A user who has only read access in the authorizations tab of the user object definition is still able to search for objects, right-click in the search bar, choose replace, and replace those objects in workflows.

Steps to reproduce:

1. Create at least 2 timezone objects
2. Create a user with read-only to everything
3. Create script or job object
4. Create a WorkFlow and put the task from #3 into it
5. Go to properties in the WorkFlow for the task, define earliest start time, put in a time zone and save
6. Log in as the user from #2 above
7. Run a search for the the timezone from #5
8. Right-click the timezone from the search bar and choose replace
9. Select the WorkFlow from #4, choose a different timezone for replace with, click Replace

Expected behavior:
There should be an error with access denied

Actual behavior:
The timezone is replaced in the workflow

Release : 12.3

Component :

This is planned to be fixed in 12.3.8 (planned by Spring of 2022) and 21.0.2 (planned by Spring of 2022)