
Entry revision localizations include unauthorized sites #14697

@msuphilipgales

Description


Bug description

Entry create/edit screens build their localizations list through EntriesController::getAuthorizedSitesForCollection(), which filters collection sites to only sites the current user can view.

protected function getAuthorizedSitesForCollection($collection)
{
    return $collection
        ->sites()
        ->filter(fn ($handle) => User::current()->can('view', Site::get($handle)));
}

The entry revision preview endpoint does not use that same filtering. EntryRevisionsController builds localizations directly from every collection site:

'localizations' => $entry->collection()->sites()->map(function ($handle) use ($entry) {

Proposed fix:

- 'localizations' => $entry->collection()->sites()->map(function ($handle) use ($entry) {
+ 'localizations' => $this->getAuthorizedSitesForCollection($entry->collection())->map(function ($handle) use ($entry) {
+ protected function getAuthorizedSitesForCollection($collection)
+ {
+     return $collection
+         ->sites()
+         ->filter(fn ($handle) => User::current()->can('view', Site::get($handle)));
+ }
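Review bot: the second `+` block copies getAuthorizedSitesForCollection() from EntriesController into EntryRevisionsController instead of sharing it, so the two localizations lists can drift apart again; move the helper into a trait or a shared base controller and call it from both controllers. The hunk also carries no file header or context lines, so it is not visible which class the new method lands in; when this becomes a PR, post it as a proper diff with the file path, and add a regression test that, as a user who cannot view one of the collection's sites, requests the revision preview and asserts that site is absent from `localizations`.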

How to reproduce

  1. Enable multisite.
  2. Create a collection available on multiple sites.
  3. Create a user who can view the collection/entry but cannot view every site in the collection.
  4. Enable revisions for the collection.
  5. View an entry revision in the Control Panel.
  6. Inspect the revision preview response.

The localizations array includes all collection sites instead of only sites the user can view.
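As an added illustration of the fix (not Statamic's code), the plain-PHP stand-ins below for Collection, Site, User and the two controllers put the authorization filter in one shared trait so the entry screens and the revision preview cannot disagree again; all names and the sample sites are constructed.

```php
<?php
// Added example, not Statamic's code: constructed stand-ins for Collection, Site and
// User show the fix as one shared trait used by both controllers.

final class Site { public function __construct(public readonly string $handle) {} }

final class User {
    /** @param string[] $viewable handles of sites this user may view (constructed) */
    public function __construct(private array $viewable) {}
    public function can(string $ability, Site $site): bool {
        return $ability === 'view' && in_array($site->handle, $this->viewable, true);
    }
}

final class Collection {
    /** @param string[] $sites */
    public function __construct(private array $sites) {}
    public function sites(): array { return $this->sites; }
}

// One authorization chokepoint, mixed into every controller that emits localizations.
trait FiltersAuthorizedSites {
    protected function getAuthorizedSitesForCollection(Collection $collection, User $user): array {
        return array_values(array_filter(
            $collection->sites(),
            fn (string $handle) => $user->can('view', new Site($handle))
        ));
    }
}

final class EntriesController {
    use FiltersAuthorizedSites;
    public function localizations(Collection $c, User $u): array { return $this->getAuthorizedSitesForCollection($c, $u); }
}

final class EntryRevisionsController {
    use FiltersAuthorizedSites;
    // Before the fix this returned $c->sites() unfiltered, listing sites the user cannot view.
    public function localizations(Collection $c, User $u): array { return $this->getAuthorizedSitesForCollection($c, $u); }
}

// Constructed sample: collection on three sites, user may view only two of them.
$collection = new Collection(['default', 'french', 'german']);
$user = new User(['default', 'french']);

$fromEntries  = (new EntriesController)->localizations($collection, $user);
$fromRevision = (new EntryRevisionsController)->localizations($collection, $user);

// Regression check: both endpoints agree and neither lists the unauthorized site.
if ($fromEntries !== $fromRevision || in_array('german', $fromRevision, true)) {
    throw new RuntimeException('revision preview exposes an unauthorized site');
}
echo 'both endpoints expose: ' . implode(', ', $fromRevision) . PHP_EOL;
```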

Environment

Environment
Laravel Version: 13.9.0
PHP Version: 8.5.5
Composer Version: 2.9.5
Environment: local
Debug Mode: ENABLED
Maintenance Mode: OFF
Timezone: UTC
Locale: en

Cache
Config: NOT CACHED
Events: NOT CACHED
Routes: NOT CACHED
Views: CACHED

Drivers
Broadcasting: log
Cache: file
Database: mariadb
Logs: stack / daily
Mail: log
Queue: database
Session: file

Storage
public/storage: NOT LINKED

Statamic
Addons: 4
License Key: Set
Sites: 1522 (Aardvark, Abbott Group, Abbott, Reichel and Schulist, and 1519 more)
Stache Watcher: Enabled (auto)
Static Caching: Disabled
Version: 6.19.0 PRO

Statamic Addons
ndx/statamic-simple-redirects: 1.1.0
statamic/audit-log: 1.1.0
statamic/collaboration: 2.0.1
statamic/eloquent-driver: 5.8.0

Statamic Eloquent Driver
Addon Settings: file
Asset Containers: eloquent
Assets: eloquent
Blueprints: eloquent
Collection Trees: eloquent
Collections: file
Entries: eloquent
Fieldsets: file
Form Submissions: eloquent
Forms: eloquent
Global Sets: eloquent
Global Variables: eloquent
Navigation Trees: eloquent
Navigations: eloquent
Revisions: eloquent
Sites: eloquent
Taxonomies: eloquent
Terms: eloquent
Tokens: eloquent

Installation

Existing Laravel app

Additional details

No response
