The changes in the following commit in file BaseEditorController.php: https://github.com/collectiveaccess/providence/commit/e68311239d833f61cecf45c86baa17a6628ba2b7
Will indeed block access to an object through URL if the object source doesn't match the user's source (edit or read permissions).
However, if the user has multiple edit/read sources, it will always update the source value to the users default source upon entering the edit screen, neglecting the original value (unintentional). It should ignore the user's default source if the object source is one of the user's sources.
This should be closed as it's solved.