Now the presence of can_detach_role permission allows executing the DetachRole command without any limitations.
That is incorrect behavior.
We want to introduce two limitations:
It should NOT be possible to detach the last role from an account.
Transaction creator should have at least the same set of permissions as the permissions contained inside the role that is about to be detached. Otherwise, stateful validation should be failed.
Note for the 2nd limitation: the similar mechanism is already implemented for CreateRole and AppendRole commands (transaction creator cannot operate with roles that contain permissions that the transaction creator does not have).
Please cover the basic case and cases with limitations with tests.