When a user views the source for a page he can't edit a lock is created. Thus users that can't edit a page can prevent other users from editing pages. There seems to be no protection in the ajax request for creating locks and drafts, i.e. there is no check if the user requesting the page has any permission for viewing or editing the page he wants to lock and save a draft for. Thus users without any permissions can create locks and drafts. I haven't tried out the ajax problem, but I've reproduced the other problem that has already been reported as part of
FS#2262
I think locks should only be created when the current page is writable by the current user ($INFO['writable'] is set) which should be checked both in act_edit() and in the ajax calls. This should fix both problems.
I'll implement and test a fix for both problems during the next day(s).