diff --git a/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/Base_getZODBHistoryList.py b/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/Base_getZODBHistoryList.py
index bf17f9ee6f343cbd2b88036286544fe24ba112c3..e768f4a06e17c4cddc7f0f99239a3f95599adecd 100644
--- a/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/Base_getZODBHistoryList.py
+++ b/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/Base_getZODBHistoryList.py
@@ -1,7 +1,12 @@
+from AccessControl import getSecurityManager
+from zExceptions import Unauthorized
 from Products.ERP5Type.Document import newTempBase
 portal = context.getPortalObject()
 result = []
 
+if not getSecurityManager().getUser().has_permission('View History', context):
+  raise Unauthorized()
+
 def beautifyChange(change_dict):
   return ["%s:%s" % (k,change_dict[k]) for k in sorted(change_dict.keys())]
 
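Review bot: The guard `if not getSecurityManager().getUser().has_permission('View History', context):` runs only after `portal` and `result` are already bound, and `raise Unauthorized()` carries no message, so a denied request leaves no hint in the log or response about which permission was missing. Consider moving the check to the top of the script and using the security manager's own API with a message, `if not getSecurityManager().checkPermission('View History', context):` followed by `raise Unauthorized('View History permission is required')`. This script only produces the listing; the form `Base_viewZODBHistory` that the new test calls is not touched by this commit, so its protection presumably depends on it invoking this script — worth confirming. The script body continues past the hunk.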
diff --git a/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/Base_viewHistory/your_zodb_history.xml b/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/Base_viewHistory/your_zodb_history.xml
index 7b2fefd9596ae04cbc30a45ebc33e544dbb7ed80..4b2f4bb5a412e7211e23b28334db2b4e4318085d 100644
--- a/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/Base_viewHistory/your_zodb_history.xml
+++ b/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/Base_viewHistory/your_zodb_history.xml
@@ -164,7 +164,9 @@
                 </item>
                 <item>
                     <key> <string>enabled</string> </key>
-                    <value> <string></string> </value>
+                    <value>
+                      <persistent> <string encoding="base64">AAAAAAAAAAM=</string> </persistent>
+                    </value>
                 </item>
                 <item>
                     <key> <string>external_validator</string> </key>
@@ -178,6 +180,10 @@
                     <key> <string>hidden</string> </key>
                     <value> <string></string> </value>
                 </item>
+                <item>
+                    <key> <string>input_type</string> </key>
+                    <value> <string></string> </value>
+                </item>
                 <item>
                     <key> <string>link_type</string> </key>
                     <value> <string></string> </value>
@@ -312,4 +318,17 @@
       </dictionary>
     </pickle>
   </record>
+  <record id="3" aka="AAAAAAAAAAM=">
+    <pickle>
+      <global name="TALESMethod" module="Products.Formulator.TALESField"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>_text</string> </key>
+            <value> <string>python: modules[\'AccessControl\'].getSecurityManager().getUser().has_permission(\'View History\', context)</string> </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
 </ZopeData>
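Review bot: The `enabled` expression added in record 3 is a display condition that hides the `your_zodb_history` link, not an access check, so the 'View History' permission still has to be enforced by the script the link leads to (as the first file in this commit does) rather than by this form. The expression reaches the security manager through `modules['AccessControl']`, which only works where that module is exposed to restricted code; the equivalent `python: context.portal_membership.checkPermission('View History', context)` avoids the module lookup and is the idiom commonly used in ERP5 form TALES. Either way, the intent deserves a note in the field so the next maintainer does not mistake the hidden link for the protection itself.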
diff --git a/product/ERP5/tests/testZODBHistory.py b/product/ERP5/tests/testZODBHistory.py
index 0a27c6812c9c79f6a4eda2da6217747878bcfac0..30f4c1a1629ce850749a66de4ff7af3d8b1fa6bc 100644
--- a/product/ERP5/tests/testZODBHistory.py
+++ b/product/ERP5/tests/testZODBHistory.py
@@ -122,6 +122,29 @@ class TestZODBHistory(ERP5TypeTestCase):
     # should be: create(1) + edit(60) = 61
     self.assertEqual(len(history_list), 61)
 
+  def test_testZODBHistorySecurity(self):
+    """
+     Make sure ZODB History is not available when user does not have "View History" permission.
+    """
+    self.loginByUserName('tatuya')
+    document = self.addOrganisation('document')
+
+    # by default, users have a link to view ZODB history in history tab
+    self.assertIn(
+        'your_zodb_history',
+        [field.getId() for field in document.Base_viewHistory.get_fields()])
+
+    # when user does not have "View History" permission, the link is not displayed
+    document.manage_permission('View History', [], 0)
+    self.assertNotIn(
+        'your_zodb_history',
+        [field.getId() for field in document.Base_viewHistory.get_fields()])
+
+    # accessing the form directly is not allowed either
+    from zExceptions import Unauthorized
+    self.assertRaises(Unauthorized, document.Base_viewZODBHistory)
+
+
 def test_suite():
   suite = unittest.TestSuite()
   suite.addTest(unittest.makeSuite(TestZODBHistory))
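Review bot: The new test asserts `Unauthorized` only on `document.Base_viewZODBHistory`, not on `Base_getZODBHistoryList` where this commit actually adds the permission check, so a later change that makes the form stop calling that script would leave the listing reachable while the test still passes; add `self.assertRaises(Unauthorized, document.Base_getZODBHistoryList)` next to the existing assertion. The positive case is also untested: nothing verifies that a user who still holds 'View History' after `manage_permission('View History', [], 0)` (for example a Manager) can still retrieve the history. The local `from zExceptions import Unauthorized` belongs with the module-level imports. The opening assertion relies on user `tatuya` holding 'View History' on a fresh organisation, which comes from fixtures outside this hunk; the enclosing class `TestZODBHistory` starts before the hunk and `test_suite` continues past it.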