Controller/MonitoredObjectController.php
+++ b/modules/monitoring/library/Monitoring/Web/Controller/MonitoredObjectController.php
@@ -57,11 +57,14 @@ abstract class MonitoredObjectController extends Controller
     public function showAction()
     {
         $this->setAutorefreshInterval(10);
-        $checkNowForm = new CheckNowCommandForm();
-        $checkNowForm
-            ->setObjects($this->object)
-            ->handleRequest();
-        $this->view->checkNowForm = $checkNowForm;
+        $auth = $this->Auth();
+        if ($auth->hasPermission('monitoring/command/schedule-check')) {
+            $checkNowForm = new CheckNowCommandForm();
+            $checkNowForm
+                ->setObjects($this->object)
+                ->handleRequest();
+            $this->view->checkNowForm = $checkNowForm;
+        }
         if ( ! in_array((int) $this->object->state, array(0, 99))) {
             if ((bool) $this->object->acknowledged) {
                 $removeAckForm = new RemoveAcknowledgementCommandForm();