According to new docs, AccessControl now uses deny rule by default (whitelisting).
Here’s the funny thing: if I have explicitly defined ‘allow’ => false at the end of the rules array, everything works as expected.
But if I’m not - AccessRule::allows() will return NULL instead of FALSE so no denyCallback() will be fired (because of triple === in AccessControl::beforeAction). This causes blank screen instead of 403.
I wonder if it is by design.