From a34ad0227f85c988f04b37c113b9715c07db969c Mon Sep 17 00:00:00 2001
From: Eric Lippmann <eric.lippmann@netways.de>
Date: Thu, 23 Jul 2015 12:59:30 +0200
Subject: [PATCH] Don't load module menu entries if the authenticated user
 lacks the module permission

refs #9644
---
 library/Icinga/Web/Menu.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/library/Icinga/Web/Menu.php b/library/Icinga/Web/Menu.php
index 87be9ec40..9b62afbdd 100644
--- a/library/Icinga/Web/Menu.php
+++ b/library/Icinga/Web/Menu.php
@@ -206,13 +206,14 @@ class Menu implements RecursiveIterator
      */
     public static function load()
     {
-        /** @var $menu \Icinga\Web\Menu */
         $menu = new static('menu');
         $menu->addMainMenuItems();
+        $auth = Manager::getInstance();
         $manager = Icinga::app()->getModuleManager();
         foreach ($manager->getLoadedModules() as $module) {
-            /** @var $module \Icinga\Application\Modules\Module */
-            $menu->mergeSubMenus($module->getMenuItems());
+            if ($auth->hasPermission($manager::MODULE_PERMISSION_NS . $module->getName())) {
+                $menu->mergeSubMenus($module->getMenuItems());
+            }
         }
         return $menu->order();
     }