Remote code execution through preview of XClass changes in AWM editor

Steps to reproduce:

1. Log in as a user with edit but no script right.
2. Create a document "EvilDisplayer.WebHome".
3. Edit this document with the class editor. Add a property named "title" (name doesn't matter) of type "Computed Field" with "Custom Display" 

   {{groovy}}println("Hello from Groovy Display!"){{/groovy}} 

1. Save this document.
2. Go to the movies app in the help application ("Help.Applications.Movies.WebHome")
3. Click on "Edit application" under "Actions".
4. Click on the "Configure" icon in the "Genre" property".
5. Change the order of two of the values (for example, move "Comedy" before "Action").
6. Use the inspector in the web developer tools to find the "div" with "hidden" class before the "Genre" label
7. Find the hidden input with the name "template-staticList1" and value "AppWithinMinutes.StaticList".
8. Change the value to "EvilDisplayer.WebHome".
9. Confirm the change of the genre with a click on the check icon at the top right of the input.

Expected result:

An error is displayed as the current user doesn't have programming right.

Actual result:

"Hello from Groovy Display!" is displayed which demonstrates a successful remote code execution:

The problem is that in https://github.com/xwiki/xwiki-platform/blob/a87cb9d9282d99e8e7fa82a77c4e8c0bbb0d8430/xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/objects/classes/PropertyClass.java#L310-L314 the saved author is used for the right check with the new displayer value.