diff --git a/src/Resources/contao/dca/tl_user.php b/src/Resources/contao/dca/tl_user.php
index 2c66d80ab2..8f88615157 100644
--- a/src/Resources/contao/dca/tl_user.php
+++ b/src/Resources/contao/dca/tl_user.php
@@ -731,9 +731,11 @@ public function sessionField(DataContainer $dc)
 /**
 * Return all modules except profile modules
 *
+ * @param DataContainer $dc
+ *
 * @return array
 */
- public function getModules()
+ public function getModules(DataContainer $dc)
 {
 $arrModules = array();
@@ -741,11 +743,24 @@ public function getModules()
 {
 if (!empty($v))
 {
- unset($v['undo']);
 $arrModules[$k] = array_keys($v);
 }
 }
+ // Unset the undo module as it is always allowed
+ if (($key = array_search('undo', $arrModules['system'])) !== false)
+ {
+ unset($arrModules['system'][$key]);
+ }
+
+ $modules = Contao\StringUtil::deserialize($dc->activeRecord->modules);
+
+ // Unset the template editor unless the user is an administrator or has been granted access to the template editor
+ if (!$this->User->isAdmin && (!is_array($modules) || !in_array('tpl_editor', $modules)) && ($key = array_search('tpl_editor', $arrModules['design'])) !== false)
+ {
+ unset($arrModules['design'][$key]);
+ }
+
+ return $arrModules;
 }
diff --git a/src/Resources/contao/dca/tl_user_group.php b/src/Resources/contao/dca/tl_user_group.php
index dae2d80025..3181308f04 100644
--- a/src/Resources/contao/dca/tl_user_group.php
+++ b/src/Resources/contao/dca/tl_user_group.php
@@ -293,9 +293,11 @@ public function addIcon($row, $label)
 /**
 * Return all modules except profile modules
 *
+ * @param DataContainer $dc
+ *
 * @return array
 */
- public function getModules()
+ public function getModules(DataContainer $dc)
 {
 $arrModules = array();
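Review bot: In the first hunk of tl_user.php, and identically in the first hunk of tl_user_group.php, `getModules()` gains a required `DataContainer $dc` argument, so any code that still calls the method directly without arguments will now fail; whether such callers exist is not visible in this diff. The added `@param DataContainer $dc` line has no description, and I would document the dependency, e.g. `@param DataContainer $dc The data container whose active record's "modules" value decides whether tpl_editor stays selectable`. The method body continues outside both hunks.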
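Review bot: In the second hunk of tl_user.php (and the matching second hunk of tl_user_group.php), `array_search('undo', $arrModules['system'])` and `array_search('tpl_editor', $arrModules['design'])` read keys that exist only when the loop above them saw a non-empty group, whereas the removed `unset($v['undo'])` had no such dependency. If either group is missing, array_search() receives null, which is a warning on PHP 7 and a TypeError on PHP 8. A guard such as `if (isset($arrModules['system']) && ($key = array_search('undo', $arrModules['system'], true)) !== false)`, and the same for 'design', keeps the filter working. In addition, `unset()` leaves a gap in the numeric keys whenever the removed entry is not the last one; if the consumer of this array treats non-sequential arrays as keyed (not visible here), adding `$arrModules['design'] = array_values($arrModules['design']);` after the unset avoids handing it the wrong values.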
@@ -303,11 +305,24 @@ public function getModules()
 {
 if (!empty($v))
 {
- unset($v['undo']);
 $arrModules[$k] = array_keys($v);
 }
 }
+ // Unset the undo module as it is always allowed
+ if (($key = array_search('undo', $arrModules['system'])) !== false)
+ {
+ unset($arrModules['system'][$key]);
+ }
+
+ $modules = Contao\StringUtil::deserialize($dc->activeRecord->modules);
+
+ // Unset the template editor unless the user is an administrator or has been granted access to the template editor
+ if (!$this->User->isAdmin && (!is_array($modules) || !in_array('tpl_editor', $modules)) && ($key = array_search('tpl_editor', $arrModules['design'])) !== false)
+ {
+ unset($arrModules['design'][$key]);
+ }
+
+ return $arrModules;
 }
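Review bot: The template-editor check in this hunk is a verbatim copy of the one added to tl_user.php, so a later change to this access rule has to be made in two places; moving it into one shared helper would keep the two in step. The condition decides on `$dc->activeRecord->modules`, presumably the record being edited, while the comment's "the user ... has been granted access" reads as if it meant the logged-in `$this->User`; since the record here is a group, I would reword it to `// Hide the template editor from non-administrators unless this record already grants it`. If `$dc->activeRecord` can be unset when this callback runs (not visible in the hunk), the property read yields null and the option is removed, which fails closed but emits a notice. The enclosing function starts outside the hunk.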