It can be very risky to use the built-in theme and plugin editors – especially it you (or your client) don’t really know what you’re doing. Fortunately we can disable that pretty easily.
define( 'DISALLOW_FILE_EDIT', true );
Or, take it a step further and disable update abilities too
define( 'DISALLOW_FILE_MODS', true );