Tags: api, headless, apostrophe, apostrophe-cms, next.js

Is there a way to make published filter a 'safeFilter'


I am working with a deployment of Apostrophe-Headless and Next.js. Everything is working like a dream, but I'm currently trying to set up a staging environment and would like to display unpublished items on that stage. I've seen the documentation for published=any and it works when I am logged in, but when my application calls the API on the server-side, the unpublished items do not get returned. I'm assuming it's because the server isn't logged in. I've been digging around for quite a bit and I've noticed some mention of a safeFilter Array, but it doesn't seem to affect published. I'd hate to have to filter on another "published-like" variable when this one already exists.


Solution

  • In order to see unpublished content you need to have editing privileges for that content. This is the definition of "unpublished" in Apostrophe.

    I think this actually makes sense because if someone isn't allowed to edit they probably shouldn't be allowed to see things that aren't for the public to see yet, either.

    If you were to fetch this information using a headless API key for the content type in question, you'd see it, but you'd also have editing privileges.

    Marking the filter safe doesn't matter because Apostrophe's security model still applies at all times — the final MongoDB query will include the user's request for the filter, but it will also include a restriction on unpublished content since the user isn't permitted to see it. This is generally a good thing.

    So if you are using "unpublished" to mean something else, like "not interesting enough for the regular output but maybe interesting to some people," then I think it is actually a good idea to introduce a different way of representing that information.

    If you're reading this answer and thinking "but I'm not creating a public API here, this is just for my privileged application that should have the same privileges I do," then an API key or a bearer token is what you want:

    https://www.npmjs.com/package/apostrophe-headless#building-apps-without-apostrophe-ui-bearer-tokens-and-api-keys
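The following is an added example, not code from the answer above or from the apostrophe-headless project, of what the answer recommends: a Next.js server-side fetch that sends `published=any` together with an API key so the server has the editing privileges the filter requires. It assumes Apostrophe 2.x with apostrophe-headless, a piece type exposed at `/api/v1/articles`, and the names `APOS_BASE_URL`, `APOS_API_KEY` and `STAGE` for the environment variables (all assumptions).

```javascript
// Added example; assumes apostrophe-headless on Apostrophe 2.x and a piece type
// routed at /api/v1/articles. Environment variable names are assumptions.
// The API key carries editing privileges, so it stays server-side only
// (no NEXT_PUBLIC_ prefix) and published=any is only requested on staging.

function buildHeadlessRequest({ baseUrl, pieceType, stage, apiKey }) {
  const url = new URL(`/api/v1/${pieceType}`, baseUrl);
  const headers = { Accept: 'application/json' };
  if (stage === 'staging') {
    if (!apiKey) {
      // Without credentials Apostrophe would silently drop unpublished items;
      // fail loudly instead so a misconfigured stage is noticed.
      throw new Error('published=any requires an API key; refusing unauthenticated request');
    }
    url.searchParams.set('published', 'any');
    // apostrophe-headless documents the key in the Authorization header
    // (an "apikey" query parameter is the alternative form).
    headers.Authorization = `ApiKey ${apiKey}`;
  }
  return { url: url.toString(), headers };
}

// fetchImpl is injectable so the call can be exercised without a live CMS.
async function fetchPieces(opts, fetchImpl = fetch) {
  const { url, headers } = buildHeadlessRequest(opts);
  const res = await fetchImpl(url, { headers });
  if (!res.ok) throw new Error(`headless API returned ${res.status}`);
  return res.json();
}

// Next.js data fetching that runs only on the server, so the key never
// reaches the browser bundle.
async function getServerSideProps() {
  const data = await fetchPieces({
    baseUrl: process.env.APOS_BASE_URL || 'http://localhost:3000',
    pieceType: 'articles',
    stage: process.env.STAGE || 'production',
    apiKey: process.env.APOS_API_KEY,
  });
  // apostrophe-headless returns the matching pieces in a "results" array.
  return { props: { articles: data.results || [] } };
}
```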