We recently discovered a loophole which allowed a site member without appropriate permissions to open any post on their site in the editor, however a back end permission check would prevent changes from being saved.

This loophole has been patched; now the permission check is performed when the post is opened in addition to when it is saved.