Sorry to drag on about this, but I have another problem with the readeracl branch.
As far as I can tell, it's impossible to test in validate_doc_update whether the user is listed in the database-level _admins resource. Example: $ curl http://brianadmin:[email protected]:5984/briantest/_admins {"names":["brianadmin"],"roles":[]} $ curl -X PUT -d'{"validate_doc_update":"function(newDoc,oldDoc,userCtx,secObj) {if (userCtx.roles.indexOf(\"_admin\") == -1) {throw {unauthorized: \"You are not an admin\"+toJSON(userCtx)};}}"}' 'http://brianadmin:[email protected]:5984/briantest/_design/testadmin' {"ok":true,"id":"_design/testadmin","rev":"1-3a33960e65f156773478f357aaf67471"} $ curl -X PUT -d "{}" http://brianadmin:[email protected]:5984/briantest/foo {"error":"unauthorized","reason":"You are not an admin{\"db\":\"briantest\",\"name\":\"brianadmin\",\"roles\":[]}"} That is, the "_admin" role is only visible here if you are a server-wide admin, not if you are a database-level admin. As a result, if you want database-level admins to have any special privileges with regards to updating documents, you have to list them again in the _security document. I don't think this is clear in the security_validation.js test, because it uses X-Couch-Test-Auth, which gives _admin role when not logged in as any particular user. So T(db.setDbProperty("_security", {admin_override : true}).ok); T(db.save(doc).ok); only works because the _admin role is set here, not because the user is in _admins. Regards, Brian.
