From 745a7e40a6894e9b909c7defcca263e95279ff51 Mon Sep 17 00:00:00 2001
From: Chris Lu <chris.lu@gmail.com>
Date: Wed, 28 Jan 2026 19:42:08 -0800
Subject: [PATCH] s3tables: improve bucket policy error handling in
 DeleteTableBucket

Explicitly handle ErrAttributeNotFound vs other errors when fetching bucket policy.
Return errors for non-expected failures to prevent masking filer issues and
ensure correct authorization decisions.
---
 weed/s3api/s3tables/handler_bucket_get_list_delete.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/weed/s3api/s3tables/handler_bucket_get_list_delete.go b/weed/s3api/s3tables/handler_bucket_get_list_delete.go
index 18d2eb716..327834667 100644
--- a/weed/s3api/s3tables/handler_bucket_get_list_delete.go
+++ b/weed/s3api/s3tables/handler_bucket_get_list_delete.go
@@ -257,7 +257,13 @@ func (h *S3TablesHandler) handleDeleteTableBucket(w http.ResponseWriter, r *http
 
 		// Fetch bucket policy if it exists
 		policyData, err := h.getExtendedAttribute(r.Context(), client, bucketPath, ExtendedKeyPolicy)
-		if err == nil {
+		if err != nil {
+			if errors.Is(err, ErrAttributeNotFound) {
+				// No bucket policy set; proceed with empty bucketPolicy
+			} else {
+				return fmt.Errorf("failed to fetch bucket policy: %w", err)
+			}
+		} else {
 			bucketPolicy = string(policyData)
 		}