The code you pasted is not from the wiki. My guess is that this is your code? I don't see a problem with the wiki search engine; if it isReadAccessChecked(), the access will be restricted.
In any case, you should look at CVS.
You are correct, the code above is not exactly the code from the wiki, but is based on a similar implementation. We think we have found the source of the problem.
If the FilteredQueries are not implemented correctly and I pass multiple entities to createFullTextQuery, my EntityManager will return everything regardless of access level.
If the FilteredQueries are not implemented correctly and I pass a single entity to createFullTextQuery, FullTextQuery will return results, but the EntityManager will apply the access level filtering.
We found that our FilteredQuery is not working, so we replaced it with TermQuery. However, we would like to know why the above scenario has happened; my guess is that if FullTextQuery returns records of different entities, the EntityManager is unable to filter them.