Is there a permission I can remove from a role so that the user cannot access @@historyview for Dexterity content types? I have tried "View History", "ATContentTypes: View history" and "CMFEditions: Access previous versions". The last one prevents the 'History' link from appearing on most bylines, but still leaves the "History" button in the toolbar.
The installed products on my site are:
Thanks.
I noted the same issue recently on Plone 5.0.6.
Know that:
- "View History" is an old Zope2 permission not used by Plone in any way
- "ATContentTypes: View history" was the proper permission (and this permission was working as expected) but for old ATCT/Plone 4 types.

Dexterity content types are not using a proper permission for this anymore.
First: the access to the history view is public (you can call /@@historyview on any accessible content as anonymous). This view calls another subview (@@contenthistory) which is public but somehow not callable.
Luckily, the information you'll see in the history view is protected.
The fullHistory of the content is composed of two history sets:
- Request review or Review portal content
- CMFEditions: Access previous versions permission

Let's recap:
@@historyview not accessible you need to override it with a new permission
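
The override mentioned in the recap, sketched as ZCML. This is an added example, not part of the original posts and not Plone's own code. The package name example.policy and the permission id and title are hypothetical, and the stock view class path and its zope2.View permission are assumptions to check against the installed plone.app.layout.

```xml
<!-- overrides.zcml of a hypothetical add-on package "example.policy".
     It must be loaded as an override (includeOverrides or
     z3c.autoinclude), otherwise the duplicate registration is a
     configuration conflict instead of a replacement. -->
<configure
    xmlns="http://namespaces.zope.org/zope"
    xmlns:browser="http://namespaces.zope.org/browser">

  <!-- New permission (hypothetical id and title). This declaration can
       also live in the package's configure.zcml. Map it to roles in the
       add-on's rolemap.xml so only the intended roles hold it. -->
  <permission
      id="example.policy.ViewContentHistory"
      title="example.policy: View content history"
      />

  <!-- Same "for" and "name" as the stock registration, so this one
       replaces it. Assumption: the stock view class is
       plone.app.layout.viewlets.content.HistoryByLineView and it is
       registered with permission="zope2.View", which is why anonymous
       users can call /@@historyview on any content they can view. -->
  <browser:page
      for="*"
      name="historyview"
      class="plone.app.layout.viewlets.content.HistoryByLineView"
      permission="example.policy.ViewContentHistory"
      />

</configure>
```

After a restart, requesting /@@historyview as anonymous on a published item should no longer render the view; if it still does, the override was not loaded or the discriminators do not match the stock registration.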