An authz error for a batch in a bulk operation will make the whole batch fail and throw an exception if using write commands.

The expected behavior is to report the error correctly and finish execution as is done for write or writeConcern errors.

Problem number 2 is that unordered operations behaves like ordered and not all permitted actions are actually being executed. In the example below we do the following with permissions to do insert but not remove.

insert({a:1})
insert({a:2})
remove({a:1})
insert({a:3})

but only the two first inserts are being acknowledged.

Please note that this only occurs if the shell is run in --write-mode commands or equivalently smoke.py is invoked with --use-write-commands. The actual shell error is

2014-03-05T15:32:06.976-0500 Error: batch failed, cannot aggregate results: not authorized on test to execute command { delete: "bulk_api_auth_failure_cases", deletes: [ { q: { a: 1.0 }, limit: 1.0 } ], ordered: false, writeConcern: { w: 1.0 } } at src/mongo/shell/bulk_api.js:696

Note: Previously users were required to call getLastError to check and there was no exception generated. In most other languages this is not the same behavior because getLastError was not suggested since writes took a write-concern (either via a default set at the client/db/collection level).