How do I prevent logged in user access to @@historyview in Plone-5.X?

Is there a permission I can remove from a role so that the user cannot access @@historyview for Dexterity content types? I have tried "View History", "ATContentTypes: View history" and "CMFEditions: Access previous versions". The last one prevents the 'History' link from appearing on most by lines, but still leaves the "History" button in the toolbar.

The installed products on my site are:

• Content-types (plone.app.contenttypes) 1.2.16
• Dexterity versioning support 1.2.8

Thanks.

I noted the same issue recently on Plone 5.0.6.

Know that:

• View History is an old Zope2 permission not used by Plone in any way
• ATContentTypes: View history was the proper permission (and this permission was working as expected) but for old ATCT/Plone 4 types.

Dexterity content types is not using a proper permission for this anymore.

First: the access to the history view is public (you can call /@@historyview on any accessible content as anonymous). This view call another subview (@@contenthistory) which is public but someway not callable.

Luckily information you'll see in the history view are protected. The fullHistory of the content is composed by two history sets:

• workflow history, which is protected by permission Request review or Review portal content
• content revision history, which is protected by CMFEditions: Access previous versions permission

Let's recap:

• to let links disappear from Plone UI you must probably change permissions somewhere
• to let the @@historyview not accessible you need to override it with new a permission
• ...but you still need to take care of permissions needed for accessing history sets.