Fix missing role membership when giving creator permissions (#15058)

awx/main/models/rbac.py

@@ -602,13 +602,37 @@ def give_or_remove_permission(role, actor, giving=True):
     rd.give_or_remove_permission(actor, obj, giving=giving)
 
 
+class SyncEnabled(threading.local):
+    def __init__(self):
+        self.enabled = True
+
+
+rbac_sync_enabled = SyncEnabled()
+
+
+@contextlib.contextmanager
+def disable_rbac_sync():
+    try:
+        previous_value = rbac_sync_enabled.enabled
+        rbac_sync_enabled.enabled = False
+        yield
+    finally:
+        rbac_sync_enabled.enabled = previous_value
+
+
 def give_creator_permissions(user, obj):
-    RoleDefinition.objects.give_creator_permissions(user, obj)
+    assignment = RoleDefinition.objects.give_creator_permissions(user, obj)
+    if assignment:
+        with disable_rbac_sync():
+            old_role = get_role_from_object_role(assignment.object_role)
+            old_role.members.add(user)
 
 
 def sync_members_to_new_rbac(instance, action, model, pk_set, reverse, **kwargs):
     if action.startswith('pre_'):
         return
+    if not rbac_sync_enabled.enabled:
+        return
 
     if action == 'post_add':
         is_giving = True

awx/main/tests/functional/dab_rbac/test_translation_layer.py

@@ -1,6 +1,6 @@
 import pytest
 
-from awx.main.models.rbac import get_role_from_object_role
+from awx.main.models.rbac import get_role_from_object_role, give_creator_permissions
 from awx.main.models import User, Organization, WorkflowJobTemplate, WorkflowJobTemplateNode
 from awx.api.versioning import reverse
 
@@ -74,3 +74,10 @@ def test_workflow_approval_list(get, post, admin_user):
 
     r = get(url=reverse('api:workflow_approval_list'), user=admin_user, expect=200)
     assert r.data['count'] >= 1
+
+
+@pytest.mark.django_db
+def test_creator_permission(rando, admin_user, inventory):
+    give_creator_permissions(rando, inventory)
+    assert rando in inventory.admin_role
+    assert rando in inventory.admin_role.members.all()