User#setDisabledStatus is not protected with admin right

The User API available in velocity scripts expose setDisabledStatus without any right protection, it means a user with only script right can use it to enable or disable users.

Reproduction steps:

• Create a user with edit and script rights
• With that user, create a page with this content:

  {{velocity}}
  #set ($adminUser = $xwiki.getUser('XWiki.Admin'))
  #set ($discard = $adminUser.setDisabledStatus('true'))
  {{/velocity}}
  

• Save and view the page

Expected result:

• Nothing should happen

Obtained result:

• Nothing is displayed and when admin user tries to login he's disabled