Fix USE_CONFIG_APPROVE_CONFIRMATION and USE_CONFIG_REJECT_CONFIRMATION

They still showed UI in case of signed macros.
Two decisions were made, to improve security of USE_CONFIG_APPROVE_CONFIRMATION:
1. In case of High macro security mode, valid but untrusted certificate will be
   automatically rejected (because it is not safe to automatically add trusted
   certificates) - so in this mode, USE_CONFIG_APPROVE_CONFIRMATION is the same
   as USE_CONFIG_REJECT_CONFIRMATION;
2. In case of Medium macro security mode, valid but untrusted certificate will
   not automatically allow macros execution, but will proceed to the following
   checks - which on Windows will try to check the source's Security Zone, and
   may disallow macros based on that. Only after Security Zone check the macros
   will be automatically allowed.

Change-Id: I1a9c92c6b940b689599c5d106798ecfc691dad46
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159214
Tested-by: Jenkins
Reviewed-by: Mike Kaganski <mike.kaganski@collabora.com>

sfx2/source/doc/docmacromode.cxx

@@ -213,9 +213,12 @@ namespace sfx2
                 // should not ask any confirmations. FROM_LIST_AND_SIGNED_WARN should only allow
                 // trusted signed macros at this point; so it may only ask for confirmation to add
                 // certificates to trusted, and shouldn't show UI when trusted list is read-only.
-                const bool bAllowUI = nMacroExecutionMode != MacroExecMode::FROM_LIST_AND_SIGNED_NO_WARN
-                                                 && (nMacroExecutionMode == MacroExecMode::ALWAYS_EXECUTE
-                                                     || !SvtSecurityOptions::IsReadOnly(SvtSecurityOptions::EOption::MacroTrustedAuthors));
+                const bool bAllowUI
+                    = nMacroExecutionMode != MacroExecMode::FROM_LIST_AND_SIGNED_NO_WARN
+                      && eAutoConfirm == eNoAutoConfirm
+                      && (nMacroExecutionMode == MacroExecMode::ALWAYS_EXECUTE
+                          || !SvtSecurityOptions::IsReadOnly(
+                              SvtSecurityOptions::EOption::MacroTrustedAuthors));
                 const bool bHasTrustedMacroSignature = m_xData->m_rDocumentAccess.hasTrustedScriptingSignature(bAllowUI ? rxInteraction : nullptr);
 
                 if (bHasTrustedMacroSignature)
@@ -227,9 +230,20 @@ namespace sfx2
                        || nSignatureState == SignatureState::NOTVALIDATED )
                 {
                     // there is valid signature, but it is not from the trusted author
-                    // this case includes explicit reject from user in the UI in cases of
-                    // FROM_LIST_AND_SIGNED_WARN and ALWAYS_EXECUTE
-                    return disallowMacroExecution();
+                    if (eAutoConfirm == eAutoConfirmApprove
+                        && nMacroExecutionMode == MacroExecMode::ALWAYS_EXECUTE)
+                    {
+                        // For ALWAYS_EXECUTE + eAutoConfirmApprove (USE_CONFIG_APPROVE_CONFIRMATION
+                        // in Medium security mode), do not approve it right here; let Security Zone
+                        // check below do its job first.
+                    }
+                    else
+                    {
+                        // All other cases of valid but untrusted signatures should result in denied
+                        // macros here. This includes explicit reject from user in the UI in cases
+                        // of FROM_LIST_AND_SIGNED_WARN and ALWAYS_EXECUTE
+                        return disallowMacroExecution();
+                    }
                 }
                 // Other values of nSignatureState would result in either rejected macros
                 // (FROM_LIST_AND_SIGNED_*), or a confirmation.