Access control is implemented on the client-side by only displaying the permitted actions in the browser.
vulners.com/securityvulns/securityvulns:doc:6835
vulners.com/securityvulns/securityvulns:doc:6837