With the changes in !1271 the access check happens too late in the handling of auto-save items publishing request. If a user submits a list to `ApiAutoSaveController::post()` of entities they have no access to, the entities get filtered out in `ApiAutoSaveController::getPublishableAutoSaves()` via: ``` $access = $item['entity']->access('view label', return_as_object: TRUE); ... return $access->isAllowed() && ($item['is_default_translation'] ?? TRUE); ``` This results in a s set of "publishable auto-save items" that misses the entities the user has submitted. This then fails validation in `ApiAutoSaveController::validateExpectedAutoSaves()` with the HTTP 409 response and error message of `An unexpected item was found in the publish request. Please refresh your page and try again.` The check performing whether the user actually has permissions to perform `update` operation on the entities in the request is never reached (`ApiAutoSaveController` lines 346-371) and therefore no expected `CacheableAccessDeniedHttpException` response returned.