In the navigation lib, add_front_page_course_essentials(), it is passed a course (which actually in the code is always SITE), but it uses the current page context for permission checks.

This leads to situations where links show up, but the user has no permissions to access them.

The most blatant case is that Notes shows up to teachers in a course under Site pages>Notes, but when they click it they get a broken page (MDL-37377). This shows up in completely stock Moodle install with no config changes.

But the problem can also happen with badges if you don't have moodle/badges:viewbadges set at the site level.