In macro mode "High", only macros from a trusted location or certificate can be run. However, the user can easily add certificates to the list of trusted certs. There should be a way to lock this down so that users can't add certificates to the list of trusted sources themselves.
Created attachment 191288 [details] Example extension to lock down the key
This was fixed with bug 129311, but was broken with commit https://git.libreoffice.org/core/+/6ed8c5a0f19901ab413c6610649326b2475c3a8c%5E%21 That commit added a TODO which needs to be fixed: case SvtSecurityOptions::EOption::MacroTrustedAuthors: bReadonly = m_bROTrustedAuthors; bReadonly = false; // TODO? officecfg::Office::Common::Security::Scripting::TrustedAuthors::isReadOnly();
Noel Grandin committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/c0e438eaceb47932e61b9223e048e4eda3ed7636 tdf#158577 Allow locking down adding new trusted authors It will be available in 24.2.0. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Noel Grandin committed a patch related to this issue. It has been pushed to "libreoffice-7-6": https://git.libreoffice.org/core/commit/5ab183c0f2757d8f6a4ebe6476b98c924ee06c48 tdf#158577 Allow locking down adding new trusted authors It will be available in 7.6.5. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.