According to the docs, they are authenticated, they are in a hostgroup for contacts, so they have the permission to make service commands.
I know that sounds a bit weird, but if you are allowing them access to view hosts, then you must need these people to know what is going on. Allowing them the ability to submit passive check results, etc., is not that bad of an idea. If you find that these people abuse the Nagios monitor systems, then report them as abusing it, and deal with them accordingly. Or simply remove their access. This Nagios thing is a tool, so if someone is attempting to break it, then ban 'em or something.
"Authenticated contacts* are granted the following permissions for each service for which they are contacts (but not for services for which they are not contacts)...
* Authorization to view service status information
* Authorization to view service configuration information
* Authorization to view history and notifications for the service
* Authorization to issue service commands"