Troubleshooting Tips
If you are running a URL rewriter (or an error handler), you need to give the ReadsStuff role to the nobody user or whichever user is the default user for your app server. When the URL rewriter executes, the request has not yet been authenticated, so it runs as the default user. The default user is nobody unless you have specified a different default for your app server. The best practice is to create another role, for example my-app-user and add an execute permission for the URL rewriter and your error handler (if any) for the my-app-user role. This is better because you do not want the nobody user to have access to your database.