diff --git a/core/modules/user/lib/Drupal/user/UserAccessController.php b/core/modules/user/lib/Drupal/user/UserAccessController.php
index e9f16a7..edeff44 100644
--- a/core/modules/user/lib/Drupal/user/UserAccessController.php
+++ b/core/modules/user/lib/Drupal/user/UserAccessController.php
@@ -28,10 +28,10 @@ public function viewAccess(EntityInterface $entity, $langcode = LANGUAGE_DEFAULT
 // Never allow access to view the anonymous user account.
 if ($uid) {
 // Admins can view all, users can view own profiles at all times.
- if ($account->uid == $uid || user_access('administer users')) {
+ if ($account->uid == $uid || user_access('administer users', $account)) {
 return TRUE;
 }
- elseif (user_access('access user profiles')) {
+ elseif (user_access('access user profiles', $account)) {
 // Only allow view access if the account is active.
 return $entity->status;
 }
@@ -55,7 +55,7 @@ public function updateAccess(EntityInterface $entity, $langcode = LANGUAGE_DEFAU
 }
 // Users can always edit their own account. Users with the 'administer
 // users' permission can edit any account except the anonymous account.
- return (($account->uid == $entity->uid) || user_access('administer users')) && $entity->uid > 0;
+ return (($account->uid == $entity->uid) || user_access('administer users', $account)) && $entity->uid > 0;
 }
 
 /**
@@ -68,7 +68,7 @@ public function deleteAccess(EntityInterface $entity, $langcode = LANGUAGE_DEFAU
 // Users with 'cancel account' permission can cancel their own account,
 // users with 'administer users' permission can cancel any account except
 // the anonymous account.
- return ((($account->uid == $entity->uid) && user_access('cancel account')) || user_access('administer users')) && $account->uid > 0;
+ return ((($account->uid == $entity->uid) && user_access('cancel account', $account)) || user_access('administer users', $account)) && $entity->uid > 0;
 }
 
 }
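Review bot: The `elseif` branch of `viewAccess` returns `$entity->status` as the access result, so the caller receives the raw field value while the branch above returns `TRUE`; `return (bool) $entity->status;` would keep the result a boolean for any caller that compares strictly. Both permission checks are now evaluated against `$account` instead of the current user, so a test that passes an `$account` different from the logged-in user would pin that behaviour; the same applies to the `updateAccess` and `deleteAccess` hunks. The method body starts and ends outside the hunk, so how `$account` and `$uid` are set is not visible here.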
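Review bot: The guard on the acting user is dropped in the new `return` of `deleteAccess`: `$account->uid > 0` becomes `$entity->uid > 0`, which is a second behaviour change beyond passing `$account` to `user_access()`. The anonymous target account is now protected, as the comment above the line says, but an anonymous `$account` that has been granted 'administer users' is no longer rejected by this expression. If that is intended, state it next to the code, e.g. `// The uid > 0 check applies to the account being cancelled, not to the acting user.`, and cover both cases (cancelling uid 0 as an admin, and cancelling as an anonymous `$account`) in a test. The start of the method is outside the hunk.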