Steps to reproduce the issue:
- Create a user firstname.lastname@example.org without any special permission or role.
- With admin (email@example.com) add a Documents and Media widget to a site and configure it to Show Actions.
- Add a document to Documents and Media and set viewable only to the owner (nobody else should see it)
- Check that when user firstname.lastname@example.org access to the page containing Documents and Media widget cannot see the document.
- With admin (email@example.com) share the document with firstname.lastname@example.org, and mark that the document CANNOT be shared and grant him UPDATE permissions when sharing.
- Check that user email@example.com can now see the document. If you see the actions that user can do on the document you'll see that he has the SHARE action even though he was not supposed to be able to share it.