Description
For example, org.hippoecm.hst.cmsrest.services.ResourceUtil#getNode does this with the JCR session that comes from the HstRequestContext. In general this is just the plain live session. Thus, for example, DocumentsResource, which is used for the 'view' button in the CMS for a document, does this with the live anonymous HST user. What if the live user is not allowed to read the content? What if there is no live variant? In general this happens to work, because the handle is used. Either way, it is brittle.
In ChannelManager, whenever a save is done, the session is fetched via CmsJcrSessionThreadLocal. This is also brittle, as lots of code uses HstRequestContext.getSession().
Hence, we should get rid of CmsJcrSessionThreadLocal altogether, and make sure that the correct session is returned via the HstRequestContext, whether we are rendering the preview site in the channel manager (with or without security delegation), whether we have a CMS REST call, etc.
Issue Links
- relates to CMS-7844 Pinging the sites should be done with sending the logged in cms user credentials as encrypted header (Closed)