From cfbf6f968855057a16d98eb71b0752ee3e89a7da Mon Sep 17 00:00:00 2001
From: Duncan McClean <duncan@duncanmcclean.com>
Date: Thu, 19 Mar 2026 12:03:44 +0000
Subject: [PATCH 1/4] Add authorization to entry revision routes

---
 .../CP/Collections/EntryRevisionsController.php      | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/Http/Controllers/CP/Collections/EntryRevisionsController.php b/src/Http/Controllers/CP/Collections/EntryRevisionsController.php
index c1ef85e20f1..f64445f0a5d 100644
--- a/src/Http/Controllers/CP/Collections/EntryRevisionsController.php
+++ b/src/Http/Controllers/CP/Collections/EntryRevisionsController.php
@@ -12,6 +12,10 @@ class EntryRevisionsController extends CpController
 {
     public function index(Request $request, $collection, $entry)
     {
+        if (User::current()->cant('view', $entry)) {
+            abort(403);
+        }
+
         $revisions = $entry
             ->revisions()
             ->reverse()
@@ -39,6 +43,10 @@ public function index(Request $request, $collection, $entry)
 
     public function store(Request $request, $collection, $entry)
     {
+        if (User::current()->cant('edit', $entry)) {
+            abort(403);
+        }
+
         $entry->createRevision([
             'message' => $request->message,
             'user' => User::fromUser($request->user()),
@@ -49,6 +57,10 @@ public function store(Request $request, $collection, $entry)
 
     public function show(Request $request, $collection, $entry, $revision)
     {
+        if (User::current()->cant('view', $entry)) {
+            abort(403);
+        }
+
         $entry = $entry->makeFromRevision($revision);
 
         // TODO: Most of this is duplicated with EntriesController@edit. DRY it off.

From 8295a3852aa447b755fd3f48d6a9213de16281a1 Mon Sep 17 00:00:00 2001
From: Duncan McClean <duncan@duncanmcclean.com>
Date: Thu, 19 Mar 2026 13:30:02 +0000
Subject: [PATCH 2/4] tests

---
 tests/Feature/Entries/EntryRevisionsTest.php | 45 +++++++++++++++++++-
 1 file changed, 44 insertions(+), 1 deletion(-)

diff --git a/tests/Feature/Entries/EntryRevisionsTest.php b/tests/Feature/Entries/EntryRevisionsTest.php
index d9d032ead25..c7c66735a9e 100644
--- a/tests/Feature/Entries/EntryRevisionsTest.php
+++ b/tests/Feature/Entries/EntryRevisionsTest.php
@@ -46,7 +46,7 @@ public function it_gets_revisions()
         $now = Carbon::parse('2017-02-03');
         Carbon::setTestNow($now);
         $this->setTestBlueprint('test', ['foo' => ['type' => 'text']]);
-        $this->setTestRoles(['test' => ['access cp', 'publish blog entries']]);
+        $this->setTestRoles(['test' => ['access cp', 'view blog entries', 'publish blog entries']]);
         $user = User::make()->id('user-1')->assignRole('test')->save();
 
         $entry = EntryFactory::id('1')
@@ -97,6 +97,49 @@ public function it_gets_revisions()
             ->assertJsonPath('1.revisions.1.attributes.item_url', 'http://localhost/cp/collections/blog/entries/1/revisions/'.Carbon::parse('2017-02-03')->timestamp);
     }
 
+    #[Test]
+    public function it_denies_access_to_revisions_without_permission_to_view_entry()
+    {
+        $now = Carbon::parse('2017-02-03');
+        Carbon::setTestNow($now);
+        $this->setTestBlueprint('test', ['foo' => ['type' => 'text']]);
+        $this->setTestRoles(['test' => ['access cp']]);
+        $user = User::make()->id('user-1')->assignRole('test')->save();
+
+        $entry = EntryFactory::id('1')
+            ->slug('test')
+            ->collection('blog')
+            ->published(true)
+            ->date('2010-12-25')
+            ->data([
+                'blueprint' => 'test',
+                'title' => 'Original title',
+                'foo' => 'bar',
+            ])->create();
+
+        tap($entry->makeRevision(), function ($copy) {
+            $copy->message('Revision one');
+            $copy->date(Carbon::parse('2017-02-01'));
+        })->save();
+
+        tap($entry->makeRevision(), function ($copy) {
+            $copy->message('Revision two');
+            $copy->date(Carbon::parse('2017-02-03'));
+        })->save();
+
+        tap($entry->makeWorkingCopy(), function ($copy) {
+            $attrs = $copy->attributes();
+            $attrs['data']['title'] = 'Title modified in working copy';
+            $attrs['data']['foo'] = 'baz';
+            $copy->attributes($attrs);
+        })->save();
+
+        $this
+            ->actingAs($user)
+            ->get($entry->revisionsUrl())
+            ->assertForbidden();
+    }
+
     #[Test]
     public function it_publishes_an_entry()
     {

