Update to Drupal 8.1.0. For more information, see https://www.drupal.org/drupal-8.1.0-release-notes

core/modules/user/src/UserAccessControlHandler.php

@@ -1,10 +1,5 @@
 <?php
 
-/**
- * @file
- * Contains \Drupal\user\UserAccessControlHandler.
- */
-
 namespace Drupal\user;
 
 use Drupal\Core\Access\AccessResult;
@@ -21,12 +16,26 @@ use Drupal\Core\Session\AccountInterface;
  */
 class UserAccessControlHandler extends EntityAccessControlHandler {
 
+  /**
+   * Allow access to user label.
+   *
+   * @var bool
+   */
+  protected $viewLabelOperation = TRUE;
+
   /**
    * {@inheritdoc}
    */
   protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
     /** @var \Drupal\user\UserInterface $entity*/
 
+    // We don't treat the user label as privileged information, so this check
+    // has to be the first one in order to allow labels for all users to be
+    // viewed, including the special anonymous user.
+    if ($operation === 'view label') {
+      return AccessResult::allowed();
+    }
+
     // The anonymous user's profile can neither be viewed, updated nor deleted.
     if ($entity->isAnonymous()) {
       return AccessResult::forbidden();
@@ -41,7 +50,7 @@ class UserAccessControlHandler extends EntityAccessControlHandler {
       case 'view':
         // Only allow view access if the account is active.
         if ($account->hasPermission('access user profiles') && $entity->isActive()) {
-          return AccessResult::allowed()->cachePerPermissions()->cacheUntilEntityChanges($entity);
+          return AccessResult::allowed()->cachePerPermissions()->addCacheableDependency($entity);
         }
         // Users can view own profiles at all times.
         elseif ($account->id() == $entity->id()) {