XWiki Platform: XWIKI-726

"You are not allowed..." sets $doc to the actual document, regardless of the rights


Description

      This is a major security issue, since a user can create a custom skin which outputs $doc.content, and thus can view the contents of a page he would not have access to.

      The proper way of doing this:

      1. if the user has view rights, then $doc, $cdoc and $tdoc should all be set (right now – b2 – $tdoc is not set)
      2. otherwise, $doc, $cdoc and $tdoc should exist, but as shallow copies of the real document, holding only non-relevant information, such as name and web, and phony values for the other fields, like empty content, now() as creation and update dates, 1.1 as the version, etc.
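The two branches above, as an added example that is not code from the XWiki project or from the issue reporter. It is a self-contained model, not XWiki's real API: `DocumentView`, `RightService`, `ContextDocuments` and `SafeDocumentBinding` are hypothetical names, and the sample document and user set are constructed for the demo. The point it shows is that the rights check happens before the real document object is bound, so a skin that prints `$doc.content` gets an empty string for a user without view rights, and that a failing rights check is treated as a denial rather than falling through to the real document.

```java
import java.util.Date;
import java.util.Set;

// Hypothetical model of rights-aware $doc/$cdoc/$tdoc binding (not XWiki's code).
public final class SafeDocumentBinding {

    /** The fields a skin can print through $doc.<field>. */
    public static final class DocumentView {
        public final String web, name, content, version;
        public final Date creationDate, updateDate;

        public DocumentView(String web, String name, String content, String version,
                            Date creationDate, Date updateDate) {
            this.web = web; this.name = name; this.content = content;
            this.version = version; this.creationDate = creationDate; this.updateDate = updateDate;
        }

        /** Shallow placeholder: only web and name are real; every other field is phony. */
        public static DocumentView placeholder(String web, String name) {
            Date now = new Date();
            return new DocumentView(web, name, "", "1.1", now, now);
        }
    }

    /** Rights oracle; in XWiki this role is played by the right service. */
    public interface RightService {
        boolean hasViewRight(String user, String web, String name);
    }

    /** The three bindings a skin sees. */
    public static final class ContextDocuments {
        public final DocumentView doc, cdoc, tdoc;
        ContextDocuments(DocumentView doc, DocumentView cdoc, DocumentView tdoc) {
            this.doc = doc; this.cdoc = cdoc; this.tdoc = tdoc;
        }
    }

    private final RightService rights;

    public SafeDocumentBinding(RightService rights) { this.rights = rights; }

    /**
     * Bind $doc, $cdoc and $tdoc for the given user. The check runs before the real
     * objects are exposed; an exception from the rights check counts as a denial.
     */
    public ContextDocuments bind(String user, DocumentView real, DocumentView translated) {
        boolean allowed;
        try {
            allowed = rights.hasViewRight(user, real.web, real.name);
        } catch (RuntimeException e) {
            allowed = false; // fail closed
        }
        if (allowed) {
            return new ContextDocuments(real, real, translated); // all three set
        }
        DocumentView p = DocumentView.placeholder(real.web, real.name);
        return new ContextDocuments(p, p, p); // same shape, no sensitive fields
    }

    public static void main(String[] args) {
        // Constructed sample: only "Alice" may view Main.Secret.
        Set<String> readers = Set.of("Alice");
        RightService rs = (user, web, name) -> readers.contains(user);
        SafeDocumentBinding binder = new SafeDocumentBinding(rs);

        Date created = new Date(0L);
        DocumentView secret = new DocumentView("Main", "Secret", "the secret content", "3.2", created, created);
        DocumentView secretFr = new DocumentView("Main", "Secret", "le contenu secret", "3.2", created, created);

        // A malicious custom skin does the equivalent of printing $doc.content and $tdoc.content.
        for (String user : new String[] {"Alice", "Mallory"}) {
            ContextDocuments ctx = binder.bind(user, secret, secretFr);
            System.out.println(user + ": $doc.content=\"" + ctx.doc.content
                + "\" $doc.version=" + ctx.doc.version
                + " $tdoc.content=\"" + ctx.tdoc.content + "\"");
        }
    }
}
```

Running `main` prints the real content and version 3.2 for Alice and an empty content with version 1.1 for Mallory, for `$doc` and `$tdoc` alike. The placeholder keeps the same class and field set as the real document on purpose, so existing skins and templates that reference `$doc.name` or `$doc.web` keep working without leaking anything.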

People

sdumitriu Sergiu Dumitriu