Add migration-safe utility function for global permission assignment (ansible#870)

Fix AttributeError in migrations where fake models lack custom methods
like give_global_permission. This addresses Django's migration system
creating __fake__ models that only include database fields and basic ORM
methods, not custom instance methods.

Solution:
- Add give_global_permission_to_actor() utility function in _utils.py
- Function replicates RoleDefinition.give_global_permission() logic
- Works with migration fake models using apps.get_model()
- Enhanced team detection for migration context using model_name check
- Enables sharing code between models and migrations (Django best
practice)

The utility function handles:
- User and team assignment creation via get_or_create()
- Settings validation for singleton roles
- Cache clearing for permission updates
- Proper error handling with descriptive messages

This fix allows migrations to perform global permission assignments
without relying on custom model methods that don't exist on fake models.

Signed-off-by: Fabricio Aguiar <[email protected]>

Author: fao89

ansible_base/rbac/migrations/_utils.py

@@ -105,6 +105,57 @@ def cleanup_orphaned_permissions(apps):
     return deleted_count
 
 
+def give_global_permission_to_actor(role_definition, actor, apps):
+    """
+    Migration-safe utility function to give global permission to an actor (user or team).
+
+    This function replicates the logic from RoleDefinition.give_global_permission()
+    but works with migration fake models that don't have custom methods.
+
+    Args:
+        role_definition: RoleDefinition instance (can be fake model from migration)
+        actor: User or Team instance to grant permission to
+        apps: Django apps registry from migration context
+    """
+    from django.conf import settings
+    from rest_framework.exceptions import ValidationError
+
+    if role_definition.content_type is not None:
+        raise ValidationError('Role definition content type must be null to assign globally')
+
+    # Get the assignment classes through apps registry (migration-safe)
+    RoleUserAssignment = apps.get_model('dab_rbac', 'RoleUserAssignment')
+    RoleTeamAssignment = apps.get_model('dab_rbac', 'RoleTeamAssignment')
+
+    if actor._meta.model_name == 'user':
+        if not settings.ANSIBLE_BASE_ALLOW_SINGLETON_USER_ROLES:
+            raise ValidationError('Global roles are not enabled for users')
+        kwargs = {'object_role': None, 'user': actor, 'role_definition': role_definition}
+        cls = RoleUserAssignment
+    elif hasattr(actor, '_meta') and actor._meta.model_name == 'team':
+        # In migration context, check by model name since isinstance checks might fail
+        if not settings.ANSIBLE_BASE_ALLOW_SINGLETON_TEAM_ROLES:
+            raise ValidationError('Global roles are not enabled for teams')
+        kwargs = {'object_role': None, 'team': actor, 'role_definition': role_definition}
+        cls = RoleTeamAssignment
+    else:
+        raise RuntimeError(f'Cannot give permission for {actor} (type: {type(actor)}, model_name: {getattr(actor._meta, "model_name", "unknown")}), must be a user or team')
+
+    assignment, _ = cls.objects.get_or_create(**kwargs)
+
+    # Clear any cached permissions
+    if actor._meta.model_name == 'user':
+        if hasattr(actor, '_singleton_permissions'):
+            delattr(actor, '_singleton_permissions')
+    else:
+        # when team permissions change, users in memory may be affected by this
+        # but there is no way to know what users, so we use a global flag
+        from ansible_base.rbac.evaluations import bound_singleton_permissions
+        bound_singleton_permissions._team_clear_signal = True
+
+    return assignment
+
+
 def migrate_content_type(apps, schema_editor):
     """
     Migrate content type references from Django ContentType to DABContentType.