When publishing a content using the PAPI, an access check is done in content service on version publish. This check is redundant, as it's already done during draft creation time.

Anyway, the call to repository->canUser method in repository->publishVersion() is missing the target argument, which is required for Some Limitations especially Parent*Limitation Types:

To reproduce the issue assign a role with content/create policy that have a limitation with ParentContentType or ParentOwnerLimitation. Then try to publish a content with the corresponding user. You will end with "User does not have access to 'create' 'content'" error