From b32126fee0bee1dcc63c3319a9aa7c0fba54fa47 Mon Sep 17 00:00:00 2001
From: Duncan McClean <duncan@duncanmcclean.com>
Date: Thu, 19 Mar 2026 13:45:53 +0000
Subject: [PATCH 3/4] abort from unused term revision routes

---
 .../Controllers/CP/Taxonomies/TermRevisionsController.php   | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/Http/Controllers/CP/Taxonomies/TermRevisionsController.php b/src/Http/Controllers/CP/Taxonomies/TermRevisionsController.php
index dafc0af0488..41543f1ef26 100644
--- a/src/Http/Controllers/CP/Taxonomies/TermRevisionsController.php
+++ b/src/Http/Controllers/CP/Taxonomies/TermRevisionsController.php
@@ -12,6 +12,8 @@ class TermRevisionsController extends CpController
 {
     public function index(Request $request, $taxonomy, $term)
     {
+        abort(403);
+
         $revisions = $term
             ->revisions()
             ->reverse()
@@ -34,6 +36,8 @@ public function index(Request $request, $taxonomy, $term)
 
     public function store(Request $request, $taxonomy, $term)
     {
+        abort(403);
+
         $term->createRevision([
             'message' => $request->message,
             'user' => User::fromUser($request->user()),
@@ -44,6 +48,8 @@ public function store(Request $request, $taxonomy, $term)
 
     public function show(Request $request, $taxonomy, $term, $site, $revision)
     {
+        abort(403);
+
         $term = $term->makeFromRevision($revision);
 
         // TODO: Most of this is duplicated with EntriesController@edit. DRY it off.

From f0e3611fcdd1f6a1240e73430a1f26e6477c0262 Mon Sep 17 00:00:00 2001
From: Jason Varga <jason@pixelfear.com>
Date: Thu, 19 Mar 2026 19:57:36 -0400
Subject: [PATCH 4/4] Remove unused term revision controllers, routes, and
 commented-out UI

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 resources/js/components/terms/PublishForm.vue |  39 ------
 routes/cp.php                                 |   8 --
 .../RestoreTermRevisionController.php         |  26 ----
 .../CP/Taxonomies/TermRevisionsController.php | 124 ------------------
 4 files changed, 197 deletions(-)
 delete mode 100644 src/Http/Controllers/CP/Taxonomies/RestoreTermRevisionController.php
 delete mode 100644 src/Http/Controllers/CP/Taxonomies/TermRevisionsController.php

diff --git a/resources/js/components/terms/PublishForm.vue b/resources/js/components/terms/PublishForm.vue
index 9adebbd8013..81208100f4b 100644
--- a/resources/js/components/terms/PublishForm.vue
+++ b/resources/js/components/terms/PublishForm.vue
@@ -131,45 +131,6 @@
                                     </div>
                                 </div>
 
