I noticed that when trying to access an unpublished node it will return an HTTP code 200 without any content.

Example
HN response status 200 for unpublished node

Currently the module will check if the user has the permission 'access content', but it seems that this will not guarantee that access to the node is denied, as the module will load the node 'manually'. So extra checking needs to be done to see if the node is unpublished or if the user has access to that node/path.

I was wondering which is the best way to approach this problem. Definitely access should be checked in the beginning to prevent delivering a cached version (by another user). This means we can't create an AccessResolver and include it in the normal Resolver loop as it would be called too late. This could be one solution:

if (!Url::fromUserInput('/' . trim($path, '/'))->access()) {
  $path = $this->config->get('system.site')->get('page.403');
  $status = 403;
}

Instead of

if (!$this->currentUser->hasPermission('access content')) {
  $path = $this->config->get('system.site')->get('page.403');
  $status = 403;
}

It will check with Drupal for the right permissions for the entered route and not only nodes. But with this solution I found a problem: when invoking the 403 system page, it will load the module and return status = 200 as it was loaded without problems. I think we

I am providing a possible patch in the next comment with these changes but I believe it really needs work.

Marcos.
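As an added example (not code from the HN module or from the patch attached to this issue), the following helper combines the two ideas above: it asks the routing system whether the account may reach the path at all, and for node routes it additionally runs entity access, so that an unpublished node is denied before any cached response could be served. It also keeps the 403 status when the configured 403 page is rendered, which the original check lost. The function name `resolveAccess` and the injected `$currentUser` and `$config` services are assumptions for illustration.

```php
<?php
// Added example, not part of the HN module: decide which path and HTTP status to
// serve for a requested path. resolveAccess, $currentUser and $config are assumed names.

use Drupal\Core\Config\ConfigFactoryInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\Core\Url;
use Drupal\node\NodeInterface;

function resolveAccess(string $path, AccountInterface $currentUser, ConfigFactoryInterface $config): array {
  $path = '/' . trim($path, '/');
  $url = Url::fromUserInput($path);

  // Route-level access: unlike a bare 'access content' permission check, this
  // covers non-node routes too. Unrouted paths (no Drupal route) are refused here
  // because Url::access() returns TRUE for them without checking anything.
  $allowed = $url->isRouted() && $url->access($currentUser);

  // Entity-level access for node routes: the node access handler denies 'view'
  // on unpublished nodes unless the account has an explicit permission for them
  // (owner with 'view own unpublished content', or 'bypass node access').
  if ($allowed) {
    $params = $url->getRouteParameters();
    if (isset($params['node'])) {
      $node = \Drupal::entityTypeManager()->getStorage('node')->load($params['node']);
      $allowed = $node instanceof NodeInterface && $node->access('view', $currentUser);
    }
  }

  if (!$allowed) {
    // Serve the site's configured 403 page but carry the 403 status separately:
    // the 403 page itself loads fine, so its own load must not report 200.
    $page403 = $config->get('system.site')->get('page.403');
    return ['path' => $page403 !== '' ? $page403 : '/', 'status' => 403];
  }

  return ['path' => $path, 'status' => 200];
}
```

The caller must pass `status` through to the response it builds, and because the result depends on the account's permissions and the node's published state, any cached response must vary by those (for example the `user.permissions` cache context plus the node's cache tags).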

Comments

otrolopezmas created an issue. See original summary.

otrolopezmas commented:

Attached patch file (status: new, 1.09 KB)

As I said, here it's a possible patch, but I think it needs work, more than changing the actual code, to include a new element to check the access.

otrolopezmas commented:

Status: Active » Needs review

otrolopezmas commented:

I have been looking at this again and I think we should first resolve the topic that HN does not support context cache. That way we can cache by user and then implement permission checking as a first level, without worrying about doing a check and after that returning the cached version.