Upgrading to 1.7.1 is important since CVE-2017-12635 is a serious hole. However, there exists an interim way. The design doc below just rejects .roles dupes. You can check it by putting it into any other db first and trying to put a new doc like {"roles":[],"roles":[1]}. If the validator is OK, the rejection reason is ‘You can't hack roles’.

{
  "_id": "_design/X12635",
  "language": "erlang",
  "validate_doc_update": "fun ({NewDoc}, OldDoc, UserCtx, SecObj)->\n\t%% Covers CVE-2017-12635\n\tRoles = proplists:lookup_all(<<\"roles\">>, NewDoc),\n\tcase length(Roles) < 2 of\n\t\ttrue -> ok;\n\t\tfalse -> throw({[{<<\"forbidden\">>, <<\"You can't hack roles, sorry\">>}]})\n\tend,\n\t1\nend."
}

Since the ability to save JSON with a double entry of the .roles array is key to the 12635 vulnerability, the ddoc seems to fix it, if put into the /_users bucket. Nothing comes without a price: you need to set native_query_servers / erlang = {couch_native_process, start_link, []} in the DB config. Since enabling Erlang might affect security, each case should be carefully assessed. Although this trick is acceptable if you are postponing the upgrade to 1.7.1 for reasons not under your control, I highly recommend upgrading as soon as possible.

ermouth
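
The same duplicate-key test as the design doc, written as a stand-alone Python check that could run on raw request bodies before they reach the database or over captured bodies during an audit. This is an added example, not code from the original post or from CouchDB; the names `Props`, `parse_keeping_duplicates`, `lookup_all`, `check_roles` and `last_wins_roles` are hypothetical, and the sample bodies are constructed.

```python
import json

FORBIDDEN = "You can't hack roles, sorry"  # reason thrown by the design doc


class Props(list):
    """A JSON object kept as ordered (key, value) pairs, like an Erlang proplist."""


def parse_keeping_duplicates(raw):
    # object_pairs_hook receives every pair in source order, so a repeated key
    # survives here instead of being collapsed into a dict.
    return json.loads(raw, object_pairs_hook=Props)


def lookup_all(props, key):
    # Counterpart of proplists:lookup_all/2: every value stored under `key`.
    return [v for k, v in props if k == key]


def check_roles(raw):
    """Return (True, None) when the body passes, else (False, reason)."""
    try:
        doc = parse_keeping_duplicates(raw)
    except ValueError:  # json.JSONDecodeError is a ValueError
        return False, "invalid JSON"
    if not isinstance(doc, Props):
        return False, "document must be a JSON object"
    # Only top-level keys count, as in the validator's lookup on NewDoc.
    if len(lookup_all(doc, "roles")) < 2:
        return True, None
    return False, FORBIDDEN


def last_wins_roles(raw):
    # A plain dict keeps only the last duplicate, which hides the first value.
    return json.loads(raw).get("roles")


# Constructed sample bodies; the second is the test document from the post.
SAMPLES = [
    '{"name": "bob", "roles": []}',
    '{"roles":[],"roles":[1]}',
    '{"name": "bob", "roles": [], "profile": {"roles": ["x"]}}',
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(check_roles(body), last_wins_roles(body), body)
```

The second sample shows why the check has to see every pair: a last-wins parser reports only `[1]` for `roles`, while the pair list still holds both entries.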