For consistency, &action=protect and &action=unprotect should give "permission denied" errors and not show the interface if the user doesn't have appropriate permissions. This is the way &action=delete and Special:MovePage work.
Version: unspecified
Severity: enhancement