It's easy: just create a design document with a `validate_doc_update` function in the database where you want to manage documents, and have it do something like this:

```javascript
function(newDoc, oldDoc, userCtx, secObj) {
  // Skip server admins (in Admin Party mode they are anonymous but carry the _admin role).
  // Note: roles is an array, so check membership with indexOf, not the `in` operator.
  if (userCtx.roles.indexOf('_admin') !== -1) return;
  // An anonymous user (no name) trying to delete a document gets rejected.
  if (!userCtx.name && newDoc._deleted) {
    throw({'forbidden': 'auth first before delete something'});
  }
}
```
The idea is simple: if `userCtx` does not have a name, the user is anonymous, and if our new version of the document has the special `_deleted` field set to `true`, the document will be deleted (the change has not yet been saved to disk). Therefore, we check these fields and throw a `forbidden` exception if the condition is met. We also make an exception for administrators, who are also anonymous but have the `_admin` role, so we need to skip them. Now any anonymous user who attempts to delete a regular document will receive the following HTTP response:
```
HTTP/1.1 403 Forbidden
Server: CouchDB/1.3.0 (Erlang OTP/R15B03)
Date: Thu, 25 Apr 2013 18:48:51 GMT
Content-Type: application/json
Content-Length: 68
Cache-Control: must-revalidate

{"error":"forbidden","reason":"auth first before delete something"}
```
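As an added example (not code from the answer above), here is the same validation rule together with a small constructed harness that calls it the way CouchDB would, so each case (anonymous delete, anonymous edit, authenticated delete, admin delete) can be checked offline before the design document is deployed. The `tryUpdate` helper and the sample documents and user contexts are constructed for this example.

```javascript
// Validation function as it would be stored in a design document's
// validate_doc_update field. Roles is an array, so membership must be
// tested with indexOf; the `in` operator would only check array indices.
function validateDocUpdate(newDoc, oldDoc, userCtx, secObj) {
  // Server admins are exempt (in Admin Party mode they are anonymous
  // but still carry the _admin role).
  if (userCtx.roles.indexOf('_admin') !== -1) return;
  // Anonymous users have no name: refuse to let them delete.
  if (!userCtx.name && newDoc._deleted) {
    throw { forbidden: 'auth first before delete something' };
  }
}

// Constructed stand-in for CouchDB's handling of the validation result:
// a thrown {forbidden: ...} becomes HTTP 403, {unauthorized: ...} 401,
// and a normal return lets the write through (201 Created).
function tryUpdate(newDoc, oldDoc, userCtx) {
  try {
    validateDocUpdate(newDoc, oldDoc, userCtx, {});
    return 201;
  } catch (e) {
    if (e && e.forbidden) return 403;
    if (e && e.unauthorized) return 401;
    throw e; // anything else is a bug in the validation function
  }
}

// Constructed sample revisions and user contexts.
const existing   = { _id: 'note1', _rev: '1-abc', body: 'hello' };
const edit       = { _id: 'note1', _rev: '1-abc', body: 'edited' };
const deletion   = { _id: 'note1', _rev: '1-abc', _deleted: true };
const anon       = { name: null, roles: [] };
const alice      = { name: 'alice', roles: [] };
const adminParty = { name: null, roles: ['_admin'] };

// Summarise the outcomes so the rule can be eyeballed in one place.
function outcomes() {
  return {
    anonDelete:  tryUpdate(deletion, existing, anon),       // 403
    anonEdit:    tryUpdate(edit, existing, anon),           // 201
    userDelete:  tryUpdate(deletion, existing, alice),      // 201
    adminDelete: tryUpdate(deletion, existing, adminParty), // 201
  };
}
```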