Sync Function and shared_bucket_access


I have a Sync Gateway that has shared_bucket_access enabled and import_docs set to continuous. I use the sync function to assign channels to the documents and to authorize write operations.

Documents are inserted/modified/deleted from the backend into the Couchbase bucket directly. Mobile devices use Couchbase Lite to synchronize data.

Most documents are read-only for mobile devices; only a few documents can be changed. In the sync function I check for certain conditions, e.g.:

 if (oldDoc == null) {
    throw({forbidden: "Mobile device cannot create new documents."});
 }

What I do not understand is what happens for documents that are created through the Couchbase server and then imported to the Sync Gateway:
I would expect that the channels are assigned to documents according to the sync function but the access restrictions are ignored. But how does this work if I throw() exceptions in my sync function for certain conditions to restrict writes from mobile devices?

Or to phrase the question differently: how do I differentiate between mobile devices (SG users) and the Couchbase server in the sync function?

Edit 2:
After taking a look at the Sync Gateway source and playing around with it I found the “shouldValidate” bool variable that is available in the sync function. It is set to false if no user exists (which is the case for changes triggered by imported documents from the Couchbase server).
Is my conclusion correct and is it safe to use shouldValidate?

I would not recommend using shouldValidate directly. That’s an internal implementation detail, so there’s no guarantee it won’t change.

The authorization APIs become null operations when in an administrator context (as opposed to an authenticated user session). So one approach is to use something like a non-existent role. Take a look at this post for more: Sync Gateway check if admin call(superuser)
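
The non-existent-role approach from the answer above, as an added example that is not part of the original thread and not Sync Gateway's own code. The role name `__no_such_role__`, the names `syncFn` and `runAs`, and the stubbed `requireRole`/`channel` helpers are assumptions constructed so the sketch runs outside Sync Gateway:

```javascript
// Added example. syncFn is the body you would put in the Sync Gateway config.
// "__no_such_role__" is a hypothetical role name that must never be created.
function syncFn(doc, oldDoc) {
  var userWrite = false;
  try {
    requireRole("__no_such_role__"); // no-op without a user; throws for every real user
  } catch (e) {
    userWrite = true;
  }
  if (userWrite) {
    // Write restrictions apply only to authenticated users (mobile devices).
    if (oldDoc == null) {
      throw({forbidden: "Mobile device cannot create new documents."});
    }
  }
  // Channel assignment runs for imports and user writes alike.
  channel(doc.channels);
}

// Constructed stand-ins for the helpers Sync Gateway injects. They model only the
// behaviour described in the answer: authorization calls do nothing without a user.
let currentUser = null; // null = admin context (e.g. a document imported from the bucket)
let assigned = [];
function requireRole(role) {
  if (currentUser === null) return;
  if (currentUser.roles.indexOf(role) === -1) throw({forbidden: "missing role"});
}
function channel(names) {
  assigned = assigned.concat(names || []);
}

// Hypothetical helper: run syncFn as a given user (or null) and report the outcome.
function runAs(user, doc, oldDoc) {
  currentUser = user;
  assigned = [];
  try {
    syncFn(doc, oldDoc);
    return {ok: true, channels: assigned};
  } catch (e) {
    return {ok: false, reason: e.forbidden};
  }
}

console.log(runAs(null, {channels: ["news"]}, null));
console.log(runAs({name: "alice", roles: []}, {channels: ["news"]}, null));
```

The check holds only as long as the sentinel role is never created or granted; any user holding it would be treated as an admin-context write.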