Security hole
Scenario: Logged in as a user with backend access, but only permission granted is View for a custom module created with the module builder.
Issue: When viewing the content items, there is a "Content types" link in the sidebar. Clicking this link launches the module builder, and from here I am able to deactivate the module.
Regards,
Gary