At least after
XWIKI-10999, the $hasProgramming variable is no longer checking if the current user has PR on the main wiki, but is either returning always true or is checking if the last content author of the main wiki's preferences page has PR, which is completely wrong.
The problem is 2 fold:
1. The variable should be defined without specifying the main wiki preferences document (i.e. just $services.security.authorization.hasAccess('programming') instead of the current $services.security.authorization.hasAccess('programming', $wikiPreferencesReference)) because of a "special" way the current user is handled in https://github.com/xwiki/xwiki-platform/blob/master/xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-bridge/src/main/java/org/xwiki/security/authorization/internal/DefaultContextualAuthorizationManager.java#L163 (resulting in actually asking if the main wiki preferences document has PR and not if the current user has PR, which is not intended). This problem was introduced in
2. Since all .vm files are now executed with PR (using the AuthorExecutor component in the TemplateManager), the security document will always be a privileged one and any rights check for PR or SR in xwikivars.vm will return positive, since the current context document will not be checked. (Would need to check the actual commit, but probably around the same time).
Even if we currently easily fix problem 1. by removing the $wikiPreferencesReference parameter, the var will still always be true because of 2. which might need some kind of exception from the SUExecutor.