Security issue with document groups?

When I define management-users that have only access to certain document groups, all seems to work fine.
In the manager, they only see, what they are supposed to see.

But when they manually call for example "index.php?a=6&id=xy" they may delete whatever document xy is.
There seems to be no further check of the privileges. (I run 0.961)

Can anybody confirm this behavior?

Just one question: can anybody reproduce this in his/her installation?

Hmm... not sure about it, but thanks for heads up.

I’ll try to make sure this doesnt slip under the radar.

I just tried and it gives me permission error. Though I have checked with 0962 rc2.

Can you confirm if you have proper role assigned to that person and assigned role prohibits the deletion?