A new feature, called "Trash", was implemented so that users were able to retrieve posts that they may have deleted by accident. Any posts that are placed within the trash are viewable by authenticated users, no matter what privileges they have.
Update the WordPress, because since version 2.9
Usually the only protection for a URL is that links to that page are not presented to unauthorized users. But that kind of security is not enough to protect sensitive functions and data. You need to performe access control checks before a request to a function is granted. It will ensure that you are authorized to access that function.