If a user with `protect` permission protects a page using APISandbox they can protect the page to a higher protection level than they can edit. If action=edit and action=protect are not restricted, the user can also unprotect the page
=== How to reproduce
- Add the following to `LocalSettings.php`:
```lang=php
$wgGroupPermissions['protect']['protect'] = true;
```
- Create an account and assign it to the `protect` group (for example, using maintenance scripts, `php maintenance/createAndPromote.php --custom-groups protect TestUser TestPassword`)
- Login as the newly created user
- Go to `index.php?title=TestPage&action=protect`
- see that user can't protect to "allow only administrators"
- {F33984557}
- Go to `index.php?title=Special:ApiSandbox#action=protect&format=json&title=TestPage&protections=create%3Dsysop`
- you can also choose other protection levels and types from `$wgRestrictionLevels` and `$wgRestrictionTypes` respectively
- {F33984567}
- Go to `index.php?title=TestPage&action=history`
- see that page is protected so that only administrators may create it
- {F33984569}
- You can also remove the protection level again by going to `Special:ApiSandbox#action=protect&format=json&title=TestPage&protections=create%3Dall`
- this doesn't work if you've previously restricted the `edit` and/or `protect` types
(Credit for finding this goes to my friend Magiczocker10)