Preview does not show the latest saved content for a custom backoffice user type in Umbraco 17

IcDaan · May 11, 2026, 12:41pm

Hi everyone,

I’ve created a custom user type in Umbraco that can only view content in the backoffice. This user does not have save permissions, but because they are logged in, they can still open a preview URL.

The problem is that this user does not seem to see the most up-to-date version of the latest saved content. I’ve tested this on several websites in Umbraco 17, and it appears to happen consistently.

Has anyone else experienced this?

Could it be that the preview functionality only works properly when the user also has save and preview permissions together?

Any insights would be appreciated.

IcDaan · May 11, 2026, 12:43pm

Here are some screenshot that provide more information about the custom type:

justin-nevitech · May 11, 2026, 2:41pm

Hi @IcDaan

What you’re seeing is by design rather than an Umbraco 17 regression. The Preview button doesn’t just open a URL - it first fires an autosave of the current draft via the Management API, then sets the UMB_PREVIEW cookie and opens the preview tab. The page you then see is rendered from the latest saved draft.

A user without Update permission can’t trigger that autosave, so step 1 is silently denied. Steps 2 and 3 still happen, which is why preview opens but shows whatever was last saved by someone who did have save rights. From the user’s perspective it looks stale, but preview is doing exactly what it always does - they just can’t be the one to commit the draft.

A few ways to handle it depending on what you actually want that user to be able to do:

If they genuinely only need to see draft content, give them Update on the nodes in question but no Publish. Update is the minimum for the autosave-then-preview flow to work end to end.
If they must stay strictly read-only, the cleaner UX is to hide the Preview button for that group altogether via a UI extension / condition, so it doesn’t appear to work but mislead. A button that silently shows stale state is worse than no button.

Justin

IcDaan · May 12, 2026, 8:15am

Thanks for the explanation, but I think I might be missing something. The viewer (read-only user) isn’t making any changes or clicking Preview themselves, they don’t have permission for that. The editor sends them a direct Preview URL, and they just want to see Editor A’s latest draft there, not the published version.

Why does accessing that Preview URL still require Update permission? I’m lookin for a way to give read-only users a way to view the latest draft. Without them beeing able to update or save drafts.

When hiding the preview button how do does that change the issue i’m having? They still need to access the most recent draft version.

ShekharTarare · May 12, 2026, 8:55am

Hi @IcDaan ,

When the read-only user opens that shared URL, they still don’t see the latest draft.

It seems like Umbraco’s core rendering pipeline ties access to the unpublished draft state directly to the Update permission, not just the UI action. If they only have Read access, the system denies them the draft view and falls back to an older state.

I noticed there’s a GitHub issue (#22797) raised by you for this exact Umbraco 17 behavior, so it looks like a known architectural limitation right now rather than just a UI quirk.

Since native Umbraco blocks this, it looks like the only real solution is either building a custom token-based endpoint to bypass the backoffice auth checks entirely (similar to what the TruePeople SharePreview package does), or giving the group Update rights and using Bellissima extensions to hide the save buttons.

I dug into this a bit more and found a few official resources that prove this is a core architectural rule, not just a UI issue. Here is what I found:

1. Umbraco Workflow’s “Offline Approval” is a paid feature for this exact problem If you look at the docs for Approval Groups (Approval Groups | Workflow 13.latest (LTS) | Umbraco Documentation), Umbraco HQ sells a licensed, paid feature to handle this. The docs say: “By enabling Offline Approval, all email notifications sent to the group members will include a personalized link to a preview page… It is not possible to edit the content from the offline approval view.” If standard preview URLs worked for read-only users, they wouldn’t need to build and sell a custom tokenized link system just for this use case.

2. Content Delivery API Documentation The headless API docs (Content Delivery API | CMS | Umbraco Documentation) back up this security philosophy. Under the Preview section, it explicitly states: “Accessing unpublished versions of your content nodes requires authorization via an API key.” This shows the core system treats draft data as strictly protected. A basic backoffice Read permission just isn’t enough to query the unpublished database cache.

3. Stack Overflow Precedent This isn’t a new Umbraco 17 bug; the permission architecture has worked this way for years. There’s an older Stack Overflow thread (https://stackoverflow.com/questions/49488545/umbraco-using-preview-functionality-with-user-who-doesnt-have-access-to-conte) dealing with the exact same thing. The accepted explanation there is: “There’s not really a fix for this one, as it’s correctly applying the permissions to the preview functionality… another option would be to write your own custom preview function.”

So it looks like the Update requirement is deeply baked into how Umbraco protects unpublished states. We definitely can’t do this natively without writing custom routing or buying a paid add-on.

Hope it helps!

justin-nevitech · May 12, 2026, 9:21am

Hi @IcDaan

I assumed you were clicking preview from the back-office, not sharing a back-office URL, so I maybe misunderstood your original issue.

As @ShekharTarare says, it is most likely a bug (or possibly by design) so could be worth you raising on the Umbraco issue tracker.

Most likely, Umbraco is still checking for write permissions before allowing the content to be previewed by a user with read-only permissions.

Also, there is a cookie set in the user’s browser when they click Save and Preview which puts them into Preview mode, so sharing the preview URL is not going to set that cookie on the read-only user’s device. They would need to also be in preview mode before they can see preview content. Can you confirm if they are in preview mode already or not?

Justin

IcDaan · May 12, 2026, 12:01pm

hi @justin-nevitech and @ShekharTarare ,

Thank you both for helping me with my question. As you both pointed out, I believe this is a design choice, read-only users are not able to view draft versions of content.

I think the easiest solution is to give users the “Writes” role, or to use the paid Umbraco Workflow package.

I’ve raised an issue on Github, but I will close it and reference this topic for others who encounter the same problem in the future.

Thanks again for your help.

Daan