-                                <!--
-                                TODO
-                                <div class="flex items-center border-t justify-between px-4 py-2" v-if="!revisionsEnabled">
-                                    <label v-text="__('Published')" class="publish-field-label font-medium" />
-                                    <toggle-input v-model="published" />
-                                </div>
-
-                                <div class="border-t p-4" v-if="revisionsEnabled">
-                                    <label class="publish-field-label font-medium mb-2" v-text="__('Revisions')"/>
-                                    <div class="mb-1 flex items-center" v-if="published">
-                                        <span class="text-green-600 w-6 text-center">&check;</span>
-                                        <span class="text-2xs" v-text="__('Entry has a published version')"></span>
-                                    </div>
-                                    <div class="mb-1 flex items-center" v-else="published">
-                                        <span class="text-orange w-6 text-center">!</span>
-                                        <span class="text-2xs" v-text="__('Entry has not been published')"></span>
-                                    </div>
-                                    <div class="mb-1 flex items-center" v-if="isWorkingCopy && isDirty">
-                                        <span class="text-orange w-6 text-center">!</span>
-                                        <span class="text-2xs" v-text="__('Working copy has unsaved changes')"></span>
-                                    </div>
-                                    <div class="mb-1 flex items-center" v-else-if="isWorkingCopy">
-                                        <span class="text-orange w-6 text-center">!</span>
-                                        <span class="text-2xs" v-text="__('Entry has unpublished changes')"></span>
-                                    </div>
-                                    <div class="mb-1 flex items-center" v-if="!isWorkingCopy && published">
-                                        <span class="text-green-600 w-6 text-center">&check;</span>
-                                        <span class="text-2xs" v-text="__('This is the published version')"></span>
-                                    </div>
-                                    <button
-                                            class="flex items-center justify-center mt-4 btn-flat px-2 w-full"
-                                            v-if="!isCreating && revisionsEnabled"
-                                            @click="showRevisionHistory = true">
-                                            <svg-icon name="history" class="h-4 w-4 rtl:ml-2 ltr:mr-2" />
-                                            <span>{{ __('View History') }}</span>
-                                        </button>
-                                </div>
-                                -->
-
                                 <div class="p-4 border-t dark:border-dark-900" v-if="localizations.length > 1">
                                     <label class="publish-field-label font-medium mb-2" v-text="__('Sites')" />
                                     <div
diff --git a/routes/cp.php b/routes/cp.php
index 15c26304afc..dbc6601d612 100644
--- a/routes/cp.php
+++ b/routes/cp.php
@@ -83,12 +83,10 @@
 use Statamic\Http\Controllers\CP\StartPageController;
 use Statamic\Http\Controllers\CP\Taxonomies\PublishedTermsController;
 use Statamic\Http\Controllers\CP\Taxonomies\ReorderTaxonomyBlueprintsController;
-use Statamic\Http\Controllers\CP\Taxonomies\RestoreTermRevisionController;
 use Statamic\Http\Controllers\CP\Taxonomies\TaxonomiesController;
 use Statamic\Http\Controllers\CP\Taxonomies\TaxonomyBlueprintsController;
 use Statamic\Http\Controllers\CP\Taxonomies\TermActionController;
 use Statamic\Http\Controllers\CP\Taxonomies\TermPreviewController;
-use Statamic\Http\Controllers\CP\Taxonomies\TermRevisionsController;
 use Statamic\Http\Controllers\CP\Taxonomies\TermsController;
 use Statamic\Http\Controllers\CP\Updater\UpdateProductController;
 use Statamic\Http\Controllers\CP\Updater\UpdaterController;
@@ -202,12 +200,6 @@
             Route::post('/', [PublishedTermsController::class, 'store'])->name('taxonomies.terms.published.store');
             Route::delete('/', [PublishedTermsController::class, 'destroy'])->name('taxonomies.terms.published.destroy');
 
