diff --git a/core/modules/rest/src/Plugin/ResourceBase.php b/core/modules/rest/src/Plugin/ResourceBase.php
index ef16078..d0d22a3 100644
--- a/core/modules/rest/src/Plugin/ResourceBase.php
+++ b/core/modules/rest/src/Plugin/ResourceBase.php
@@ -207,7 +207,11 @@ protected function getBaseRoute($canonical_path, $method) {
       '_method' => $method,
       '_permission' => "restful $lower_method $this->pluginId",
     ), array(
-      '_access_mode' => AccessManagerInterface::ACCESS_MODE_ANY,
+      // All access restrictions on this route must grant access because the
+      // permission AND the CSRF protection added in
+      // \Drupal\rest\Routing\ResourceRoutes::alterRoutes() must be taken into
+      // account.
+      '_access_mode' => AccessManagerInterface::ACCESS_MODE_ALL,
     ));
     return $route;
   }
diff --git a/core/modules/rest/src/Tests/CreateTest.php b/core/modules/rest/src/Tests/CreateTest.php
index 9a6b66e..d125f1b 100644
--- a/core/modules/rest/src/Tests/CreateTest.php
+++ b/core/modules/rest/src/Tests/CreateTest.php
@@ -76,6 +76,30 @@ public function testCreateResourceRestApiNotEnabled() {
   }
 
   /**
+   * Ensure that an entity cannot be created without the restful permission.
+   */
+  public function testCreateWithoutPermission() {
+    $entity_type = 'entity_test';
+    // Enables the REST service for 'entity_test' entity type.
+    $this->enableService('entity:' . $entity_type, 'POST');
+    $permissions = $this->entityPermissions($entity_type, 'create');
+    // Create a user without the 'restful post entity:entity_test permission.
+    $account = $this->drupalCreateUser($permissions);
+    $this->drupalLogin($account);
+    // Populate some entity properties before create the entity.
+    $entity_values = $this->entityValues($entity_type);
+    $entity = EntityTest::create($entity_values);
+
+    // Serialize the entity before the POST request.
+    $serialized = $this->serializer->serialize($entity, $this->defaultFormat, ['account' => $account]);
+
+    // Create the entity over the REST API.
+    $this->httpRequest('entity/' . $entity_type, 'POST', $serialized, $this->defaultMimeType);
+    $this->assertResponse(403);
+    $this->assertFalse(EntityTest::loadMultiple(), 'No entity has been created in the database.');
+  }
+
+  /**
    * Tests several valid and invalid create requests for 'entity_test' entity type.
    */
   public function testCreateEntityTest() {
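Review bot: testCreateWithoutPermission exercises only the permission half of the ACCESS_MODE_ALL change in ResourceBase::getBaseRoute; a companion case that logs in a user who does hold the 'restful post entity:entity_test' permission but sends the POST without the CSRF token would pin the other check that the new route comment says must now also pass, which is the regression this commit is guarding against. Two wording issues in the added comments: the one above `$account` has an unbalanced quote and should read `// Create a user without the 'restful post entity:entity_test' permission.`, and `// Populate some entity properties before create the entity.` should be `before creating the entity`. The closing assertion relies on `assertFalse()` treating an empty array as false; `$this->assertTrue(empty(EntityTest::loadMultiple()), 'No entity has been created in the database.');` states the intent directly (assuming Simpletest's assertFalse negates truthiness, as it appears to here). The last context line opens testCreateEntityTest, whose body continues outside the hunk.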
