I tried to request an object over the REST API v2 as anonymous user with content/read permission.
"errorDescription": "User does not have access to 'versionread' 'content'",
Usually, you don't want to give the anonymous user full versionread permission so i tried it with a versionread permission limited to status/published.
With this permission in place, i got the following response:
"errorMessage": "Not Found",
"errorDescription": "Could not find 'Limitation' with identifier 'Status'",
After removing the limitation, it worked as expected, but the user had also access to the version list of the object (/content/objects/57/versions).
However, i think that a user with the content/read permission should have access to the current published version of an object. Actually, it seems to be impossible to provide the published content of an object to a user, without giving the user the permission to view all object versions.
EZP-21625 ContentService::loadRelations( VersionInfo $versionInfo ) does not check if given VersionInfo is about currently published version