If a user with protect permission protects a page using APISandbox they can protect the page to a higher protection level than they can edit. If action=edit and action=protect are not restricted, the user can also unprotect the page
How to reproduce
- Add the following to LocalSettings.php:
$wgGroupPermissions['protect']['protect'] = true;
- Create an account and assign it to the protect group (for example, using maintenance scripts, php maintenance/createAndPromote.php --custom-groups protect TestUser TestPassword)
- Login as the newly created user
- Go to index.php?title=TestPage&action=protect
- see that user can't protect to "allow only administrators"
- Go to index.php?title=Special:ApiSandbox#action=protect&format=json&title=TestPage&protections=create%3Dsysop
- you can also choose other protection levels and types from $wgRestrictionLevels and $wgRestrictionTypes respectively
- click action=protect
- hit "auto-fill the token"
- hit "make request"
- Go to index.php?title=TestPage&action=history
- see that page is protected so that only administrators may create it
- You can also remove the protection level again by going to Special:ApiSandbox#action=protect&format=json&title=TestPage&protections=create%3Dall
- this doesn't work if you've previously restricted the edit and/or protect types
(Credit for finding this goes to my friend Magiczocker10)