Gézapeti from Cloudera kindly reported this to me:
Hi Ishan! I’d like to raise (yet an other) issue with SOLR-13971 and the Velocity templates. I’m working at Cloudera on Solr and have taken the time to test out whether the fix in 8.3.1 is sufficient to mitigate the issue. The sad thing is: It’s possible to upload a properties file into ZK and add the resource loaders in that file. I think we should add yet-an-other option to make the init-from-property file functionality off by default.
Seems like our mitigation wasn't good enough, there's another way to load resources.
I've requested him to follow procedure here (https://cwiki.apache.org/confluence/display/solr/SolrSecurity). Meanwhile, I opened this JIRA anyway.