Avoid leakage of state.check_commandline to restricted users

Users who do not have permission to see the object's `Source` tab, must be
restricted from accessing the object's `state.check_commandline` column.

library/Icingadb/Common/Auth.php

@@ -113,6 +113,15 @@ public function isMatchedOn(string $queryString, Model $object): bool
      */
     public function applyRestrictions(Query $query)
     {
+        // In case the user does not have permission to see the object's `Source` tab, then the user must be restricted
+        // from accessing the executed command for the object.
+        if (
+            ($query->getModel()->getTableName() === 'host' || $query->getModel()->getTableName() === 'service')
+            && ! $this->getAuth()->hasPermission('icingadb/object/show-source')
+        ) {
+            $query->withoutColumns(['state.check_commandline']);
+        }
+
         if ($this->getAuth()->getUser()->isUnrestricted()) {
             return;
         }

library/Icingadb/Web/Controller.php

@@ -83,6 +83,13 @@ public function createColumnControl(Query $query, ViewModeSwitcher $viewModeSwit
         $columns = [];
         foreach (explode(',', $columnsDef) as $column) {
             if ($column = trim($column)) {
+                if (
+                    array_slice(explode('.', $column), -1)[0] === 'check_commandline'
+                    && ! $this->hasPermission('icingadb/object/show-source')
+                ) {
+                    continue;
+                }
+
                 $columns[] = $column;
             }
         }