From 35d71682f63ea3450bb3907c6660cab4c5d3748e Mon Sep 17 00:00:00 2001
From: Shubhendu
Date: Tue, 13 Jun 2023 23:36:17 +0530
Subject: [PATCH] fix: do not allow removal of inbuilt policies unless they are already persisted (#17264)

Dont allow removal of inbuilt policies such as `readwrite, readonly, writeonly and diagnostics`
---
 cmd/iam.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/cmd/iam.go b/cmd/iam.go
index e48ba9b5b..5450ef38e 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -532,6 +532,14 @@ func (sys *IAMSys) DeletePolicy(ctx context.Context, policyName string, notifyPe
 return errServerNotInitialized
 }

+ for _, v := range iampolicy.DefaultPolicies {
+ if v.Name == policyName {
+ if err := checkConfig(ctx, globalObjectAPI, getPolicyDocPath(policyName)); err != nil && err == errConfigNotFound {
+ return fmt.Errorf("inbuilt policy `%s` not allowed to be deleted", policyName)
+ }
+ }
+ }
+
 err := sys.store.DeletePolicy(ctx, policyName)
 if err != nil {
 return err
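Review bot: The new guard on inbuilt policies fails open. In the inner `if`, any checkConfig error other than errConfigNotFound is silently dropped, and the code continues to `sys.store.DeletePolicy`. Since this check is what protects `readwrite`, `readonly`, `writeonly` and `diagnostics`, an indeterminate lookup should stop the delete; add a branch such as `} else if err != nil { return err }`. The `err != nil &&` test is redundant next to `err == errConfigNotFound` and can be dropped. The refusal is a bare `fmt.Errorf`, so callers presumably cannot tell "inbuilt policy, refused" from an internal failure; a package-level sentinel error would let the admin API map it to a clear client error. DeletePolicy's body starts and ends outside this hunk, so how the returned error is handled cannot be seen here.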