diff --git a/src/Controller/SubscriptionController.php b/src/Controller/SubscriptionController.php
index 279a19219..7ab1f6e62 100644
--- a/src/Controller/SubscriptionController.php
+++ b/src/Controller/SubscriptionController.php
@@ -136,7 +136,9 @@ public function subscribe($entity_type_id, EntityInterface $group, OgMembershipT
       return new RedirectResponse($group->toUrl()->setAbsolute(TRUE)->toString());
     }
 
-    if (!$this->ogAccess->userAccess($group, 'subscribe', $user) && !$this->ogAccess->userAccess($group, 'subscribe without approval', $user)) {
+    $subscribe = $this->ogAccess->userAccess($group, 'subscribe');
+    $subscribe_without_approval = $this->ogAccess->userAccess($group, 'subscribe without approval');
+    if (!$subscribe->isAllowed() && !$subscribe_without_approval->isAllowed()) {
       throw new AccessDeniedHttpException();
     }
 
diff --git a/src/Event/AccessEventBase.php b/src/Event/AccessEventBase.php
index 8723774f1..1eeaf507f 100644
--- a/src/Event/AccessEventBase.php
+++ b/src/Event/AccessEventBase.php
@@ -98,6 +98,8 @@ public function getUser(): AccountInterface {
   public function getAccessResult(): AccessResultInterface {
     $access = $this->access;
 
+    // Enrich the access result object with our cacheability metadata in case it
+    // supports it.
     if ($access instanceof RefinableCacheableDependencyInterface) {
       $access->addCacheableDependency($this);
     }
diff --git a/tests/src/Functional/GroupSubscribeTest.php b/tests/src/Functional/GroupSubscribeTest.php
index 63b1b3295..79d69fd06 100644
--- a/tests/src/Functional/GroupSubscribeTest.php
+++ b/tests/src/Functional/GroupSubscribeTest.php
@@ -62,6 +62,13 @@ class GroupSubscribeTest extends BrowserTestBase {
    */
   protected $group4;
 
+  /**
+   * Test entity group.
+   *
+   * @var \Drupal\node\NodeInterface
+   */
+  protected $group5;
+
   /**
    * A group bundle name.
    *
@@ -76,6 +83,13 @@ class GroupSubscribeTest extends BrowserTestBase {
    */
   protected $groupBundle2;
 
+  /**
+   * A group bundle name.
+   *
+   * @var string
+   */
+  protected $groupBundle3;
+
   /**
    * A membership type bundle name.
    *
@@ -108,6 +122,8 @@ protected function setUp(): void {
     NodeType::create(['type' => $this->groupBundle1])->save();
     $this->groupBundle2 = mb_strtolower($this->randomMachineName());
     NodeType::create(['type' => $this->groupBundle2])->save();
+    $this->groupBundle3 = mb_strtolower($this->randomMachineName());
+    NodeType::create(['type' => $this->groupBundle3])->save();
     $this->nonGroupBundle = mb_strtolower($this->randomMachineName());
     NodeType::create(['type' => $this->nonGroupBundle])->save();
     $this->membershipTypeBundle = mb_strtolower($this->randomMachineName());
@@ -116,11 +132,13 @@ protected function setUp(): void {
     // Define the entities as groups.
     Og::groupTypeManager()->addGroup('node', $this->groupBundle1);
     Og::groupTypeManager()->addGroup('node', $this->groupBundle2);
+    Og::groupTypeManager()->addGroup('node', $this->groupBundle3);
 
     // Create node author user.
     $user = $this->createUser();
 
-    // Create groups.
+    // Create test groups. The first group has the 'subscribe without approval'
+    // permission.
     $this->group1 = Node::create([
       'type' => $this->groupBundle1,
       'title' => $this->randomString(),
@@ -128,6 +146,8 @@ protected function setUp(): void {
     ]);
     $this->group1->save();
 
+    // A group which is using default permissions; it grants the 'subscribe'
+    // permission to non-members.
     $this->group2 = Node::create([
       'type' => $this->groupBundle2,
       'title' => $this->randomString(),
@@ -135,7 +155,7 @@ protected function setUp(): void {
     ]);
     $this->group2->save();
 
-    // Create an unpublished node.
+    // An unpublished group.
     $this->group3 = Node::create([
       'type' => $this->groupBundle1,
       'title' => $this->randomString(),
@@ -152,12 +172,26 @@ protected function setUp(): void {
     ]);
     $this->group4->save();
 
-    $role = OgRole::getRole('node', $this->groupBundle1, OgRoleInterface::ANONYMOUS);
+    // A group which is closed for subscription. It grants neither 'subscribe'
+    // nor 'subscribe without approval'.
+    $this->group5 = Node::create([
+      'type' => $this->groupBundle3,
+      'title' => $this->randomString(),
+      'uid' => $user->id(),
+    ]);
+    $this->group5->save();
 
-    $role
+    // Grant the permission to 'subscribe without approval' to the first group
+    // type.
+    OgRole::getRole('node', $this->groupBundle1, OgRoleInterface::ANONYMOUS)
       ->grantPermission('subscribe without approval')
       ->save();
 
+    // Revoke the permission to subscribe from the third group type.
+    OgRole::getRole('node', $this->groupBundle3, OgRoleInterface::ANONYMOUS)
+      ->revokePermission('subscribe')
+      ->save();
+
     // Create a new membership type.
     $membership_type = OgMembershipType::create([
       'type' => $this->membershipTypeBundle,
@@ -222,6 +256,13 @@ public function testSubscribeAccess() {
         'entity' => $this->group4,
         'code' => 403,
       ],
+
+      // A group which doesn't allow new subscriptions.
+      [
+        'entity' => $this->group5,
+        'code' => 403,
+      ],
+
       // A non existing entity type.
       [
         'entity_type_id' => mb_strtolower($this->randomMachineName()),