Picture rotation buttons available with read-only rights

1. install Nuxeo
2. install nuxeo-jsf-ui
3. install nuxeo-dam
4. login to Nuxeo as Administrator
5. create a user named robert
6. create a workspace
7. create a Picture document and attach a picture file to it
8. give Read permissions to the robert user
9. copy the permalink
10. logout
11. paste the permalink in the browser
12. login as robert user
13. observe the rotation buttons are visible
14. click a button (rotate left or right)
15. observe the following error being displayed:

    Privilege 'WriteProperties' is not granted to 'robert'
    
                    javax.servlet.ServletException: On requestURL: http://localhost:8080/nuxeo/view_documents.faces
    	at org.nuxeo.ecm.platform.ui.web.rest.FancyURLFilter.doFilter(FancyURLFilter.java:140)
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    	at org.nuxeo.ecm.platform.web.common.requestcontroller.filter.NuxeoRequestControllerFilter.doFilter(NuxeoRequestControllerFilter.java:148)
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    	at org.nuxeo.ecm.webdav.service.WIRequestFilter.doFilter(WIRequestFilter.java:61)
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    

A read-only user should not see the buttons since they modify the document by rotating the attached picture and thus performing a write operation.