.../src/Plugin/rest/resource/EntityResource.php | 22 ++++------------------ 1 file changed, 4 insertions(+), 18 deletions(-)
diff --git a/core/modules/rest/src/Plugin/rest/resource/EntityResource.php b/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
index c82637e..d11e44e 100644
--- a/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
+++ b/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
@@ -240,26 +240,12 @@ public function patch(EntityInterface $original_entity, EntityInterface $entity
 continue;
 }
- // If the user has access to view the field, we need to check update
- // access regardless of the field value to avoid information disclosure.
- // (Otherwise the user may try PATCHing with value after value, until they
- // send the current value for the field, and then they won't get a 403
- // response anymore, which indicates that the value they sent in the PATCH
- // request body matches the current value.)
- if (!$original_field->access('view')) {
- if (!$original_field->access('edit')) {
- throw new AccessDeniedHttpException("Access denied on updating field '$field_name'.");
- }
- }
- // Check access for all received fields, but only if they are being
- // changed. The bundle of an entity, for example, must be provided for
- // denormalization to succeed, but it may not be changed.
- elseif (!$original_field->equals($field)) {
- if (!$original_field->access('edit')) {
- throw new AccessDeniedHttpException("Access denied on updating field '$field_name'.");
- }
+ if ($original_field->access('edit')) {
 $original_entity->set($field_name, $field->getValue());
 }
+ elseif (!$original_field->access('view') || !$original_field->equals($field)) {
+ throw new AccessDeniedHttpException("Access denied on updating field '$field_name'.");
+ }
 }
 // Validate the received data before saving.
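Review bot: The new `elseif` still refuses a field the user cannot view regardless of whether the submitted value matches the stored one, but the removed block also carried the comment explaining why, and that rationale is gone, so nothing now stops a later "only check access when the value actually changed" cleanup from reintroducing the value-guessing oracle (PATCH value after value until the 403 disappears). Keep the reasoning next to the condition, for example above the `elseif`: `// Deny non-viewable fields even when the value is unchanged: comparing first would let a caller probe a hidden field's value by PATCHing until the 403 stops.` together with a second line noting that unchanged viewable fields (e.g. the bundle, which denormalization requires) are accepted without edit access. Dropping a six-line security comment in a four-line refactor is worth a sentence in the commit message as well. The `patch()` method begins and ends outside this hunk, so where `$original_field` and `$field` come from is assumed from the surrounding code.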