currently the interface is set up to set create permissions for cardtypes on the *tform; but the permission that's checked on the backend is on the Cardtype itself. results in anyone having access to ruby cards and other Bad Things.
put the interface in the cardtype options.
Committed revision 681.