This is a serious security concern, defining group access rights on menu items is not enough to restrict access to actions

How do you protect against this ? someone could just try action ids one by one until they find an existing action that gives him/her access to potentially private information.

I restricted access to a window action to a specific group, but I was still able to see it with a user that doesn't belong to that group.

Is this a bug? or am I missing something?