hook_node_access_records unexpectedly restricts access when an entity reference doesn't exist

Problem/Motivation

A view with an EntityReference relation does not show all results when a node access module is active. Items with a referenced node are shown depending on whether the user has permissions to view the parent and child node or not. But items without a referenced node are never shown.

Basically the generated SQL looks like this:

SELECT /* columns to select */
FROM {node} node
/* Joins etc. */
WHERE
/* Views generated condition SQL */
AND
  /* node_access checks for the node table */
  EXISTS(
    SELECT na.id AS nid FROM [node_access} na
    WHERE /* conditions */
    AND (node.nid = na.nid) /* node.nid from parent query to check if user has permission for that node */
 )L
AND
  /* node_access checks for the relation table */
  EXISTS(
    SELECT na.id AS nid FROM [node_access} na
    WHERE /* conditions */
    AND (node_field_data_field_relation_name.nid = na.nid) /* node_field_data_field_relation_name.nid from parent query to check if user has permission for that node joined by the EntityReference relation */
 )

If node_field_data_field_relation_name.nid is NULL because the node does not have a relation the whole EXISTS subquery evaluates to false. And as it is combined with the Views filters using AND the whole query filters out all nodes without a relation.

How to reproduce the problem

To reproduce the problem, follow those steps:

• Install a node access module, e. g. node_view_permissions and keep the default configuration
• Create two content types (e. g. blog and page) and add an EntityReference field to one type allowing only nodes of the other type. (Example: the Blog type contains a reference to a page)
  • Create one page and a blog post referencing the page
  • Create a blog post without referencing a page
• Create a view for blog posts and add a relation for the EntityReference field.

Proposed resolution

Change the node_access condition from
node_field_data_field_relation_name.nid = na.nid
to
node_field_data_field_relation_name.nid IS NULL OR node_field_data_field_relation_name.nid = na.nid
if it is not the check for the query base table to not check if the user has permission to view NULL (that does not make sense).