From e071723f851bcafc27ddf3cec4dafaee1e9598f2 Mon Sep 17 00:00:00 2001
From: webchick <webchick@24967.no-reply.drupal.org>
Date: Wed, 21 May 2014 20:54:37 -0700
Subject: [PATCH] Issue #2272081 by Wim Leers:
 BlockAccessController::checkAccess() should run the block plugin's access
 check last.

---
 .../lib/Drupal/block/BlockAccessController.php    | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/core/modules/block/lib/Drupal/block/BlockAccessController.php b/core/modules/block/lib/Drupal/block/BlockAccessController.php
index 9e4e472eef08..3bd9fb3d4d45 100644
--- a/core/modules/block/lib/Drupal/block/BlockAccessController.php
+++ b/core/modules/block/lib/Drupal/block/BlockAccessController.php
@@ -64,13 +64,6 @@ protected function checkAccess(EntityInterface $entity, $operation, $langcode, A
       return FALSE;
     }
 
-    // If the plugin denies access, then deny access.
-    if (!$entity->getPlugin()->access($account)) {
-      return FALSE;
-    }
-
-    // Otherwise, check for other access restrictions.
-
     // User role access handling.
     // If a block has no roles associated, it is displayed for every role.
     // For blocks with roles associated, if none of the user's roles matches
@@ -121,6 +114,14 @@ protected function checkAccess(EntityInterface $entity, $operation, $langcode, A
         return FALSE;
       }
     }
+
+    // If the plugin denies access, then deny access. Apply plugin access checks
+    // last, because it's almost certainly cheaper to first apply Block's own
+    // visibility checks.
+    if (!$entity->getPlugin()->access($account)) {
+      return FALSE;
+    }
+
     return TRUE;
   }
 
-- 
GitLab