From a19c155d9f647d9a3a5dd7676baaea1fb60fa998 Mon Sep 17 00:00:00 2001 From: Eric Lippmann Date: Thu, 22 Jan 2015 17:33:20 +0100 Subject: [PATCH] monitoring/security: Hide delete comment action if user lacks the respective permission --- .../views/scripts/show/components/comments.phtml | 11 ++++++----- .../Web/Controller/MonitoredObjectController.php | 2 +- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/modules/monitoring/application/views/scripts/show/components/comments.phtml b/modules/monitoring/application/views/scripts/show/components/comments.phtml index 07968dfc8..d20cec0c2 100644 --- a/modules/monitoring/application/views/scripts/show/components/comments.phtml +++ b/modules/monitoring/application/views/scripts/show/components/comments.phtml @@ -34,10 +34,6 @@ foreach ($object->comments as $comment) { $this->escape($comment->comment) ) : $this->escape($comment->comment); - - $form = clone $delCommentForm; - $form->populate(array('comment_id' => $comment->id)); - ?> @@ -46,7 +42,12 @@ foreach ($object->comments as $comment) {
- (type) ?>): + populate(array('comment_id' => $comment->id)); + echo $form; + } ?> + (type) ?>): ', $text) ?> diff --git a/modules/monitoring/library/Monitoring/Web/Controller/MonitoredObjectController.php b/modules/monitoring/library/Monitoring/Web/Controller/MonitoredObjectController.php index cb87d22ad..8cbea2d37 100644 --- a/modules/monitoring/library/Monitoring/Web/Controller/MonitoredObjectController.php +++ b/modules/monitoring/library/Monitoring/Web/Controller/MonitoredObjectController.php @@ -72,7 +72,7 @@ abstract class MonitoredObjectController extends Controller } } } - if (count($this->object->comments) > 0) { + if (count($this->object->comments) > 0 && $auth->hasPermission('monitoring/command/comment/delete')) { $delCommentForm = new DeleteCommentCommandForm(); $delCommentForm ->setObjects($this->object)
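Review bot: The `$auth->hasPermission('monitoring/command/comment/delete')` test added to the `if` in MonitoredObjectController only decides whether the delete form is built and rendered, so it is a presentation hint rather than an access control. The action that receives the submitted `comment_id` is not part of this patch; it should be confirmed that it asserts the same permission before issuing the command, since otherwise a request sent without the form is still accepted. I would add a comment above the condition to record this: `// UI only: the delete-comment action must itself enforce monitoring/command/comment/delete`. `$delCommentForm` is now unset when the permission is missing, so any use of it after this block needs an `isset()` guard. `$auth` is assigned outside the hunk, and the method continues beyond it.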