Change record status: 
Project: 
Introduced in branch: 
8.x-1.x, 8.x-2.x
Introduced in version: 
8.x-1.24, 8.x-2.0-rc4
Description: 

Prior to SA-CONTRIB-2018-081, JSON:API permitted users to filter by fields and entities to which a user may not have access. Since versions 8.x-1.24 and 8.x-2.0-rc4, that is no longer possible.

This means that filters cannot be used to deduce restricted data. However, some filtered collections may now return fewer (or no!) results.

To restore those results without reopening the leak, JSON:API needs access information that Drupal core's APIs do not yet provide. Therefore, three new hooks are available:

hook_jsonapi_entity_filter_access(EntityTypeInterface $entity_type, AccountInterface $account)
hook_jsonapi_ENTITY_TYPE_filter_access(EntityTypeInterface $entity_type, AccountInterface $account)
hook_jsonapi_entity_field_filter_access(FieldDefinitionInterface $field_definition, AccountInterface $account)

These hooks are extensively documented in jsonapi.api.php and there are many examples for core entity types in jsonapi.module.

These hooks do not need to be implemented for core entity types, unless custom access restrictions apply to them. Contrib and custom modules are expected to implement these themselves.
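The following is an added illustration of what a custom module's implementations of the three hooks can look like; it is not code from the JSON:API project or from this change record. It assumes a hypothetical module "mymodule" that defines a custom entity type "secret_note" (with an owner), a field "field_internal_notes" on it, and the permissions "administer secret notes" and "view own secret notes". The JSONAPI_FILTER_AMONG_ALL and JSONAPI_FILTER_AMONG_OWN constants are the ones documented in jsonapi.api.php rather than on this page; check that your installed version defines them before relying on them.

```php
<?php

/**
 * @file
 * Hypothetical mymodule.module: JSON:API filter-access hooks for a custom
 * entity type. Added illustration, not code from the JSON:API project.
 *
 * Assumptions (not stated on the change record):
 * - A custom entity type "secret_note" with an owner and a field
 *   "field_internal_notes" exists and is provided by this module.
 * - Permissions "administer secret notes" and "view own secret notes" are
 *   defined by this module.
 * - JSONAPI_FILTER_AMONG_ALL / JSONAPI_FILTER_AMONG_OWN are the constants
 *   documented in jsonapi.api.php; verify they exist in your version.
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityTypeInterface;
use Drupal\Core\Field\FieldDefinitionInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Implements hook_jsonapi_entity_filter_access().
 *
 * Generic rule for every entity type this module provides: users holding the
 * entity type's admin permission may filter across all entities of that type.
 * Other modules' entity types are left to their own implementations.
 */
function mymodule_jsonapi_entity_filter_access(EntityTypeInterface $entity_type, AccountInterface $account) {
  if ($entity_type->getProvider() !== 'mymodule') {
    return [];
  }
  $admin_permission = $entity_type->getAdminPermission();
  if (!$admin_permission) {
    return [];
  }
  return [
    JSONAPI_FILTER_AMONG_ALL => AccessResult::allowedIfHasPermission($account, $admin_permission),
  ];
}

/**
 * Implements hook_jsonapi_ENTITY_TYPE_filter_access() for "secret_note".
 *
 * Entity-type-specific rule: a user who may only view their own notes may
 * filter only among the notes they own. Without the "own" grant, such users
 * would now receive empty collections for every filtered request.
 */
function mymodule_jsonapi_secret_note_filter_access(EntityTypeInterface $entity_type, AccountInterface $account) {
  return [
    JSONAPI_FILTER_AMONG_ALL => AccessResult::allowedIfHasPermission($account, 'administer secret notes'),
    JSONAPI_FILTER_AMONG_OWN => AccessResult::allowedIfHasPermission($account, 'view own secret notes'),
  ];
}

/**
 * Implements hook_jsonapi_entity_field_filter_access().
 *
 * Field-level rule: a restricted field must not be usable as a filter by
 * anyone who cannot read it, since matching against it would otherwise let a
 * caller deduce its contents. An explicit "forbidden" result takes precedence;
 * a neutral result defers to the field's normal "view" access check.
 */
function mymodule_jsonapi_entity_field_filter_access(FieldDefinitionInterface $field_definition, AccountInterface $account) {
  if ($field_definition->getTargetEntityTypeId() === 'secret_note'
    && $field_definition->getName() === 'field_internal_notes') {
    $can_read = $account->hasPermission('administer secret notes');
    // The result depends on the account's permissions, so cache it per
    // permissions rather than globally.
    return AccessResult::forbiddenIf(!$can_read)->cachePerPermissions();
  }
  return AccessResult::neutral();
}
```

Two design points are worth keeping in mind when writing your own implementations. First, the entity-level hooks return an array keyed by the "among" constants, and an empty array means "no opinion"; returning a neutral or absent grant is what makes a filtered collection come back empty, so the "own" and "published"-style grants are where most of the restored results come from. Second, the field-level hook should return forbidden (cached per permissions) for fields whose contents must never be probed, and neutral otherwise, so that the field's ordinary view access still applies rather than being silently widened.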

These hooks are meant to be a temporary measure and will be deprecated when a core API exists. To follow the core issue, see #777578: Add an entity query access API and deprecate hook_query_ENTITY_TYPE_access_alter() and the Entity module's implementation at #2909970: Implement a query-level entity access API.

Impacts: 
Site builders, administrators, editors
Module developers