Update resource permission check for DELETE request only

deps/rabbitmq_management/src/rabbit_mgmt_wm_queue.erl

@@ -96,10 +96,15 @@ delete_resource(ReqData, Context = #context{user = #user{username = ActingUser}}
    end.
 
 is_authorized(ReqData, Context) ->
-    VHost = rabbit_mgmt_util:id(vhost, ReqData),
-    QName = rabbit_mgmt_util:id(queue, ReqData),
-    QRes  = rabbit_misc:r(VHost, queue, QName),
-    rabbit_mgmt_util:is_authorized_vhost_and_has_resource_permission(ReqData, Context, QRes, configure).
+    case cowboy_req:method(ReqData) of
+        <<"DELETE">> ->
+            VHost = rabbit_mgmt_util:id(vhost, ReqData),
+            QName = rabbit_mgmt_util:id(queue, ReqData),
+            QRes  = rabbit_misc:r(VHost, queue, QName),
+            rabbit_mgmt_util:is_authorized_vhost_and_has_resource_permission(ReqData, Context, QRes, configure);
+        _ ->
+            rabbit_mgmt_util:is_authorized_vhost(ReqData, Context)
+    end.
 
 %%--------------------------------------------------------------------
 

deps/rabbitmq_web_dispatch/src/rabbit_web_dispatch_access_control.erl

@@ -218,8 +218,7 @@ is_authorized_vhost_and_has_resource_permission(ReqData, Context, Resource, Perm
                   <<"User not authorised to access this resource">>,
                   fun(User) ->
                       try
-                          AuthzData = get_authz_data_as_map(ReqData),
-                          ok =:= rabbit_access_control:check_resource_access(User, Resource, Permission, AuthzData)
+                          ok =:= rabbit_access_control:check_resource_access(User, Resource, Permission, #{})
                       catch
                           exit:Err:_Stacktrace ->
                               #amqp_error{explanation = Msg} = Err,