In ContentLockController only the update access is checked, which is generally okay and its not a security issue. As the only thing which happens is that no content lock is created. Which then could lead to an issue because you expected it to be created ;)
But this is fixed to:
return $entity->access('update', $account, TRUE);
Now there could be a second form operation, e.g to manage workflow on this node or to manage only some partial fields of the node.
These form operations can have separate permissions.
If a user without "node.update" permission is on the workflow form the content lock module tries to create a lock, which fails as the user doesn't have the "node.update" permission. In this case we do not need to check "node.update" we need to check permission of the form.
The problem is already the edit form. As the form operation is named "edit" the permission for $entity->access() is called "update". So there is no clear way to get from the form operation to the access operation. Or do I miss something here?
Active
2.0
Code
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.
Curious if you are still experiencing this in 8.x-2.x?
The route that uses this access check no longer exists. We do not offer locking via a route via JS anymore due to lots of complex issues. See π Remove the JS route for locking an entity Active