Merge branch 'fix/workspace-permission' into deploy/dev

api/services/account_service.py

@@ -46,6 +46,7 @@ from services.errors.account import (
     LinkAccountIntegrateError,
     MemberNotInTenantError,
     NoPermissionError,
+    RemoveOwnerError,
     RoleAlreadyAssignedError,
     TenantNotFoundError,
 )
@@ -789,6 +790,9 @@ class TenantService:
 
         ta_operator = TenantAccountJoin.query.filter_by(tenant_id=tenant.id, account_id=operator.id).first()
 
+        logging.info(
+            f"Tenant {tenant.id} operator {operator.id} with role {ta_operator.role} is trying to {action} member {member.id if member else None}"
+        )
         if not ta_operator or ta_operator.role not in perms[action]:
             raise NoPermissionError(f"No permission to {action} member.")
 
@@ -800,6 +804,11 @@ class TenantService:
 
         TenantService.check_member_permission(tenant, operator, account, "remove")
         
+        # Additional check to ensure the target account is not owner
+        if TenantService.get_user_role(account, tenant) == TenantAccountRole.OWNER:
+            raise RemoveOwnerError("Cannot remove owner from tenant.")
+            
+
         ta = TenantAccountJoin.query.filter_by(tenant_id=tenant.id, account_id=account.id).first()
         if not ta:
             raise MemberNotInTenantError("Member not in tenant.")

api/services/errors/account.py

@@ -53,6 +53,10 @@ class MemberNotInTenantError(BaseServiceError):
     pass
 
 
+class RemoveOwnerError(BaseServiceError):
+    pass
+
+
 class RoleAlreadyAssignedError(BaseServiceError):
     pass