Fix DetachRole command behavior

Description

Now the presence of can_detach_role permission allows executing the DetachRole command without any limitations.
That is incorrect behavior.

We want to introduce two limitations:

  • It should NOT be possible to detach the last role from an account.

  • Transaction creator should have at least the same set of permissions as the permissions contained inside the role that is about to be detached. Otherwise, stateful validation should be failed.

Note for the 2nd limitation: the similar mechanism is already implemented for CreateRole and AppendRole commands (transaction creator cannot operate with roles that contain permissions that the transaction creator does not have).

Acceptance criteria

Please cover the basic case and cases with limitations with tests.

Status

Assignee

Minibaev Evgenii

Reporter

Igor Egorov

Labels

None

Reviewer

None

Severity

None

Epic Link

Priority

Should have