For reproducing the bug you need a cookie in your browser to auto-login into Zabbix Frontend and the browser must be configured to open last session tabs. Steps to reproduce:

1) Disable SMS action and then close your browser (not the window of browser, or private session of your browser).
2) Ask somebody else to log into same Zabbix and enable the action that you just disabled
3) Start your browser

Once the browser started it re-get's the 'actionconf.php?go=disable&g_actionid%5B%5D=3&eventsource=0&sid=052f5e3678b92ca3' path and the action is being disabled while it wasn't supposed to be disabled by browser start.

Such behaviour is present in 1.8.16 and 2.0.9