Details: Bug | Resolution: Fixed | Blocker | 1.2 M1 | Unit | Unknown | N/A | N/A
Description
Steps to reproduce:
- Log in as a user without programming right
- Choose any document whose content was last changed by a user with programming right and on which you have edit right. This could be the user profile of a user created by an admin.
- Edit that document using the object editor and add an object of class XWiki.SchedulerJobClass with the following contents:
- Job name: any name you like
- Job description: any text
- Job class: com.xpn.xwiki.plugin.scheduler.GroovyJob
- Status: Normal
- Cron expression: 0 0/5 * * * ?
- Job script: services.logging.getLogger("foo").error("Job content executed")
- Job execution context user: XWiki.Admin
- Job execution context lang: en
- Job execution context database: xwiki
- Exploit XWIKI-20851 to trigger (or schedule) the job (set the "which" parameter to the document reference of the document on which you've added the job object)
Expected result:
The job isn't executed, as its author doesn't have programming right, and thus no log message is displayed.
Actual result:
A message similar to
2023-04-18 10:20:00,028 [DefaultQuartzScheduler_Worker-2] ERROR foo - Job content executed
is displayed in the log. This shows that the Groovy code has been executed.
This demonstrates a privilege escalation from simple edit right to programming right. The underlying root cause is that the job executor checks the rights of the content author of the document that contains the job, but the job script lives in an object and can be changed without changing the content author.
For the reproduction steps, XWIKI-20851 needs to be exploited to actually execute the job, but an admin may also have created a job that is editable by users without programming right, in which case this step wouldn't be necessary.
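The root cause above, as an added simplified model (not XWiki's code): a document tracks a content author and a separate last-save author, object edits only update the latter, and the flawed executor consults the content author alone. The hardened variant requires programming right for both authors; the rights table, user names and field names are constructed for this model.

```python
from dataclasses import dataclass, field

# Constructed rights table: only the admin account holds programming right.
PROGRAMMING_RIGHT = {"XWiki.Admin": True, "XWiki.Alice": False}


@dataclass
class Document:
    """Simplified document with separately tracked content and last-save authors."""
    content: str
    content_author: str  # last user who changed the document *content*
    author: str          # last user who saved the document at all (objects included)
    objects: dict = field(default_factory=dict)

    def edit_content(self, user, new_content):
        self.content = new_content
        self.content_author = user
        self.author = user

    def add_object(self, user, class_name, props):
        # Editing an object bumps the last-save author but NOT the content author.
        self.objects[class_name] = props
        self.author = user


def run_job_vulnerable(doc):
    """Flawed check: rights are taken from the content author only."""
    if PROGRAMMING_RIGHT.get(doc.content_author, False):
        return "executed"
    return "denied"


def run_job_fixed(doc):
    """Hardened check: both the content author and the last-save author need the right."""
    if all(PROGRAMMING_RIGHT.get(u, False) for u in (doc.content_author, doc.author)):
        return "executed"
    return "denied"


def scenario(job_editor="XWiki.Alice"):
    """Admin-authored page receives a scheduler job object added by `job_editor`."""
    doc = Document("profile page", content_author="XWiki.Admin", author="XWiki.Admin")
    doc.add_object(job_editor, "XWiki.SchedulerJobClass",
                   {"script": 'services.logging.getLogger("foo").error("Job content executed")'})
    return run_job_vulnerable(doc), run_job_fixed(doc)


if __name__ == "__main__":
    print(scenario())  # ('executed', 'denied')
```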