For one of the sites I’ve worked on, I found myself faced with a problem: having given access, through registration, to a role that can only insert posts and put them pending review, once the post is published by an administrator the user can easily modify the published post.
Wanting to limit this functionality, I found the following trick:

add_filter (‘wp_insert_post_data’, ‘always_pending’, ’99’, 2);

function always_pending ($ data, $ postarr) {
    if (! current_user_can (‘moderate_comments’)) {
           $ data [‘post_status’] = ‘pending’;
    }
    return $ data;
}

Each time the user changes the post, the post returns to the pending status, and an administrator will have to publish it again.