.../src/Plugin/rest/resource/EntityResource.php | 32 ++++++++++++++++------
1 file changed, 24 insertions(+), 8 deletions(-)
diff --git a/core/modules/rest/src/Plugin/rest/resource/EntityResource.php b/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
index c15ee3d..00a0270 100644
--- a/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
+++ b/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
@@ -155,6 +155,10 @@ public function post(EntityInterface $entity = NULL) {
 throw new BadRequestHttpException('No entity content received.');
 }
+ $entity_access = $entity->access('create', NULL, TRUE);
+ if (!$entity_access->isAllowed()) {
+ throw new AccessDeniedHttpException($entity_access->getReason() ?: $this->generateFallbackAccessDeniedMessage($entity, 'create'));
+ }
 $definition = $this->getPluginDefinition();
 // Verify that the deserialized entity is of the type that we expect to
 // prevent security issues.
@@ -308,6 +312,26 @@ public function delete(EntityInterface $entity) {
 }
 /**
+ * Generates a fallback access denied message, when no specific reason is set.
+ *
+ * @param \Drupal\Core\Entity\EntityInterface $entity
+ * The entity object.
+ * @param string $operation
+ * The disallowed entity operation.
+ *
+ * @return string
+ * The proper message to display in the AccessDeniedHttpException.
+ */
+ protected function generateFallbackAccessDeniedMessage(EntityInterface $entity, $operation) {
+ $message = "You are not authorized to {$operation} this {$entity->getEntityTypeId()} entity";
+
+ if ($entity->bundle() !== $entity->getEntityTypeId()) {
+ $message .= " of bundle {$entity->bundle()}";
+ }
+ return "{$message}.";
+ }
+
+ /**
 * {@inheritdoc}
 */
 public function permissions() {
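Review bot: The new create-access check is placed before the type verification that immediately follows it (`// Verify that the deserialized entity is of the type that we expect to prevent security issues.`), so `$entity->access('create', NULL, TRUE)` is evaluated on whatever entity class the deserializer produced, before it is confirmed to be the entity type this resource serves; moving the four added lines below that verification keeps the authorization decision on a vetted entity. With the route-level `_entity_create_access` requirement dropped in the `getBaseRoute()` hunk, this in-method check appears to be the only create authorization left on POST, and if `$entity` is deserialized before `post()` runs, as the signature suggests, unauthorized callers are now refused only after the deserializer has processed their payload. A short comment recording that trade-off, e.g. `// Access is checked here rather than on the route so the bundle of the deserialized entity is taken into account.`, would help future readers understand why the route requirement is gone. The body of `post()` continues outside the hunk.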
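Review bot: `generateFallbackAccessDeniedMessage()` decides whether to append the bundle by comparing `$entity->bundle()` with `$entity->getEntityTypeId()`, which leans on the convention that bundle-less entity types report their type ID as their bundle; if I read the entity API right, the intent is stated more directly as `if ($entity->getEntityType()->hasKey('bundle')) {`. Both `getEntityTypeId()` and `bundle()` are also called twice while building the string; capturing each once in a local before composing `$message` avoids the repeated lookups. The docblock should additionally say that the returned text is emitted verbatim in the 403 response body, so it must stay free of internal detail beyond the type and bundle machine names the client already supplied.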
@@ -332,14 +356,6 @@ protected function getBaseRoute($canonical_path, $method) {
 case 'GET':
 $route->setRequirement('_entity_access', $this->entityType->id() . '.view');
 break;
- case 'POST':
- if ($this->entityType->getBundleEntityType()) {
- $route->setRequirement('_entity_create_access', $this->entityType->id() . ':{' . $this->entityType->getBundleEntityType() . '}');
- }
- else {
- $route->setRequirement('_entity_create_access', $this->entityType->id());
- }
- break;
 case 'PATCH':
 $route->setRequirement('_entity_access', $this->entityType->id() . '.update');
 break;