We are using the RuleBasedAuthorization plugin. We are using the
collection-admin-edit permission to secure the collections API.
What I have found is that if I try to, say, create or delete a
collection using a GET request I am prompted to authenticate as
If I try the same operation using a POST request, it lets me straight
through and I can delete collections without authenticating.
I emailed Noble Paul directly about this initially and he has confirmed this as a bug.
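A regression check for the method-dependent behaviour reported above, as an added example that is not part of the original message and is not Solr code. It sends the same request without credentials under each HTTP method and lists the methods that were not rejected. The stub server, its path and its status codes are constructed for the illustration.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Constructed stand-in for the reported behaviour: credentials are demanded
# on GET only. The path and status codes are assumptions, not Solr output.
class MethodGatedStub(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="stub"')
        self.end_headers()

    def do_POST(self):
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):  # keep the check quiet
        pass

# Ignore any proxy settings so the probe talks to the target directly.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def probe(url, method):
    """Send one request with no credentials and return the HTTP status."""
    body = b"" if method == "POST" else None
    req = urllib.request.Request(url, data=body, method=method)
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def unauthenticated_methods(url, methods=("GET", "POST")):
    """Return the methods the server did not answer with 401 or 403."""
    return [m for m in methods if probe(url, m) not in (401, 403)]

def run_against_stub():
    server = http.server.HTTPServer(("127.0.0.1", 0), MethodGatedStub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = f"http://127.0.0.1:{server.server_port}/solr/admin/collections"
        return unauthenticated_methods(url)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print("accepted without credentials:", run_against_stub())
```

An empty list from `unauthenticated_methods` means every probed method was rejected without credentials.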