From 50f5e360e4ca216f785abb3c7dc7886798716ced Mon Sep 17 00:00:00 2001
From: Zhi
Date: Thu, 12 Mar 2026 12:47:15 +0000
Subject: [PATCH] fix: prevent deleting project owner
---
 app/api/routers/projects.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/app/api/routers/projects.py b/app/api/routers/projects.py
index 799b0a2..0424275 100644
--- a/app/api/routers/projects.py
+++ b/app/api/routers/projects.py
@@ -304,6 +304,18 @@ def remove_project_member(
 member = db.query(models.ProjectMember).filter(
 models.ProjectMember.project_id == project_id, models.ProjectMember.user_id == user_id
 ).first()
+
+ # Prevent removing project owner (admin role)
+ if member.role_id:
+ role = db.query(Role).filter(Role.id == member.role_id).first()
+ if role and role.name == "admin":
+ # Check if this is the only admin
+ admin_count = db.query(models.ProjectMember).filter(
+ models.ProjectMember.project_id == project_id,
+ models.ProjectMember.role_id == member.role_id
+ ).count()
+ if admin_count <= 1:
+ raise HTTPException(status_code=400, detail="Cannot remove the last owner of the project")
 if not member:
 raise HTTPException(status_code=404, detail="Member not found")
 db.delete(member)
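Review bot: The added owner check reads `member.role_id` before the existing `if not member:` guard, so a `user_id` that is not a member of the project now fails with an AttributeError on `None` (a 500) instead of the 404; move the `if not member:` / `raise HTTPException(status_code=404, detail="Member not found")` pair above the added block. The last-admin test is also a count followed by a separate delete, so two concurrent removals of different admins can each see `admin_count == 2` and both proceed, leaving the project with no owner. Whether the session's transaction isolation already prevents that is not visible here; taking a row lock on the project or its admin membership rows (for example a `with_for_update()` select) before counting would close the gap. `Role` is used unqualified while the rest of the hunk uses `models.ProjectMember`, so confirm it is imported in this module. The body of `remove_project_member` starts and ends outside the hunk.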