Guest user can seemingly check in/check out any asset without permissions

Steps to reproduce:

1. Add a DM portlet to site page
2. Enable actions for documents
3. Add a couple of assets, granting only VIEW permissions to guest
4. Log out
5. As guest, assert assets can be viewed

Expected result:
Assets can be viewed but cannot be checked in or checked out.

Actual result:
Assets can be viewed but can be checked in/checked out using the management toolbar.

While checking in/checking out any asset results in a success message, the asset is not actually checked in.

Reproduced on:
Tomcat 9.0.7 + MySQL 5.7.
Portal master GIT ID: d3c3dc6e3afd69606cbe2ad1f9642c1066ac756d