Steps to reproduce the issue:
- Create a user email@example.com without any special permission or role.
- With admin (firstname.lastname@example.org) add a Documents and Media widget to a site and configure it to Show Actions.
- Add a document to Documents and Media and set viewable only to the owner (nobody else should see it)
- Check that when user email@example.com access to the page containing Documents and Media widget cannot see the document.
- With admin (firstname.lastname@example.org) share the document with email@example.com, and mark that the document CANNOT be shared and grant him UPDATE permissions when sharing.
- Check that user firstname.lastname@example.org can now see the document. If you see the actions that user can do on the document you'll see that he has the SHARE action even though he was not supposed to be able to share it.