Change record status: 
Project: 
Introduced in branch: 
8.2.x
Introduced in version: 
8.2.0
Description: 

When accessing entities via REST, you needed:

  • the restful get entity:node permission to view nodes
  • the restful post entity:node permission to create nodes
  • the restful patch entity:comment permission to update comments
  • and so on

This was actually only meant to be a temporary measure, because we already have an Entity Access API that governs access/operations to/on those entities. And in fact, Entity Access is respected when accessing entities via REST. So, there was no more reason for this to exist in Drupal 8.0.x and Drupal 8.1.x, but it was simply forgotten to be removed before Drupal 8.0.0's release.
The fact that you needed to grant both those permissions as well as Entity Access needing to grant you access, was a source of confusion and frustration with Drupal 8's REST API, which has now been fixed.

So, as of Drupal 8.2.0, new installations no longer need those permissions to access entities via REST. Existing installations continue to have the old behavior. Existing sites can opt out of that behavior, and opt in to the new behavior, by modifying the rest.settings configuration from

bc_entity_resource_permissions: true

to

bc_entity_resource_permissions: false

(The latter is the default on new Drupal 8.2 installations.)

Impacts: 
Module developers
Updates Done (doc team, etc.)
Online documentation: 
Not done
Theming guide: 
Not done
Module developer documentation: 
Module developer documentation done
Examples project: 
Not done
Coder Review: 
Not done
Coder Upgrade: 
Not done
Other: 
Other updates done