From a2c5ad0faf975462791d28c9f508877623a38a6f Mon Sep 17 00:00:00 2001
From: 7y-9 <121850020+7y-9@users.noreply.github.com>
Date: Mon, 19 Feb 2024 16:38:05 +0800
Subject: [PATCH] fix: only admin auth can delete S3 bucket (#5312)

---
 weed/s3api/s3api_server.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/weed/s3api/s3api_server.go b/weed/s3api/s3api_server.go
index 30e2e6bb6..40783ea73 100644
--- a/weed/s3api/s3api_server.go
+++ b/weed/s3api/s3api_server.go
@@ -239,7 +239,7 @@ func (s3a *S3ApiServer) registerRouter(router *mux.Router) {
  // PutBucket
  bucket.Methods("PUT").HandlerFunc(track(s3a.PutBucketHandler, "PUT"))
  // DeleteBucket
- bucket.Methods("DELETE").HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.DeleteBucketHandler, ACTION_WRITE)), "DELETE"))
+ bucket.Methods("DELETE").HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.DeleteBucketHandler, ACTION_ADMIN)), "DELETE"))
 
  // ListObjectsV1 (Legacy)
  bucket.Methods("GET").HandlerFunc(track(s3a.Auth(withAcl(s3a.cb.Limit, s3a.ListObjectsV1Handler, ACTION_LIST)), "LIST"))
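Review bot: The DeleteBucket route now requires ACTION_ADMIN, but nothing at the registration explains why, and the PutBucket route two lines above is still registered as `track(s3a.PutBucketHandler, "PUT")` with no `s3a.iam.Auth` wrapper at the router level. PutBucketHandler may enforce its own permission check, but that is not visible in this hunk, so the create/delete asymmetry should be either confirmed as intended or aligned. I would extend the route comment to `// DeleteBucket: destructive, requires ACTION_ADMIN; identities holding only ACTION_WRITE can no longer delete buckets`. Because this changes who is authorized, a regression test asserting that a write-only identity is rejected on DELETE bucket would keep the route from drifting back, and operators whose automation deletes buckets with write-scoped credentials need a release note. registerRouter begins and ends outside the hunk.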