I created a custom role "Viewer" created in AGOL from the "Viewer Template". This is supposed to limit who can edit my editable feature services. It works as expected in a Web Map. The Viewer can not edit the feature service. But guess what?! Once you create a Web App from Web AppBuilder with that feature service and Web Map and add in the Edit Widget - the Viewer can edit! I found a forum post that says the Viewer can also edit in the Mobile Apps - such as Collector - I haven't tried that yet but would also be a problem if this was the case. https://community.esri.com/message/91046
Web App does not read the roles of the named users in AGOL. This is a HUGE oversight and a serious software problem.
I have created an Idea post for this - vote it up please! http://ideas.arcgis.com/ideaView?id=087E0000000kBsBIAU
Tech support told me today that it's a logged bug: # BUG-000092277: The Web AppBuilder Edit widget will allow users to edit ArcGIS Server feature service features, even if their AGOL role restricts it
With no workaround.
Yet another Web AppBuilder bug that I have found.
I cant replicate this, so I assume the bug was resolved.