EntityResource::patchIndividual() should allow fields that the user is not allowed to change, as long as they match the current value

There's no need for any warning at all when sending unchanged values for fields. That means you don't intend to change anything. Receiving warnings for things that are fine and safe seems unnecessarily scary?

In that same issue, we ran into #2824851-157: EntityResource::patch() makes an incorrect assumption about entity keys, hence results in incorrect behavior:

[…] UserResourceTestBase::testPatchDxForSecuritySensitiveBaseFields() REST tests are failing […]

This is because \Drupal\user\Plugin\Validation\Constraint\ProtectedUserFieldConstraintValidator::validate() calls \Drupal\user\Entity\User::checkExistingPassword() which checks $user->get('pass')->existing … which … no longer gets set since #148 because it now only sets a value if it is different from the current value. Before, it was always being set.

And then in #2824851-194: EntityResource::patch() makes an incorrect assumption about entity keys, hence results in incorrect behavior:

[…]
Well … I actually investigated it a bit more, but still wanted to post that. The original reason for introducing that is at #157. And that reasoning was correct: the pass field was no longer being set for fields whose value hadn't changed.
But! Thanks to @cburschka's analysis, we ended up with a different implementation, which does always set the value. So actually, we didn't need the special casing of User's pass field anymore!

The patch in #3 also fixes this case: it ensures that User's pass field always gets set.

This issue should therefore also re-activate the test coverage that #2930028-54: Comprehensive JSON API integration test coverage phase 1: for every entity type, individual resources only is adding in \Drupal\Tests\jsonapi\Functional\UserTest::testPatchSecurityOtherUser()

Rebased.

#2930028: Comprehensive JSON API integration test coverage phase 1: for every entity type, individual resources only (and #2932031: Comprehensive JSON API integration test coverage phase 2: for every entity type, complex use-cases) landed, this can now be worked on.

Rebased #7 (had to fix some conflicts).

That worked … for everything except File. Same exact failure on 8.4 and 8.6. Investigating…

That failed because jsonapi is adding a url computed field (which we'll deprecate in #2926463: [>=8.5] Remove JSON API's "file URL" field work-around now that Drupal core 8.5 fixed it), and the class corresponding to it does not compute it at all necessary times. This is similar to what we saw in Drupal core with Node's path field. To solve that, we did #2392845: Add a trait to standardize handling of computed item lists, which introduced a trait to standardize how computed field classes should behave, to prevent the same class of bugs from appearing everywhere.

In this case, it's failing because comparing the stored File entity's url field value with the value in the PATCH request concluded that the stored and received values were not the same. But they really are.

The solution is simple: updating \Drupal\jsonapi\Field\FileDownloadUrl to use the trait that #2392845 introduced.

#12 is green on both 8.4 and 8.6!

❤️🎉 — this was a very important one to land!