Mojira Archive
MC-59653

Signs with clickEvents only check permission in spawn-protection

The bug

Signs that contain a clickEvent are checked for operator permissions only if they are clicked inside the spawn-protection area set in server.properties.

Note: Signs being able to execute commands regardless of the executor's permissions is likely widely used in adventure maps. It does not directly pose a security vulnerability, because placing a sign with a clickEvent requires operator permissions. It is similar to placing a command block containing a command: placing the command block requires operator permissions, but anyone can afterwards place redstone next to it to activate it.

How to reproduce

  1. Start a Minecraft server.
  2. Set the spawn-protection field in the server.properties file to 10.
  3. Run:
    /give @p oak_sign[custom_name='{"text":"MC-59653"}',block_entity_data={id:"minecraft:oak_sign",front_text:{messages:['{"text":"Click me","clickEvent":{"action":"run_command","value":"fill ~ ~1 ~ ~ ~2 ~ redstone_block"}}','{"text":""}','{"text":""}','{"text":""}']}}] 2
  4. Place one sign inside the spawn-protection area and one sign outside the spawn-protection area.
  5. Deop yourself, but make sure there's at least one other player opped, so that spawn protection is active.
  6. Click the sign inside the spawn protection area.
    Sign unsuccessfully used, no blocks were placed
  7. Click the sign outside the spawn protection area.
    Sign successfully used, two redstone blocks are placed above the sign
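
Because a sign like the one in step 3 runs its command for any player who clicks it outside spawn protection, a server operator may want to list which signs on a map carry commands. The following audit helper is an added example, not part of the original report or of Minecraft's code. It assumes the sign's block-entity data has already been decoded into a Python dict by an NBT reader and that lines use the JSON clickEvent form shown in step 3; the `back_text` side and the nested `extra` field are assumed from the general sign and text-component format, and the second sample line is constructed.

```python
import json

SIDES = ("front_text", "back_text")  # back_text is an assumption, see lead-in

def _walk(component):
    """Yield every clickEvent dict found in a text component tree."""
    if isinstance(component, list):
        for item in component:
            yield from _walk(item)
    elif isinstance(component, dict):
        event = component.get("clickEvent")
        if isinstance(event, dict):
            yield event
        # Child components can carry their own clickEvent.
        yield from _walk(component.get("extra", []))

def find_click_commands(sign):
    """Return (side, line_no, action, value) for each clickEvent on a sign."""
    findings = []
    for side in SIDES:
        messages = sign.get(side, {}).get("messages", [])
        for line_no, raw in enumerate(messages, start=1):
            try:
                component = json.loads(raw)
            except (TypeError, ValueError):
                continue  # not JSON text, so nothing clickable to report
            for event in _walk(component):
                findings.append(
                    (side, line_no, event.get("action"), event.get("value")))
    return findings

# Constructed sample: the sign from step 3 plus a nested clickEvent on the back.
SAMPLE_SIGN = {
    "id": "minecraft:oak_sign",
    "front_text": {"messages": [
        '{"text":"Click me","clickEvent":{"action":"run_command",'
        '"value":"fill ~ ~1 ~ ~ ~2 ~ redstone_block"}}',
        '{"text":""}', '{"text":""}', '{"text":""}',
    ]},
    "back_text": {"messages": [
        '{"text":"","extra":[{"text":"x","clickEvent":'
        '{"action":"run_command","value":"say hi"}}]}',
        '{"text":""}', '{"text":""}', '{"text":""}',
    ]},
}

if __name__ == "__main__":
    for finding in find_click_commands(SAMPLE_SIGN):
        print(finding)
```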