RESTRICT EDIT of PHP files?

You should sanitize the request URI. I was able to bypass this by adding an additional slash to the URL. For example:

wp-admin/widgets.php

That request displays a blank page (as it should).

wp-admin//widgets.php

That request bypasses the restriction.

It’s hard, bordering on impossible, to answer this question in the affirmative (i.e. “Yes, this works as expected”). As of right now there is at least one way to bypass the restrictions, but I cannot say if there are more.

A better way to do this would probably be to use WordPress’ capabilities management. There are a few plugins that provide an interface for managing capabilities. Ex:

https://wordpress.org/plugins/capability-manager-enhanced/
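
One way to canonicalize the request path before it is compared against a list of restricted admin pages, so that both requests shown above are treated the same. This is an added example, not code from the post or from any plugin; the function names, the `$restricted` list and the sample URIs are assumptions constructed for illustration.

```php
<?php
// Added example: helper names are hypothetical, sample URIs are constructed.

function canonical_request_path(string $request_uri): string
{
    // Compare only the path: drop the query string and fragment.
    $path = preg_replace('/[?#].*$/s', '', $request_uri);
    // Decode percent-escapes once so encoded and literal forms compare equal.
    $path = rawurldecode($path);
    // Treat backslashes as separators, as some servers do.
    $path = str_replace('\\', '/', $path);

    $segments = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;               // empty and "." segments add nothing
        }
        if ($segment === '..') {
            array_pop($segments);   // ".." cancels the previous segment
            continue;
        }
        $segments[] = strtolower($segment);
    }
    return '/' . implode('/', $segments);
}

function is_restricted_path(string $request_uri, array $restricted): bool
{
    // The trailing "/" makes every match end on a segment boundary, which
    // also covers subdirectory installs and extra path info after the file.
    $haystack = canonical_request_path($request_uri) . '/';
    foreach ($restricted as $entry) {
        if (strpos($haystack, '/' . strtolower(trim($entry, '/')) . '/') !== false) {
            return true;
        }
    }
    return false;
}

$restricted = ['wp-admin/widgets.php'];   // hypothetical blocklist
$samples = [                               // constructed request URIs
    '/wp-admin/widgets.php',
    '/wp-admin//widgets.php',
    '/blog/wp-admin/widgets.php?x=1',
    '/wp-admin/index.php',
];
foreach ($samples as $uri) {
    printf("%-34s %s\n", $uri, is_restricted_path($uri, $restricted) ? 'blocked' : 'allowed');
}
```

In a real request handler the input would be `$_SERVER['REQUEST_URI']`. A path blocklist like this only narrows the gap; a capability check still decides what the user is actually allowed to do.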