Steps to reproduce:
- As an admin with programming rights, create a new user without script or programming right.
- Login with the freshly created user.
- Insert the following text in source mode in the about section:
- Click "Save & View"
An error is displayed in the about section that the script macro couldn't be executed.
The text "hello from groovy!" is displayed.
This works with any TextAreaClass property that has wiki syntax enabled and is displayed using the regular displayer, e.g., using $doc.display in a document where the content author is a user with programming right. The reason seems to be that `TextAreaClass` overrides the security document which is explicitly set by $doc.display to ensure that not the content author but the displayed object's author is used.