From bd65f4d50af3d46008bfb63dd32a29f8e5def676 Mon Sep 17 00:00:00 2001
From: Eric Lippmann <eric.lippmann@netways.de>
Date: Fri, 23 Jan 2015 09:18:29 +0100
Subject: [PATCH] monitoring/security: Hide delete comment action in the
 comments overview if user lacks the respective permission

---
 .../monitoring/application/controllers/ListController.php    | 5 ++++-
 .../monitoring/application/views/scripts/list/comments.phtml | 2 ++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/modules/monitoring/application/controllers/ListController.php b/modules/monitoring/application/controllers/ListController.php
index 3ed9c4e62..cb334b421 100644
--- a/modules/monitoring/application/controllers/ListController.php
+++ b/modules/monitoring/application/controllers/ListController.php
@@ -484,7 +484,10 @@ class Monitoring_ListController extends Controller
                 'comment_expiration'    => $this->translate('Expiration')
             )
         );
-        $this->view->delCommentForm = new DeleteCommentCommandForm();
+
+        if ($this->Auth()->hasPermission('monitoring/command/comment/delete')) {
+            $this->view->delCommentForm = new DeleteCommentCommandForm();
+        }
     }
 
     public function servicegroupsAction()
diff --git a/modules/monitoring/application/views/scripts/list/comments.phtml b/modules/monitoring/application/views/scripts/list/comments.phtml
index 98daceecd..857017b4d 100644
--- a/modules/monitoring/application/views/scripts/list/comments.phtml
+++ b/modules/monitoring/application/views/scripts/list/comments.phtml
@@ -75,6 +75,7 @@
               date('H:i', $comment->expiration)
             ) : $this->translate('This comment does not expire.'); ?>
         </td>
+        <?php if (isset($delCommentForm)): // Form is unset if the current user lacks the respective permission ?>
         <td style="width: 2em" data-base-target="self">
           <?php
           $delCommentForm = clone $delCommentForm;
@@ -87,6 +88,7 @@
           echo $delCommentForm;
           ?>
         </td>
+        <?php endif ?>
       </tr>
 <?php endforeach ?>
     </tbody>