Issue #2272081 by Wim Leers: BlockAccessController::checkAccess() should run...

Issue #2272081 by Wim Leers: BlockAccessController::checkAccess() should run the block plugin's access check last.

core/modules/block/lib/Drupal/block/BlockAccessController.php

@@ -64,13 +64,6 @@ protected function checkAccess(EntityInterface $entity, $operation, $langcode, A
       return FALSE;
     }
 
-    // If the plugin denies access, then deny access.
-    if (!$entity->getPlugin()->access($account)) {
-      return FALSE;
-    }
-
-    // Otherwise, check for other access restrictions.
-
     // User role access handling.
     // If a block has no roles associated, it is displayed for every role.
     // For blocks with roles associated, if none of the user's roles matches
@@ -121,6 +114,14 @@ protected function checkAccess(EntityInterface $entity, $operation, $langcode, A
         return FALSE;
       }
     }
+
+    // If the plugin denies access, then deny access. Apply plugin access checks
+    // last, because it's almost certainly cheaper to first apply Block's own
+    // visibility checks.
+    if (!$entity->getPlugin()->access($account)) {
+      return FALSE;
+    }
+
     return TRUE;
   }