Issue #3395431 by acbramley, smustgrave, larowlan: BlockContent JSON:API...

Issue #3395431 by acbramley, smustgrave, larowlan: BlockContent JSON:API collection endpoint doesn't return unpublished block when filtered without administer block content permission

core/modules/jsonapi/jsonapi.module

@@ -183,6 +183,7 @@ function jsonapi_jsonapi_block_content_filter_access(EntityTypeInterface $entity
   // \Drupal\jsonapi\Access\TemporaryQueryGuard adds the condition for
   // (isReusable()), so this does not have to.
   return ([
+    JSONAPI_FILTER_AMONG_ALL => AccessResult::allowedIfHasPermission($account, 'access block library'),
     JSONAPI_FILTER_AMONG_PUBLISHED => AccessResult::allowed(),
   ]);
 }

core/modules/jsonapi/tests/src/Functional/BlockContentTest.php

@@ -68,6 +68,11 @@ class BlockContentTest extends ResourceTestBase {
   protected function setUpAuthorization($method) {
     switch ($method) {
       case 'GET':
+        $this->grantPermissionsToTestedRole([
+          'access block library',
+        ]);
+        break;
+
       case 'PATCH':
         $this->grantPermissionsToTestedRole([
           'access block library',
@@ -86,6 +91,14 @@ protected function setUpAuthorization($method) {
     }
   }
 
+  /**
+   * {@inheritdoc}
+   */
+  protected function setUpRevisionAuthorization($method) {
+    parent::setUpRevisionAuthorization($method);
+    $this->grantPermissionsToTestedRole(['view any basic block content history']);
+  }
+
   /**
    * {@inheritdoc}
    */