ReferenceAccessConstraintValidator check is broken for existing entities

Created on 4 April 2019
Updated 6 September 2025

Problem/Motivation

Users get violation errors when trying to add a file to a field that already contains files they do not have access to. This could be the case with anonymous users, as they may only have access to files they have uploaded themselves.

Details

\Drupal\Core\Entity\Plugin\Validation\Constraint\ReferenceAccessConstraintValidator::validate is supposed to check whether you have view access to entities being added to an entity reference and is used by ImageItem and FileItem.

The logic is that existing references are skipped, but new references have their access checked. However, I believe there are two bugs in the code:

  1. The code assumes $referenced_entities is keyed by entity ID, but it is actually keyed by delta
  2. The code checks whether the existing referenced entity is in the array of existing referenced entities, when it should check whether the value being validated is in the array

The combination of both of these bugs means I do not believe this is a security risk, as it will only affect validating existing references, which this check is supposed to ignore entirely.

Specifically the bugs are in:

        $referenced_entities = $existing_entity->{$value->getFieldDefinition()->getName()}->referencedEntities();
        // Check permission if we are not already referencing the entity.
        foreach ($referenced_entities as $ref) {
          if (isset($referenced_entities[$ref->id()])) {

$referenced_entities is keyed by delta, not by entity ID, so checking $referenced_entities[$ref->id()] is the wrong thing to do here.

We are supposed to be checking whether $id (the item we're validating) is in the list. However, we're checking whether $ref->id() is in the list, which (aside from the above bug) would always be the case, as we've retrieved it from the list one line above.
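To make the two bugs concrete, here is an added example that is not Drupal core code and not part of the original issue: a minimal stand-in for the loop in ReferenceAccessConstraintValidator::validate() that decides whether the referenced entity's view access must be checked. The StubEntity class, the two helper functions and the sample ID lists are assumptions made for illustration; referencedEntities() really does return an array keyed by field item delta, which is what the buggy version indexes by entity ID.

```php
<?php
// Added example, not Drupal core code. StubEntity stands in for a loaded
// file entity; only id() is needed here.
final class StubEntity {
  public function __construct(private int $id) {}

  public function id(): int {
    return $this->id;
  }
}

// The logic core runs today: $referenced_entities is the delta-keyed array
// returned by referencedEntities(), yet it is indexed by entity ID, and the
// value being validated ($id) is never consulted at all.
function shouldCheckPermissionBuggy(array $referenced_entities, int $id): bool {
  $check_permission = TRUE;
  foreach ($referenced_entities as $ref) {
    if (isset($referenced_entities[$ref->id()])) {
      $check_permission = FALSE;
      break;
    }
  }
  return $check_permission;
}

// What the comment "Check permission if we are not already referencing the
// entity" describes: skip the access check only when $id is already among
// the references stored on the unchanged entity (hypothetical fix, written
// for this example).
function shouldCheckPermissionIntended(array $referenced_entities, int $id): bool {
  foreach ($referenced_entities as $ref) {
    if ($ref->id() === $id) {
      return FALSE;
    }
  }
  return TRUE;
}

function describe(string $label, array $referenced_entities, int $id): void {
  printf(
    "%s: validating target_id %d -> buggy checks access: %s, intended checks access: %s\n",
    $label,
    $id,
    shouldCheckPermissionBuggy($referenced_entities, $id) ? 'yes' : 'no',
    shouldCheckPermissionIntended($referenced_entities, $id) ? 'yes' : 'no'
  );
}

// Constructed data: the saved entity already references files 5 and 12,
// stored at deltas 0 and 1.
$existing = [0 => new StubEntity(5), 1 => new StubEntity(12)];

// Re-validating an already stored reference (file 12) versus validating a
// reference that is being newly added (file 99).
describe('existing reference', $existing, 12);
describe('new reference', $existing, 99);

// Constructed data: the saved entity references files 1 and 7. Delta 1 exists,
// so isset($referenced_entities[1]) is true for the reference whose ID is 1.
$coincidence = [0 => new StubEntity(1), 1 => new StubEntity(7)];
describe('delta/ID coincidence', $coincidence, 99);
```

Run it with `php example.php`. In the first data set neither 5 nor 12 is a delta key, so the buggy loop never skips and access is checked for file 12 even though it is already referenced; that is the violation users hit when they lack view access to an existing file. In the second data set the outcome of the buggy loop is decided entirely by the coincidence between the delta keys and the existing IDs, with the target_id under validation playing no part, which is why the summary says the check is comparing the wrong things in both places. The intended version skips only when the validated ID is already in the list.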

πŸ› Bug report
Status

Needs work

Version

11.0

Component

typed data system

Created by

United Kingdom andrewbelcher

  • Novice

    It would make a good project for someone who is new to the Drupal contribution process. It's preferred over Newbie.

  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

  • Needs issue summary update

    Issue summaries save everyone time if they are kept up-to-date. See Update issue summary task instructions.

