Restrict User Roles for Viewing Unpublished Documents
Users logged into the CMS as siteuser are able to see unpublished documents. The preview/unpublished document should be visible only if users are logged in as a CMS user in the channel manager (previewuser).
Some code or configuration setting may be fetching all documents instead of only unpublished ones when the user is logged into the CMS.
If any part of the code in the CMS-Bean class uses casting, that casting can be removed.
If the mount is marked as a preview mount, the preview/unpublished document might be returned even if users are logged in as a site user (siteuser).
In version 14, go to cms/console:
Select a node from the top menu.
Choose: Node > View Permissions
Type in liveuser in the box and click on Find user.
This lists the roles/domains assigned to liveuser. The default project gives these results:
Calling ctx.getSession().getUserID() would provide information on which session/user is used. More information on this can be found here.
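One way to check the two points above together, the preview mount and the session user, is a small diagnostic component. This is an added example, not code from the original page or from the product: SessionAuditComponent is a hypothetical name, and it assumes the preview session user is called previewuser, as on this page.

```java
import javax.jcr.RepositoryException;

import org.hippoecm.hst.component.support.bean.BaseHstComponent;
import org.hippoecm.hst.configuration.hosting.Mount;
import org.hippoecm.hst.core.component.HstComponentException;
import org.hippoecm.hst.core.component.HstRequest;
import org.hippoecm.hst.core.component.HstResponse;
import org.hippoecm.hst.core.request.HstRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Hypothetical diagnostic component: records which JCR user serves each request. */
public class SessionAuditComponent extends BaseHstComponent {

    private static final Logger log = LoggerFactory.getLogger(SessionAuditComponent.class);

    // Assumption: the preview session user has the name used on this page.
    private static final String EXPECTED_PREVIEW_USER = "previewuser";

    @Override
    public void doBeforeRender(HstRequest request, HstResponse response) throws HstComponentException {
        super.doBeforeRender(request, response);

        HstRequestContext ctx = request.getRequestContext();
        Mount mount = ctx.getResolvedMount().getMount();
        try {
            // The user ID of the JCR session that reads the documents for this request.
            String userId = ctx.getSession().getUserID();
            log.info("mount={} mountIsPreview={} requestIsPreview={} sessionUser={}",
                    mount.getName(), mount.isPreview(), ctx.isPreview(), userId);

            // A mount marked as preview returns unpublished variants to every visitor of that mount.
            if (mount.isPreview()) {
                log.warn("Mount '{}' is marked as preview; unpublished documents are served here",
                        mount.getName());
            }
            // Preview credentials on a non-preview request expose unpublished content on the live site.
            if (EXPECTED_PREVIEW_USER.equals(userId) && !ctx.isPreview()) {
                log.warn("Live request on mount '{}' is using the preview session user '{}'",
                        mount.getName(), userId);
            }
        } catch (RepositoryException e) {
            log.error("Could not obtain the JCR session for this request", e);
        }
    }
}
```

Use it temporarily as the component class of a page that shows the problem, then compare the logged sessionUser with the roles/domains shown under View Permissions in the console.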