AdminAuth Default Group Read Only access

I'm wondering if you can give users (everyone who isn't logged in into admin) permissions to only read the file.
If I follow the Securing Node-RED file I don't get the right thing because the default user group can still make changes, but they can't manage the palette etc.

This is what I have in my settings.js:

adminAuth: {
        type: "credentials",
        users: [
            username: "loran",
            password: "$2b$08$BqucBnG7WuGzs.lhSmmnmeL7X80G4Igin8IvMzZ95qsJ/0aWwdUky",
            permissions: "*"
            default: {
        permissions: "read"

Have you tried deploying any changes as a default user?

read-only permission doesn't stop them from making changes in the editor... they just can't deploy those changes to the runtime.

Yes, i found that.
Is there an option that they can't make changes in the editor?

No, permissions are enforced on deploy