diff -u b/core/modules/file/file.module b/core/modules/file/file.module
--- b/core/modules/file/file.module
+++ b/core/modules/file/file.module
@@ -665,8 +665,12 @@
 foreach ($field_references as $entity_type => $entities) {
 foreach ($entities as $entity) {
 $field = field_info_field($field_name);
- // Check if access to this field is not disallowed.
- if (!$entity->access('view') || !field_access('view', $field, $entity_type, $entity)) {
+ // First check the download operation of the entity, which allows to
+ // implement specific checks. If that returns NULL, fall back to view
+ // operation. Also check if access to this field is allowed.
+ $download_access = $entity->access('download');
+ $entity_access = $download_access !== NULL ? $download_access : $entity->access('view');
+ if (!$entity_access || !field_access('view', $field, $entity_type, $entity)) {
 $denied = TRUE;
 continue;
 }
only in patch2: unchanged:
--- a/core/lib/Drupal/Core/Entity/EntityAccessController.php
+++ b/core/lib/Drupal/Core/Entity/EntityAccessController.php
@@ -54,7 +54,7 @@ public function access(EntityInterface $entity, $operation, $langcode = LANGUAGE
 }
 else {
 // No result from hook, so entity checks are done.
- $return = (bool) $this->checkAccess($entity, $operation, $langcode, $account);
+ $return = $this->checkAccess($entity, $operation, $langcode, $account);
 }
 return $this->setCache($return, $entity, $operation, $langcode, $account);
 }
@@ -132,7 +132,7 @@ protected function setCache($access, EntityInterface $entity, $operation, $langc
 $uuid = $entity->uuid();
 // Save the given value in the static cache and directly return it.
- return $this->accessCache[$uid][$uuid][$langcode][$operation] = (bool) $access;
+ return $this->accessCache[$uid][$uuid][$langcode][$operation] = $access;
 }
 /**
only in patch2: unchanged:
--- a/core/modules/comment/lib/Drupal/comment/CommentAccessController.php
+++ b/core/modules/comment/lib/Drupal/comment/CommentAccessController.php
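Review bot: The fallback to `$entity->access('view')` only behaves as intended if every access controller returns NULL, not FALSE, for an operation it does not implement; an entity type whose `checkAccess()` answers FALSE to an unknown 'download' operation would deny downloads that the old 'view'-only check allowed, and nothing in the hunk states that tri-state contract. Because `setCache()` in the accompanying EntityAccessController change now stores the raw value, it is also worth confirming that the cache lookup (not shown in this diff) distinguishes a cached NULL from "not cached" — if it relies on `isset()`, a NULL 'download' result would be recomputed on every call. The comment would be clearer stated as the contract it depends on: `// NULL means the access controller has no opinion on 'download'; only then fall back to the 'view' operation.` The enclosing function begins and ends outside the hunk.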
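Review bot: Dropping the `(bool)` cast in `access()` lets any non-boolean value a `checkAccess()` implementation happens to return (an object, a string, an int) reach callers and the static cache unnormalized, where previously every result was TRUE or FALSE; the cast removed in `setCache()` in the next hunk has the same effect. If the intent is only to let NULL through as "no opinion", keep the normalization for everything else: `$access = $this->checkAccess($entity, $operation, $langcode, $account);` followed by `$return = $access === NULL ? NULL : (bool) $access;`. The new TRUE/FALSE/NULL contract should also be written into the `checkAccess()` docblock (outside this hunk) since every subclass now has to honour it, and any caller that compares the result with `=== TRUE` or `=== FALSE` would need checking. Both enclosing methods start outside their hunks.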
@@ -24,7 +24,7 @@ class CommentAccessController extends EntityAccessController {
 protected function checkAccess(EntityInterface $entity, $operation, $langcode, User $account) {
 switch ($operation) {
 case 'view':
- return user_access('access comments', $account);
+ return user_access('access comments') && $entity->status->value == COMMENT_PUBLISHED || user_access('administer comments');
 break;
 case 'create':
@@ -42,6 +42,16 @@ protected function checkAccess(EntityInterface $entity, $operation, $langcode, U
 case 'approve':
 return user_access('administer comments', $account);
 break;
+
+ case 'download':
+ // Only check access to the parent node for the download operation as
+ // we assume that viewing a comment happens on the node page and access
+ // for that was checked separately.
+ if (user_access('access comments') && $entity->status->value == COMMENT_PUBLISHED || user_access('administer comments')) {
+ return node_access('view', $entity->nid->entity);
+ }
+ return FALSE;
+ break;
 }
 }
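Review bot: The rewritten 'view' branch calls `user_access()` without the `$account` argument, so the permission check now runs against the global current user rather than the `User $account` the method was asked about; the removed line did pass `$account`, and the new 'download' case in the following hunk repeats the omission in both `user_access()` calls and in `node_access()`. Restoring the argument and making the `&&`/`||` precedence explicit: `return (user_access('access comments', $account) && $entity->status->value == COMMENT_PUBLISHED) || user_access('administer comments', $account);`. Without this, a controller queried for a different account (e.g. from a cron or access-audit context) returns the wrong answer, and the static cache keyed by that account then retains it. The switch continues outside the hunk.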
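Review bot: The published-or-administer condition in the new 'download' case duplicates the 'view' branch above it, so the two rules can drift apart the next time one is edited; delegating keeps them in step: `if ($this->checkAccess($entity, 'view', $langcode, $account)) {`. `$entity->nid->entity` is passed to `node_access()` unchecked — if a comment's parent node cannot be loaded that value may be NULL, so a guard returning FALSE is worth adding unless `node_access()` is known to handle a NULL node. The `break;` after `return FALSE;` is unreachable, though it mirrors the existing cases in this switch.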