The check to determine whether to add the callback functions for
_users DB operations was only checking the raw database name. When
using the authentication DB on the clustered database this meant
that this check would fail and the callbacks would not be added.

This commit checks the DB name (rather than the shard name) against
the value of chttpd_auth/authentication_db so that shards for
clustered authentication DBs have the appropriate callbacks added.

COUCHDB-2452 1/3

Documents in the authentication DB were being updated directly
from couch_httpd_auth via couch_db:update_doc/3. This meant that
updates to documents with the authentication DB on the clustered
interface (5984) would fail.

This commit makes the auth module responsible for the document
update via a ?MODULE:update_auth_doc/1 function and add
couch_auth_cache:update_auth_doc/1 which proxies to
couch_db:update_doc/3.

COUCHDB-2452 2/3

In order to restrict access to design documents in the
authentication DB to admins only we were checking whether a user
was admin in the couch_server callback. When running the auth DB
on the clustered interface this meant that admins could not read
the design doc because the user context was not being passed to
any of the calls to open the design doc.

One possible fix is to add the user context to all the clustering
code involving design doc access however given the amount of
plumbing here is fairly substantial the chances of getting it wrong
are rather high. The alternative is to move this check into the
http layer where we already have access to the user context.

This commit moves the admin check when accessing design docs in the
auth DB into couch_httpd_db (for the admin port).

A separate commit in couchdb-chttpd adds a similar check for
requests through the clustered port.

COUCHDB-2452 3/3

The chain of orelse statements combined with the indentation was
pretty hard to read. This commit moves the checks into their own
function and uses lists:any (which also shortcircuits).