diff --git a/xwiki-platform-core/xwiki-platform-rendering/xwiki-platform-rendering-macros/xwiki-platform-rendering-macro-code/pom.xml b/xwiki-platform-core/xwiki-platform-rendering/xwiki-platform-rendering-macros/xwiki-platform-rendering-macro-code/pom.xml
index febd69326cdf..5ae44c78a802 100644
--- a/xwiki-platform-core/xwiki-platform-rendering/xwiki-platform-rendering-macros/xwiki-platform-rendering-macro-code/pom.xml
+++ b/xwiki-platform-core/xwiki-platform-rendering/xwiki-platform-rendering-macros/xwiki-platform-rendering-macro-code/pom.xml
@@ -68,5 +68,10 @@
xwiki-platform-security-authorization-api
${project.version}
+
+ org.xwiki.platform
+ xwiki-platform-security-requiredrights-macro
+ ${project.version}
+
diff --git a/xwiki-platform-core/xwiki-platform-rendering/xwiki-platform-rendering-macros/xwiki-platform-rendering-macro-code/src/main/java/org/xwiki/rendering/internal/macro/code/CodeMacroRequiredRightsAnalyzer.java b/xwiki-platform-core/xwiki-platform-rendering/xwiki-platform-rendering-macros/xwiki-platform-rendering-macro-code/src/main/java/org/xwiki/rendering/internal/macro/code/CodeMacroRequiredRightsAnalyzer.java
new file mode 100644
index 000000000000..ee3ff1aa69c6
--- /dev/null
+++ b/xwiki-platform-core/xwiki-platform-rendering/xwiki-platform-rendering-macros/xwiki-platform-rendering-macro-code/src/main/java/org/xwiki/rendering/internal/macro/code/CodeMacroRequiredRightsAnalyzer.java
@@ -0,0 +1,71 @@
+/*
+ * See the NOTICE file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.xwiki.rendering.internal.macro.code;
+
+import java.util.List;
+
+import javax.inject.Inject;
+import javax.inject.Named;
+import javax.inject.Singleton;
+
+import org.xwiki.component.annotation.Component;
+import org.xwiki.platform.security.requiredrights.MacroRequiredRight;
+import org.xwiki.platform.security.requiredrights.MacroRequiredRightReporter;
+import org.xwiki.platform.security.requiredrights.MacroRequiredRightsAnalyzer;
+import org.xwiki.properties.BeanManager;
+import org.xwiki.properties.PropertyException;
+import org.xwiki.rendering.block.MacroBlock;
+import org.xwiki.rendering.macro.code.CodeMacroParameters;
+
+import static org.xwiki.rendering.macro.source.MacroContentSourceReference.TYPE_SCRIPT;
+
+/**
+ * Required rights analyzer for the code macro.
+ *
+ * @version $Id$
+ * @since 16.4.7
+ * @since 16.10.3
+ * @since 17.0.0
+ */
+@Component
+@Singleton
+@Named("code")
+public class CodeMacroRequiredRightsAnalyzer implements MacroRequiredRightsAnalyzer
+{
+ @Inject
+ private BeanManager beanManager;
+
+ @Override
+ public void analyze(MacroBlock macroBlock, MacroRequiredRightReporter reporter)
+ {
+ CodeMacroParameters parameters = new CodeMacroParameters();
+
+ try {
+ this.beanManager.populate(parameters, macroBlock.getParameters());
+
+ if (parameters.getSource() != null && TYPE_SCRIPT.equals(parameters.getSource().getType())) {
+ reporter.report(macroBlock, List.of(MacroRequiredRight.SCRIPT),
+ "rendering.macro.code.requiredRights.scriptSource");
+ }
+ } catch (PropertyException e) {
+ // Ignore, the macro won't be executed when populating the parameters fails.
+ }
+ }
+}
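Review bot: The empty `catch (PropertyException e)` in `analyze` makes the analyzer fail open: when `populate` throws, no right is reported and nothing is recorded. That is only safe while the macro's execution path rejects exactly the same parameter maps, and nothing in this hunk shows that the two paths use the same population logic. Because the result feeds a rights decision, I would expand the comment to name the invariant it relies on, for example `// Safe to skip: the macro transformation populates CodeMacroParameters with the same BeanManager and aborts on the same PropertyException, so the script source is never evaluated.` A debug-level log of `e` would also help when diagnosing a missed report. The class Javadoc could say why a `TYPE_SCRIPT` source needs script right, since "Required rights analyzer for the code macro" does not tell a maintainer what is being protected.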
diff --git a/xwiki-platform-core/xwiki-platform-rendering/xwiki-platform-rendering-macros/xwiki-platform-rendering-macro-code/src/main/resources/ApplicationResources.properties b/xwiki-platform-core/xwiki-platform-rendering/xwiki-platform-rendering-macros/xwiki-platform-rendering-macro-code/src/main/resources/ApplicationResources.properties
new file mode 100644
index 000000000000..e824d39f3d05
--- /dev/null
+++ b/xwiki-platform-core/xwiki-platform-rendering/xwiki-platform-rendering-macros/xwiki-platform-rendering-macro-code/src/main/resources/ApplicationResources.properties
@@ -0,0 +1,46 @@
+# ---------------------------------------------------------------------------
+# See the NOTICE file distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as
+# published by the Free Software Foundation; either version 2.1 of
+# the License, or (at your option) any later version.
+#
+# This software is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this software; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+# 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+# ---------------------------------------------------------------------------
+
+###############################################################################
+# XWiki Core localization
+#
+# This contains the translations of the module in the default language
+# (generally English).
+#
+# See https://dev.xwiki.org/xwiki/bin/view/Community/L10N/Conventions/ for more details about about
+# translation key naming.
+#
+# Comments: it's possible to add some detail about a key to make easier to
+# translate it by adding a comment before it. To make sure a comment is not
+# assigned to the following key use at least three sharps (###) for the comment
+# or after it.
+#
+# Deprecated keys:
+# * when deleting a key it should be moved to deprecated section at the end
+# of the file (between #@deprecatedstart and #@deprecatedend) and associated to the
+# first version in which it started to be deprecated
+# * when renaming a key, it should be moved to the same deprecated section
+# and a comment should be added with the following syntax:
+# #@deprecated new.key.name
+# old.key.name=Some translation
+###############################################################################
+
+rendering.macro.code.requiredRights.scriptSource=Referencing a script variable in the source parameter \
+ of the code macro requires script right.
diff --git a/xwiki-platform-core/xwiki-platform-rendering/xwiki-platform-rendering-macros/xwiki-platform-rendering-macro-code/src/main/resources/META-INF/components.txt b/xwiki-platform-core/xwiki-platform-rendering/xwiki-platform-rendering-macros/xwiki-platform-rendering-macro-code/src/main/resources/META-INF/components.txt
index 47ce7e21afc1..5c85312804d7 100644
--- a/xwiki-platform-core/xwiki-platform-rendering/xwiki-platform-rendering-macros/xwiki-platform-rendering-macro-code/src/main/resources/META-INF/components.txt
+++ b/xwiki-platform-core/xwiki-platform-rendering/xwiki-platform-rendering-macros/xwiki-platform-rendering-macro-code/src/main/resources/META-INF/components.txt
@@ -1,4 +1,5 @@
org.xwiki.rendering.internal.macro.code.CodeMacro
+org.xwiki.rendering.internal.macro.code.CodeMacroRequiredRightsAnalyzer
org.xwiki.rendering.internal.macro.code.source.DefaultCodeMacroSourceFactory
org.xwiki.rendering.internal.macro.code.source.ScriptCodeMacroSourceFactory
org.xwiki.rendering.internal.macro.code.source.StringCodeMacroSourceFactory
diff --git a/xwiki-platform-core/xwiki-platform-rendering/xwiki-platform-rendering-macros/xwiki-platform-rendering-macro-code/src/test/java/org/xwiki/rendering/internal/macro/code/CodeMacroRequiredRightsAnalyzerTest.java b/xwiki-platform-core/xwiki-platform-rendering/xwiki-platform-rendering-macros/xwiki-platform-rendering-macro-code/src/test/java/org/xwiki/rendering/internal/macro/code/CodeMacroRequiredRightsAnalyzerTest.java
new file mode 100644
index 000000000000..de255a75bd3d
--- /dev/null
+++ b/xwiki-platform-core/xwiki-platform-rendering/xwiki-platform-rendering-macros/xwiki-platform-rendering-macro-code/src/test/java/org/xwiki/rendering/internal/macro/code/CodeMacroRequiredRightsAnalyzerTest.java
@@ -0,0 +1,118 @@
+/*
+ * See the NOTICE file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.xwiki.rendering.internal.macro.code;
+
+import java.util.List;
+import java.util.stream.Stream;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.MethodSource;
+import org.junit.jupiter.params.provider.NullSource;
+import org.mockito.Mock;
+import org.xwiki.platform.security.requiredrights.MacroRequiredRight;
+import org.xwiki.platform.security.requiredrights.MacroRequiredRightReporter;
+import org.xwiki.properties.BeanManager;
+import org.xwiki.properties.PropertyException;
+import org.xwiki.rendering.block.MacroBlock;
+import org.xwiki.rendering.macro.code.CodeMacroParameters;
+import org.xwiki.rendering.macro.source.MacroContentSourceReference;
+import org.xwiki.test.junit5.mockito.ComponentTest;
+import org.xwiki.test.junit5.mockito.InjectMockComponents;
+import org.xwiki.test.junit5.mockito.MockComponent;
+
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyMap;
+import static org.mockito.Mockito.doAnswer;
+import static org.mockito.Mockito.doThrow;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoInteractions;
+import static org.xwiki.rendering.macro.source.MacroContentSourceReference.TYPE_SCRIPT;
+import static org.xwiki.rendering.macro.source.MacroContentSourceReference.TYPE_STRING;
+
+/**
+ * Unit test for {@link CodeMacroRequiredRightsAnalyzer}.
+ *
+ * @version $Id$
+ */
+@ComponentTest
+class CodeMacroRequiredRightsAnalyzerTest
+{
+ @InjectMockComponents
+ private CodeMacroRequiredRightsAnalyzer analyzer;
+
+ @MockComponent
+ private BeanManager beanManager;
+
+ @Mock
+ private MacroRequiredRightReporter reporter;
+
+ @Mock
+ private MacroBlock macroBlock;
+
+ private void setupMock(MacroContentSourceReference source) throws PropertyException
+ {
+ doAnswer(invocation -> {
+ CodeMacroParameters params = invocation.getArgument(0);
+ params.setSource(source);
+ return null;
+ }).when(this.beanManager).populate(any(), anyMap());
+ }
+
+ @Test
+ void analyzeWithScriptSource() throws PropertyException
+ {
+ setupMock(new MacroContentSourceReference(TYPE_SCRIPT, "script"));
+
+ this.analyzer.analyze(this.macroBlock, this.reporter);
+
+ verify(this.reporter).report(this.macroBlock, List.of(MacroRequiredRight.SCRIPT),
+ "rendering.macro.code.requiredRights.scriptSource");
+ }
+
+ @ParameterizedTest
+ @MethodSource("provideSourceReferences")
+ @NullSource
+ void analyzeWithSource(MacroContentSourceReference source) throws PropertyException
+ {
+ setupMock(source);
+
+ this.analyzer.analyze(this.macroBlock, this.reporter);
+
+ verifyNoInteractions(this.reporter);
+ }
+
+ private static Stream provideSourceReferences()
+ {
+ return Stream.of(
+ new MacroContentSourceReference(TYPE_STRING, "non-script")
+ );
+ }
+
+ @Test
+ void analyzeWithPropertyException() throws PropertyException
+ {
+ doThrow(PropertyException.class).when(this.beanManager).populate(any(), anyMap());
+
+ this.analyzer.analyze(this.macroBlock, this.reporter);
+
+ verifyNoInteractions(this.reporter);
+ }
+}
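Review bot: Every test here stubs `BeanManager.populate` (`setupMock`, `doThrow`) and uses a mocked `MacroBlock`, so the step that turns a raw `source` macro parameter into a `MacroContentSourceReference` is never exercised. The analyzer reports script right only if that conversion yields a type equal to `TYPE_SCRIPT`, so a mismatch between how the analyzer and the macro parse the parameter would go unnoticed; whether such a mismatch exists cannot be told from this hunk. I would add one test that uses the real bean manager and a `MacroBlock` built with an actual parameter map, asserting that a script source is reported and a string source is not. In `analyzeWithScriptSource`, adding `verifyNoMoreInteractions(this.reporter);` after the `verify` would pin that exactly one right is reported.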