A developer sets up a dedicated staging machine on an intranet/lan. Ie access is restricted by physical access, either to the machine, or the lan.
Users, or editors, may still need an account, (set up by a developer) and for ultimate safely the machine can be made to listen on localhost only. Ie a normal developer machine, and only that machine may be used to edit the content.
The developers reviews changes, if branches are used merges, and deploys. Ie the developer always deploys.
