The groups REST endpoint at <your-localhost>/rest/scriptrunner-confluence/latest/lock-content-macro/groups is accessible by any user, including users who are not logged in. Only logged-in users should be able to access it.
HOW TO REPLICATE IT
- Start a Confluence instance.
- When the server is up and running (no need to log in), go to the REST endpoint by entering <your-localhost>/rest/scriptrunner-confluence/latest/lock-content-macro/groups in the browser address bar.
- You should see an array of groups (in JSON format). If no group has been added, an empty array is displayed (on a clean instance the array is always empty).
- Expected behaviour: instead of the group array, the login page should be displayed.
The problem is in the class com.onresolve.scriptrunner.runner.rest.confluence.LockContentMacroRestEndPoint. The method getGroups(@QueryParam("searchTerm") String searchTerm) should check that the user is authenticated before returning the result.
The problem was found during the release of ScriptRunner for Confluence version 5.4.9, but the issue was probably present in older versions too.
Also tested with the latest version of ScriptRunner for Confluence 5.4.47 and the issue is still present.
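
The replication steps above can be turned into a regression check for the fix. This is an added example, not code from the report or from ScriptRunner: the endpoint path comes from the report, while the function names and the local stub server standing in for a Confluence instance are constructed for the demonstration.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Path taken from the report; everything else in this file is constructed.
GROUPS_PATH = "/rest/scriptrunner-confluence/latest/lock-content-macro/groups"
# Ignore proxy environment variables so local test instances are reached directly.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def anonymous_access_result(base_url, timeout=5):
    """Call the groups endpoint with no session; 'exposed' means a JSON array came back."""
    req = urllib.request.Request(base_url.rstrip("/") + GROUPS_PATH,
                                 headers={"Accept": "application/json"})
    try:
        with OPENER.open(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return "protected" if err.code in (401, 403) else "error-%d" % err.code
    try:
        # An empty array still counts: the report notes clean instances return [].
        return "exposed" if isinstance(json.loads(body), list) else "protected"
    except ValueError:
        return "protected"  # non-JSON body, e.g. the HTML login page after a redirect


def start_stub(require_login):
    """Constructed stand-in for a Confluence instance on a free local port."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            status, payload = (401, b'{"message":"login required"}') if require_login else (200, b"[]")
            self.send_response(status)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)

        def log_message(self, *args):
            pass  # keep the demo quiet

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_port
```

Against a real test instance, pass its base URL to `anonymous_access_result`; a patched build should return "protected".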