Move user.roles:authenticated cache context around.

core/modules/node/src/NodeAccessControlHandler.php

@@ -207,6 +207,14 @@ protected function checkViewAccess(NodeInterface $node, AccountInterface $accoun
     // we need to add the node as a cacheable dependency.
     $cacheability->addCacheableDependency($node);
 
+    // Due to the check below, it is not possible to rely only on account
+    // permissions to determine whether the 'view own unpublished content'
+    // permission can be checked, instead we also need to check if the user has
+    // the authenticated role. Just in case anonymous and authenticated users
+    // are both granted the 'view own unpublished content' permission and also
+    // have otherwise identical permissions.
+    $cacheability->addCacheContext(['user.roles.authenticated']);
+
     if ($node->isPublished()) {
       return NULL;
     }
@@ -216,7 +224,6 @@ protected function checkViewAccess(NodeInterface $node, AccountInterface $accoun
       return NULL;
     }
 
-    $cacheability->addCacheContexts(['user.roles:authenticated']);
     // The "view own unpublished content" permission must not be granted
     // to anonymous users for security reasons.
     if (!$account->isAuthenticated()) {

core/modules/node/src/NodeGrantDatabaseStorage.php

@@ -121,7 +121,6 @@ public function access(NodeInterface $node, $operation, AccountInterface $accoun
     // know it for a fact.
     $set_cacheability = function (AccessResult $access_result) use ($operation) {
       $access_result->addCacheContexts(['user.node_grants:' . $operation]);
-      $access_result->addCacheContexts(['user.roles.authenticated']);
       if ($operation !== 'view') {
         $access_result->setCacheMaxAge(0);
       }