Test failures on 8.7 since #2869426

Okay, this first fix is sort of indirect. We were throwing an AccessDenied where we shouldn't have been because of a misreading of the spec. We had this:

if (isset($document['data']['id']) && !Uuid::isValid($document['data']['id'])) {
  // This should be a 422 response, but the JSON:API specification dictates
  // a 403 Forbidden response. We follow the specification.
  throw new EntityAccessDeniedHttpException(NULL, AccessResult::forbidden(), '/data/id', 'IDs should be properly generated and formatted UUIDs as described in RFC 4122.');
}

But the spec actually says:

A server MUST return 403 Forbidden in response to an unsupported request to create a resource with a client-generated ID.

The operative phrase that was misread was "in response to an unsupported request". We do support client-generated UUIDs. Later in the spec it says:

A server MAY respond with other HTTP status codes. ... A server MUST prepare responses, and a client MUST interpret responses, in accordance with HTTP semantics.

What this means is that because we do support client-generated UUIDs and since the UUID was malformed, 422 Unprocessable Entity is the semantically correct response.

This avoids inappropriately throwing an AccessDeniedException which led to one of the test failures.

More to come.

Next, it looks like access denied $reason is now being appropriately bubbled up. We just need to update test expectations for those.

More expectations updates. These will need Drupal::VERSION conditions added, but for now I just want to get 8.7 passing.

This should get 8.7 green.

It did! So, here are the version conditions. This interdiff will need to reverted in #3015325: [ignore] support issue for the core patch.

Green on 8.5, 8.6 & 8.7. Committing.

I'll open a backport for the 1.x branch next.