execute-script and notify (with handler) bulk actions require root ac…

…cess

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/actions/BaseActionExecutor.java

@@ -29,7 +29,10 @@
 import com.evolveum.midpoint.provisioning.api.ProvisioningService;
 
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.security.api.AuthorizationConstants;
 import com.evolveum.midpoint.security.api.SecurityEnforcer;
+import com.evolveum.midpoint.util.exception.SchemaException;
+import com.evolveum.midpoint.util.exception.SecurityViolationException;
 import com.evolveum.midpoint.util.logging.LoggingUtils;
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
@@ -101,4 +104,13 @@ protected Throwable processActionException(Throwable e, String actionName, Prism
     		throw new ScriptExecutionException("Couldn't execute action '" + actionName + "' on " + value + ": " + e.getMessage(), e);
 		}
 	}
+
+	protected void checkRootAuthorization(OperationResult globalResult, String actionName) throws ScriptExecutionException {
+		try {
+			securityEnforcer.authorize(AuthorizationConstants.AUTZ_ALL_URL, null, null, null, null, null, globalResult);
+		} catch (SecurityViolationException |SchemaException e) {
+			throw new ScriptExecutionException("You are not authorized to execute '" + actionName + "' action.");
+		}
+	}
+
 }

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/actions/NotifyExecutor.java

@@ -75,6 +75,10 @@ public PipelineData execute(ActionExpressionType expression, PipelineData input,
                 PARAM_OPERATION, input, context, EventOperationType.class, globalResult);
         boolean forWholeInput = expressionHelper.getArgumentAsBoolean(expression.getParameter(), PARAM_FOR_WHOLE_INPUT, input, context, false, PARAM_SUBTYPE, globalResult);
 
+        if (handler != null) {
+			checkRootAuthorization(globalResult, NAME);		// TODO explain that the reason is that handler is not null
+		}
+
         if (status == null) {
             status = EventStatusType.SUCCESS;
         }

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/actions/ScriptExecutor.java

@@ -69,6 +69,8 @@ public void init() {
     @Override
     public PipelineData execute(ActionExpressionType expression, PipelineData input, ExecutionContext context, OperationResult globalResult) throws ScriptExecutionException {
 
+		checkRootAuthorization(globalResult, NAME);
+
 		ScriptExpressionEvaluatorType script = expressionHelper.getSingleArgumentValue(expression.getParameter(), PARAM_SCRIPT, true, true,
 				NAME, input, context, ScriptExpressionEvaluatorType.class, globalResult);
 		String outputItem = expressionHelper.getSingleArgumentValue(expression.getParameter(), PARAM_OUTPUT_ITEM, false, false,