Narong (2026-06-11): “The manager can change the roles and deactivate the owner — shouldn’t let that happen.”
team.edit/team.remove permission — which a
Manager holds for cashier management — but never checked the target’s role. So a Manager could demote,
deactivate, or remove the Owner. nix-cafe 7bc250b · no migration. Now: only an owner may
modify/remove another owner, and only an owner may grant the Owner role (server-enforced in
/cafe/api/team/[userId]), with the Edit affordance hidden from non-owners as defense-in-depth.
| Result | Request | Outcome |
|---|---|---|
| DENY | Manager PATCH owner {isActive:false} | → 403 “Only an owner can modify an owner account.” |
| DENY | Manager PATCH owner {roleId: cashier} | → 403 |
| DENY | Manager DELETE owner | → 403 (managers also lack team.remove) |
| DENY | Manager PATCH {roleId: owner} (escalation) | → 403 “Only an owner can assign the Owner role.” |
| ALLOW | Manager PATCH a cashier {shopIds:[]} | → 200 (still manages non-owners) |
| OK | Owner still active after the blocked attempts | → verified in DB |
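The rule described above, written out as a target-role-aware check and exercised against the table's cases. This is an added TypeScript example, not nix-cafe's own code: the types (`TeamMember`, `TeamPatch`), the function names, the per-role permission sets and the sample team are assumptions chosen to model the behaviour the table describes, not the project's API. The 403 messages are the ones quoted in the table.

```typescript
// Added example (not nix-cafe's code): authorization for team-member edits that
// checks the TARGET's role, not only the actor's permission. All identifiers
// here are assumptions modelled on the rule described in the text.

type Role = "owner" | "manager" | "cashier";

interface TeamMember {
  id: string;
  role: Role;
  isActive: boolean;
  shopIds: string[];
}

// Assumed shape of the PATCH body for /cafe/api/team/[userId].
interface TeamPatch {
  isActive?: boolean;
  roleId?: Role;
  shopIds?: string[];
}

interface Decision {
  status: 200 | 403 | 404;
  message?: string;
}

// Assumed permission sets: per the table, a Manager holds team.edit but not team.remove.
const PERMISSIONS: Record<Role, ReadonlySet<string>> = {
  owner: new Set<string>(["team.edit", "team.remove"]),
  manager: new Set<string>(["team.edit"]),
  cashier: new Set<string>(),
};

// The fix: after the original permission check, also inspect the target's role
// and the role being granted. Only an owner may touch an owner or mint one.
function authorizeTeamPatch(actor: TeamMember, target: TeamMember, patch: TeamPatch): Decision {
  if (!PERMISSIONS[actor.role].has("team.edit")) {
    return { status: 403, message: "Missing team.edit permission." };
  }
  if (target.role === "owner" && actor.role !== "owner") {
    return { status: 403, message: "Only an owner can modify an owner account." };
  }
  if (patch.roleId === "owner" && actor.role !== "owner") {
    return { status: 403, message: "Only an owner can assign the Owner role." };
  }
  return { status: 200 };
}

function authorizeTeamRemove(actor: TeamMember, target: TeamMember): Decision {
  if (!PERMISSIONS[actor.role].has("team.remove")) {
    return { status: 403, message: "Missing team.remove permission." };
  }
  if (target.role === "owner" && actor.role !== "owner") {
    return { status: 403, message: "Only an owner can modify an owner account." };
  }
  return { status: 200 };
}

// UI affordance (defense-in-depth only): hide Edit whenever the server would deny.
function showEditButton(actor: TeamMember, target: TeamMember): boolean {
  return authorizeTeamPatch(actor, target, {}).status === 200;
}

// Server-side handler: mutates the stored member only after authorization
// succeeds, so a denied request leaves the owner exactly as it was.
function handleTeamPatch(
  actor: TeamMember,
  team: Map<string, TeamMember>,
  userId: string,
  patch: TeamPatch,
): Decision {
  const target = team.get(userId);
  if (!target) return { status: 404, message: "No such team member." };
  const decision = authorizeTeamPatch(actor, target, patch);
  if (decision.status !== 200) return decision;
  team.set(userId, {
    ...target,
    isActive: patch.isActive ?? target.isActive,
    role: patch.roleId ?? target.role,
    shopIds: patch.shopIds ?? target.shopIds,
  });
  return decision;
}

// Constructed sample team (placeholder ids, not real accounts).
function sampleTeam(): Map<string, TeamMember> {
  return new Map<string, TeamMember>([
    ["u-owner", { id: "u-owner", role: "owner", isActive: true, shopIds: ["s1"] }],
    ["u-manager", { id: "u-manager", role: "manager", isActive: true, shopIds: ["s1"] }],
    ["u-cashier", { id: "u-cashier", role: "cashier", isActive: true, shopIds: ["s1"] }],
  ]);
}
```

The ordering matters: the permission check alone is what the original code had, and the DELETE case still fails it; the two role checks are the part the fix adds, and they are what stop a Manager who legitimately holds team.edit from deactivating or demoting the Owner, or promoting anyone to Owner.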
owner@lumiere-coffee.com) has no Edit button.