statamic · jasonvarga · Jun 8, 2026 · Jun 8, 2026 · Jun 8, 2026 · Jun 8, 2026
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -32,7 +32,7 @@ jobs:
 
       - name: Get Changelog
         id: changelog
-        uses: statamic/changelog-action@5d112d0d790cdeeb5adca3e584e37edc474ab51b # v1
+        uses: statamic/changelog-action@5d112d0d790cdeeb5adca3e584e37edc474ab51b # v1.0.2
         with:
           version: ${{ github.ref }}
 

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -77,7 +77,7 @@ jobs:
         run: sudo apt-get install language-pack-fr
 
       - name: Setup PHP
-        uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2
+        uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # 2.37.1
         if: steps.should-run-tests.outputs.result == 'true'
         with:
           php-version: ${{ matrix.php }}
@@ -164,7 +164,7 @@ jobs:
       actions: read # required by workflow-conclusion-action to determine overall workflow status
     if: always()
     steps:
-      - uses: technote-space/workflow-conclusion-action@45ce8e0eb155657ab8ccf346ade734257fd196a5 # v3
+      - uses: technote-space/workflow-conclusion-action@45ce8e0eb155657ab8ccf346ade734257fd196a5 # v3.0.3
       - name: Send Slack notification
         uses: slackapi/slack-github-action@45a88b9581bfab2566dc881e2cd66d334e621e2c # v3.0.3
         if: env.WORKFLOW_CONCLUSION == 'failure' && github.event_name == 'schedule'

diff --git a/resources/js/components/entries/PublishForm.vue b/resources/js/components/entries/PublishForm.vue
@@ -457,7 +457,7 @@ export default {
         },
 
         showLivePreviewButton() {
-            return !this.isCreating && this.isBase && this.livePreviewUrl;
+            return !this.readOnly && !this.isCreating && this.isBase && this.livePreviewUrl;
         },
 
         showVisitUrlButton() {

diff --git a/resources/js/components/terms/PublishForm.vue b/resources/js/components/terms/PublishForm.vue
@@ -271,7 +271,7 @@ export default {
         },
 
         showLivePreviewButton() {
-            return !this.isCreating && this.isBase && this.livePreviewUrl && this.showVisitUrlButton;
+            return !this.readOnly && !this.isCreating && this.isBase && this.livePreviewUrl && this.showVisitUrlButton;
         },
 
         showVisitUrlButton() {

diff --git a/src/Http/Controllers/CP/PreviewController.php b/src/Http/Controllers/CP/PreviewController.php
@@ -18,7 +18,7 @@ public function show()
 
     public function edit(Request $request, $_, $data)
     {
-        $this->authorize('view', $data);
+        $this->authorize('update', $data);
 
         $fields = $data->blueprint()
             ->fields()

diff --git a/tests/Feature/Entries/PreviewEntryTest.php b/tests/Feature/Entries/PreviewEntryTest.php
@@ -181,6 +181,33 @@ public function it_sets_live_preview_to_true_if_theres_no_additional_data()
         );
     }
 
+    #[Test]
+    public function it_doesnt_create_a_token_without_edit_permission()
+    {
+        Collection::make('blog')->routes('/blog/{slug}')->save();
+
+        EntryFactory::id('the-entry')
+            ->collection('blog')
+            ->slug('the-existing-entry')
+            ->data(['title' => 'The Existing Entry'])
+            ->create();
+
+        LivePreview::shouldReceive('tokenize')->never();
+
+        $this->setTestRoles(['viewer' => ['access cp', 'view blog entries']]);
+        $user = User::make()->assignRole('viewer')->save();
+
+        $this
+            ->actingAs($user)
+            ->postJson('/cp/collections/blog/entries/the-entry/preview', [
+                'preview' => [
+                    'title' => 'Edited title',
+                    'slug' => 'edited-slug',
+                ],
+            ])
+            ->assertForbidden();
+    }
+
     private function user()
     {
         $this->setTestRoles(['test' => ['access cp', 'create blog entries', 'edit blog entries']]);