fix: crash observed for anonymous deletes from UI (#9107)

cmd/web-handlers.go

@@ -690,6 +690,17 @@ next:
 				}
 			}
 			if authErr == errNoAuthToken {
+				// Check if object is allowed to be deleted anonymously
+				if !globalPolicySys.IsAllowed(policy.Args{
+					Action:          policy.DeleteObjectAction,
+					BucketName:      args.BucketName,
+					ConditionValues: getConditionValues(r, "", "", nil),
+					IsOwner:         false,
+					ObjectName:      objectName,
+				}) {
+					return toJSONError(ctx, errAccessDenied)
+				}
+
 				// Check if object is allowed to be deleted anonymously
 				if globalPolicySys.IsAllowed(policy.Args{
 					Action:          policy.BypassGovernanceRetentionAction,
@@ -710,6 +721,18 @@ next:
 			continue
 		}
 
+		if authErr == errNoAuthToken {
+			// Check if object is allowed to be deleted anonymously
+			if !globalPolicySys.IsAllowed(policy.Args{
+				Action:          iampolicy.DeleteObjectAction,
+				BucketName:      args.BucketName,
+				ConditionValues: getConditionValues(r, "", "", nil),
+				IsOwner:         false,
+				ObjectName:      objectName,
+			}) {
+				return toJSONError(ctx, errAccessDenied)
+			}
+		} else {
 			if !globalIAMSys.IsAllowed(iampolicy.Args{
 				AccountName:     claims.AccessKey,
 				Action:          iampolicy.DeleteObjectAction,
@@ -721,6 +744,7 @@ next:
 			}) {
 				return toJSONError(ctx, errAccessDenied)
 			}
+		}
 
 		// For directories, list the contents recursively and remove.
 		marker := ""