Do not allow editors/backend users to load the SF desktop app if you have custom modules you have denied access to them as the Desktop App ignores the SF Permissions and gives them view functions regardless!
To recreate the problem:
- Create a custom module as an administrator, activate it.
- Set permission on this to be administrators only across the board of options via permissions.
- Create a new user with basic permissions to backend.
- Login as new user to sitefinity browser backend and see the custom module does not appear in the content drop down.
- Install latest version of Sitefinity Desktop Application
- Login as the same new user, you will be able to see the custom module you created as well as the data regardless of the security settings in Sitefinity being not set for the user.
If you try and create, modify or delete it will say you are not authorised but this is secondary to the fact you can actually see the module and more importantly the data in the first place, when sitefinity has permissions set to stop this from occurring.
Version 7.0.5100.0, don't see mention of a fix in 7.1