Update api/services/account_service.py

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
fix: allow admin to remove and update non-privlige users.
1 changed files with 11 additions and 2 deletions
--- a/api/services/account_service.py
+++ b/api/services/account_service.py
@ -777,8 +777,8 @@ class TenantService:
        """Check member permission"""
        perms = {
            "add": [TenantAccountRole.OWNER, TenantAccountRole.ADMIN],
-            "remove": [TenantAccountRole.OWNER],
-            "update": [TenantAccountRole.OWNER],
+            "remove": [TenantAccountRole.OWNER, TenantAccountRole.ADMIN],
+            "update": [TenantAccountRole.OWNER, TenantAccountRole.ADMIN],
        }
        if action not in {"add", "remove", "update"}:
            raise InvalidActionError("Invalid action.")
@ -792,6 +792,15 @@ class TenantService:
        if not ta_operator or ta_operator.role not in perms[action]:
            raise NoPermissionError(f"No permission to {action} member.")
        
+        # Restriction: Admins cannot remove or update other admins or the owner
+        if action in {"remove", "update"}:
+            if ta_operator.role == TenantAccountRole.ADMIN:
+                if member:
+                    ta_member = TenantAccountJoin.query.filter_by(tenant_id=tenant.id, account_id=member.id).first()
+                    if not ta_member or ta_member.role in {TenantAccountRole.OWNER, TenantAccountRole.ADMIN}:
+                        raise NoPermissionError(f"No permission to {action} member.")
+            
+
    @staticmethod
    def remove_member_from_tenant(tenant: Tenant, account: Account, operator: Account) -> None:
        """Remove member from tenant"""
Author	SHA1	Message	Date
Xiyuan Chen	98e9cc5275	Update api/services/account_service.py Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	9 months ago
GareArc	1e5bf958ec	fix: allow admin to remove and update non-privlige users.	9 months ago