You are right, it is confusing. Please see the 0.11 "breaking" changes for more information.
Per-document read control is not possible; the readers
field is for access to the entire DB. For more information, load your database in Futon and click the Security...
link at the top.
The reason read control is not possible is because views (map and reduce) can draw information from all documents in the database, so it is generally impossible to prevent users from seeing private data in some form.
For detailed access control, you have two major choices:
- Have an application between your users and the DB. 99% of web applications using MySQL do this already (e.g. Ruby on Rails). Keep ACL information in the DB and your application grants/rejects access based on the ACL.
- Keep a dedicated database per user. You may have to modify your architecture but maybe not. You can use replication with a filter to copy only a user's data into his database. Then he reads from his database and writes to the central database.