user_access() should not depend on Drupal::request()->attributes->get('account')


After the patch from #1890878: Add modular authentication system, including Http Basic; deprecate global $user got in, we introduced:

  if (!isset($account)) {
    // In the installer request session is not set, so we have to fall back
    // to the global $user. In all other cases the session key is preferred.
    $account = Drupal::request()->attributes->get('account') ?: $user;
  }

This is pretty bad because if you have an 'account' parameter in your route (for example /user/{account}/contact), a simple user_access('some permission') won't work as expected. You would expect the global user to be checked when you do not pass the account argument to user_access(), but it will check the account from the path instead.
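
The collision described above, modelled as a self-contained PHP sketch (an added example, not Drupal core code). `$attributes` stands in for the request attributes, accounts are plain arrays, and the `_authenticated_account` key and both function names are hypothetical.

```php
<?php
// Constructed model of the lookup quoted in the issue; not Drupal core code.
// $attributes stands in for Drupal::request()->attributes.

function has_permission(array $account, string $permission): bool {
  return in_array($permission, $account['permissions'], true);
}

// Same fallback as the snippet in the issue: the 'account' attribute wins over $user.
function user_access_shared_key(string $permission, array $attributes, array $user, ?array $account = null): bool {
  if (!isset($account)) {
    $account = ($attributes['account'] ?? null) ?: $user;
  }
  return has_permission($account, $permission);
}

// Hypothetical alternative: the authenticated account lives under a key that
// is assumed never to be used as a route placeholder.
function user_access_reserved_key(string $permission, array $attributes, array $user, ?array $account = null): bool {
  if (!isset($account)) {
    $account = ($attributes['_authenticated_account'] ?? null) ?: $user;
  }
  return has_permission($account, $permission);
}

// Constructed sample data: the visitor requesting /user/{account}/contact and
// the profile owner that the {account} placeholder resolves to.
$visitor = ['name' => 'visitor', 'permissions' => ['access content']];
$owner = ['name' => 'owner', 'permissions' => ['access content', 'administer users']];

// Authentication stores the visitor; the route parameter then lands on the
// same 'account' key, which is the situation the issue reports.
$attributes = ['account' => $visitor, '_authenticated_account' => $visitor];
$attributes['account'] = $owner;

// The caller means "may the current user do this?" and passes no account.
var_dump(user_access_shared_key('administer users', $attributes, $visitor));   // evaluated against the owner
var_dump(user_access_reserved_key('administer users', $attributes, $visitor)); // evaluated against the visitor
// Passing the account explicitly is unambiguous with either lookup.
var_dump(user_access_shared_key('administer users', $attributes, $visitor, $visitor));
```

With the shared key, the permission check silently answers for the account named in the path, so the result can be wrong in either direction depending on which account holds the permission.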

