Issue
Users logged into CMS as siteuser are able to see unpublished documents. The preview/unpublished document should be visible only if users are logged in as a CMS user in the channel manager (previewuser).
Possible Reasons
- There could be some code or configuration settings which are fetching all documents instead of only unpublished ones when the user is logged into CMS.
Possible Solution
- If there is any part of the code in the CMS-Bean class which uses casting, that can be removed.
- If the mount is marked as a preview mount, then the preview/unpublished document might be returned even if users are logged in as a site user (siteuser).
- In version 14, go to cms/console:
  - Select a node from the top menu.
  - Choose: Node > View Permissions
  - Type in liveuser in the box and click on Find user.

  This will give the roles/domains assigned to liveuser; the default project gives these results:
Alternative Solution:
Calling ctx.getSession().getUserID() would provide information on which session/user is used. More information on this can be found here.
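
A diagnostic along the lines of the alternative solution, as an added example that is not code from the original page or from the project: an HST component that logs the user ID of the JCR session next to the preview state of the mount and request, and warns when the two disagree. The class name `SessionUserDiagnosticComponent` is hypothetical, and `previewuser` is assumed to be the account that serves preview content, as named in the issue description.

```java
import javax.jcr.RepositoryException;
import javax.jcr.Session;

import org.hippoecm.hst.component.support.bean.BaseHstComponent;
import org.hippoecm.hst.configuration.hosting.Mount;
import org.hippoecm.hst.core.component.HstComponentException;
import org.hippoecm.hst.core.component.HstRequest;
import org.hippoecm.hst.core.component.HstResponse;
import org.hippoecm.hst.core.request.HstRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Hypothetical diagnostic component; attach it to a page that shows the problem.
public class SessionUserDiagnosticComponent extends BaseHstComponent {

    private static final Logger log =
            LoggerFactory.getLogger(SessionUserDiagnosticComponent.class);

    // Assumption: account name taken from the issue description above.
    private static final String PREVIEW_USER = "previewuser";

    @Override
    public void doBeforeRender(HstRequest request, HstResponse response)
            throws HstComponentException {
        super.doBeforeRender(request, response);
        HstRequestContext ctx = request.getRequestContext();
        try {
            // The JCR session decides which document variants can be read.
            Session session = ctx.getSession();
            String userId = session.getUserID();

            Mount mount = ctx.getResolvedMount().getMount();
            boolean preview = mount.isPreview() || ctx.isPreview();

            log.info("mount={} type={} previewMount={} previewRequest={} sessionUser={}",
                    mount.getName(), mount.getType(), mount.isPreview(),
                    ctx.isPreview(), userId);

            // Flag both mismatches: a preview session on a non-preview request
            // (unpublished content can leak) and the reverse.
            if (preview != PREVIEW_USER.equals(userId)) {
                log.warn("Preview state ({}) does not match session user '{}' on mount '{}'",
                        preview, userId, mount.getName());
            }
        } catch (RepositoryException e) {
            throw new HstComponentException("Could not obtain the JCR session", e);
        }
    }
}
```

A warning for a site visitor's request points at the mount configuration or at code that obtains a different session than the one the request context provides.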