-            Route::resource('revisions', TermRevisionsController::class, [
-                'as' => 'taxonomies.terms',
-                'only' => ['index', 'store', 'show'],
-            ]);
-
-            Route::post('restore-revision', RestoreTermRevisionController::class)->name('taxonomies.terms.restore-revision');
             Route::post('preview', [TermPreviewController::class, 'edit'])->name('taxonomies.terms.preview.edit');
             Route::get('preview', [TermPreviewController::class, 'show'])->name('taxonomies.terms.preview.popout');
             Route::patch('/', [TermsController::class, 'update'])->name('taxonomies.terms.update');
diff --git a/src/Http/Controllers/CP/Taxonomies/RestoreTermRevisionController.php b/src/Http/Controllers/CP/Taxonomies/RestoreTermRevisionController.php
deleted file mode 100644
index 35290002784..00000000000
--- a/src/Http/Controllers/CP/Taxonomies/RestoreTermRevisionController.php
+++ /dev/null
@@ -1,26 +0,0 @@
-<?php
-
-namespace Statamic\Http\Controllers\CP\Taxonomies;
-
-use Illuminate\Http\Request;
-use Statamic\Http\Controllers\CP\CpController;
-use Statamic\Revisions\WorkingCopy;
-
-class RestoreTermRevisionController extends CpController
-{
-    public function __invoke(Request $request, $collection, $entry)
-    {
-        if (! $target = $entry->revision($request->revision)) {
-            dd('no such revision', $request->revision);
-            // todo: handle invalid revision reference
-        }
-
-        if ($entry->published()) {
-            WorkingCopy::fromRevision($target)->date(now())->save();
-        } else {
-            $entry->makeFromRevision($target)->published(false)->save();
-        }
-
-        session()->flash('success', __('Revision restored'));
-    }
-}
diff --git a/src/Http/Controllers/CP/Taxonomies/TermRevisionsController.php b/src/Http/Controllers/CP/Taxonomies/TermRevisionsController.php
deleted file mode 100644
index 41543f1ef26..00000000000
--- a/src/Http/Controllers/CP/Taxonomies/TermRevisionsController.php
+++ /dev/null
@@ -1,124 +0,0 @@
-<?php
-
-namespace Statamic\Http\Controllers\CP\Taxonomies;
-
-use Illuminate\Http\Request;
-use Statamic\Facades\Site;
-use Statamic\Facades\User;
-use Statamic\Http\Controllers\CP\CpController;
-use Statamic\Http\Resources\CP\Taxonomies\Term as TermResource;
-
-class TermRevisionsController extends CpController
-{
-    public function index(Request $request, $taxonomy, $term)
-    {
-        abort(403);
-
-        $revisions = $term
-            ->revisions()
-            ->reverse()
-            ->prepend($this->workingCopy($term))
-            ->filter();
-
-        // The first non manually created revision would be considered the "current"
-        // version. It's what corresponds to what's in the content directory.
-        optional($revisions->first(function ($revision) {
-            return $revision->action() != 'revision';
-        }))->attribute('current', true);
-
-        return $revisions
-            ->groupBy(function ($revision) {
-                return $revision->date()->clone()->startOfDay()->format('U');
-            })->map(function ($revisions, $day) {
-                return compact('day', 'revisions');
-            })->reverse()->values();
-    }
-
-    public function store(Request $request, $taxonomy, $term)
-    {
-        abort(403);
-
-        $term->createRevision([
-            'message' => $request->message,
-            'user' => User::fromUser($request->user()),
-        ]);
-
-        return new TermResource($term);
-    }
-
-    public function show(Request $request, $taxonomy, $term, $site, $revision)
-    {
-        abort(403);
-
-        $term = $term->makeFromRevision($revision);
-
-        // TODO: Most of this is duplicated with EntriesController@edit. DRY it off.
-
-        $blueprint = $term->blueprint();
-
-        $fields = $blueprint
-            ->fields()
-            ->addValues($term->data())
-            ->preProcess();
-
-        $values = array_merge($fields->values()->all(), [
-            'title' => $term->get('title'),
-            'slug' => $term->slug(),
-        ]);
-
-        return [
-            'title' => $term->value('title'),
-            'editing' => true,
-            'actions' => [
-                'save' => $term->updateUrl(),
-                'publish' => $term->publishUrl(),
-                'unpublish' => $term->unpublishUrl(),
-                'revisions' => $term->revisionsUrl(),
-                'restore' => $term->restoreRevisionUrl(),
-                'createRevision' => $term->createRevisionUrl(),
-            ],
-            'values' => $values,
-            'meta' => $fields->meta(),
-            'taxonomy' => $this->taxonomyToArray($term->taxonomy()),
-            'blueprint' => $blueprint->toPublishArray(),
-            'readOnly' => User::fromUser($request->user())->cant('edit', $term),
-            'published' => $term->published(),
-            'locale' => $term->locale(),
-            'localizations' => $term->taxonomy()->sites()->map(function ($handle) use ($term) {
-                $localized = $term->in($handle);
-                $exists = $localized !== null;
-
-                return [
-                    'handle' => $handle,
-                    'name' => Site::get($handle)->name(),
-                    'active' => $handle === $term->locale(),
-                    'exists' => $exists,
-                    'root' => $exists ? $localized->isRoot() : false,
-                    'origin' => $exists ? $localized->id() === optional($term->origin())->id() : null,
-                    'published' => $exists ? $localized->published() : false,
-                    'url' => $exists ? $localized->editUrl() : null,
-                ];
-            })->all(),
-        ];
-    }
-
-    protected function workingCopy($term)
-    {
-        if ($term->published()) {
-            return $term->workingCopy();
-        }
-
-        return $term
-            ->makeWorkingCopy()
-            ->date($term->lastModified())
-            ->user($term->lastModifiedBy());
-    }
-
-    protected function taxonomyToArray($taxonomy)
-    {
-        return [
-            'title' => $taxonomy->title(),
-            'url' => cp_route('taxonomies.show', $taxonomy->handle()),
-        ];
-    }
-}