Protect preference and navigation from guests

This is an implicit allowance to the user/* permission space, for any logged in user.

refs #11281

application/controllers/NavigationController.php

@@ -35,6 +35,8 @@ class NavigationController extends Controller
     {
         parent::init();
         $this->itemTypeConfig = Navigation::getItemTypeConfiguration();
+
+        $this->assertPermission('user/navigation');
     }
 
     /**

application/controllers/PreferenceController.php

@@ -18,6 +18,16 @@ use Icinga\Web\Widget\Tab;
  */
 class PreferenceController extends BasePreferenceController
 {
+    /**
+     * {@inheritdoc}
+     */
+    public function init()
+    {
+        parent::init();
+
+        $this->assertPermission('user/preference');
+    }
+
     /**
      * Create tabs for this preference controller
      *

library/Icinga/User.php

@@ -457,6 +457,12 @@ class User
             return true;
         }
 
+        // the user/* context is available for all default users
+        // TODO: verify security! (admin?)
+        if (!$this->isGuest() and strpos($requiredPermission, 'user/') === 0) {
+            return true;
+        }
+
         $requiredWildcard = strpos($requiredPermission, '*');
         foreach ($this->permissions as $grantedPermission) {
             if ($requiredWildcard !== false) {