check is member in workspace when transfer owner

api/controllers/console/auth/error.py

@@ -105,4 +105,9 @@ class NotOwnerError(BaseHTTPException):
 class CannotTransferOwnerToSelfError(BaseHTTPException):
     error_code = "cannot_transfer_owner_to_self"
     description = "You cannot transfer ownership to yourself."
+    code = 400
+
+class MemberNotInTenantError(BaseHTTPException):
+    error_code = "member_not_in_tenant"
+    description = "The member is not in the workspace."
     code = 400

api/controllers/console/workspace/members.py

@@ -14,6 +14,7 @@ from controllers.console.auth.error import (
     InvalidTokenError,
     NotOwnerError,
     OwnerTransferLimitError,
+    MemberNotInTenantError
 )
 from controllers.console.error import EmailSendIpLimitError, WorkspaceMembersLimitExceeded
 from controllers.console.wraps import (
@@ -178,6 +179,9 @@ class SendOwnerTransferEmailApi(Resource):
         parser = reqparse.RequestParser()
         parser.add_argument("language", type=str, required=False, location="json")
         args = parser.parse_args()
+        ip_address = extract_remote_ip(request)
+        if AccountService.is_email_send_ip_limit(ip_address):
+            raise EmailSendIpLimitError()
 
         # check if the current user is the owner of the workspace
         if not TenantService.is_owner(current_user, current_user.current_tenant):
@@ -185,11 +189,8 @@ class SendOwnerTransferEmailApi(Resource):
 
         if current_user.id == str(member_id):
             raise CannotTransferOwnerToSelfError()
+        
 
-        ip_address = extract_remote_ip(request)
-        if AccountService.is_email_send_ip_limit(ip_address):
-            raise EmailSendIpLimitError()
-            
         if args["language"] is not None and args["language"] == "zh-Hans":
             language = "zh-Hans"
         else:
@@ -201,7 +202,10 @@ class SendOwnerTransferEmailApi(Resource):
             abort(404)
         else:
             member_name = member.name
-
+        # check the member is in the workspace
+        if not TenantService.is_member(member, current_user.current_tenant):
+            raise MemberNotInTenantError()
+        
         token = AccountService.send_owner_transfer_email(
             account=current_user,
             email=email,
@@ -285,6 +289,9 @@ class OwnerTransfer(Resource):
         member = db.session.get(Account, str(member_id))
         if not member:
             abort(404)
+            
+        if not TenantService.is_member(member, current_user.current_tenant):
+            raise MemberNotInTenantError()
 
         try:
             assert member is not None, "Member not found"

api/services/account_service.py

@@ -2,6 +2,7 @@ import base64
 import json
 import logging
 import secrets
+from tkinter import N
 import uuid
 from datetime import UTC, datetime, timedelta
 from hashlib import sha256
@@ -1087,6 +1088,10 @@ class TenantService:
     def is_owner(account: Account, tenant: Tenant) -> bool:
         return TenantService.get_user_role(account, tenant) == TenantAccountRole.OWNER
 
+    @staticmethod
+    def is_member(account: Account, tenant: Tenant) -> bool:
+        """Check if the account is a member of the tenant"""
+        return TenantService.get_user_role(account, tenant) is not None
 
 class RegisterService:
     @classmethod