Handle team update missing in some cases

AlanCoding · AlanCoding · commit 3e01bb78f83c · 2025-09-17T11:15:27.000-04:00
diff --git a/ansible_base/rbac/triggers.py b/ansible_base/rbac/triggers.py
@@ -110,7 +110,11 @@ def bulk_rbac_caching(memory_safe=False):
                 logger.info(f'Performing bulk RBAC cache update: teams={needs_team_update}, object_roles={len(object_roles_to_update)}')
                 if needs_team_update:
                     compute_team_member_roles()
-                if object_roles_to_update:
+                    # When team memberships change, always recompute object role permissions
+                    # to ensure the permission cache reflects new team relationships
+                    compute_object_role_permissions()
+                elif object_roles_to_update:
+                    # Only object roles changed, no team updates needed
                     compute_object_role_permissions(object_roles=object_roles_to_update)
 
 
diff --git a/test_app/tests/rbac/test_triggers.py b/test_app/tests/rbac/test_triggers.py
@@ -474,3 +474,41 @@ def test_bulk_caching_memory_safe_mixed_operations(self, rando, team, inv_rd, or
 
             # Should call full recomputation since we had net updates
             mock_obj_update.assert_called_once_with()
+
+    def test_bulk_caching_with_removal(self, rando, inv_rd, inventory):
+        """Test bulk caching when object role gets deleted during removal"""
+        # First give permission normally
+        inv_rd.give_permission(rando, inventory)
+
+        with patch('ansible_base.rbac.triggers.compute_object_role_permissions') as mock_obj_update:
+
+            with bulk_rbac_caching():
+                # Remove permission in bulk mode - this will delete the object role
+                inv_rd.remove_permission(rando, inventory)
+                mock_obj_update.assert_not_called()
+
+            # Should not be called since object role was deleted (nothing to update)
+            mock_obj_update.assert_not_called()
+
+    def test_bulk_caching_team_only_updates_fix(self, rando, team, member_rd):
+        """Test that team-only updates properly call compute_object_role_permissions"""
+        with (
+            patch('ansible_base.rbac.triggers.compute_team_member_roles') as mock_team_update,
+            patch('ansible_base.rbac.triggers.compute_object_role_permissions') as mock_obj_update,
+        ):
+
+            with bulk_rbac_caching():
+                # This assignment affects team membership but doesn't create a new object role
+                # that would be added to object_roles_to_update
+                member_rd.give_permission(rando, team)
+
+                # Should not be called during bulk mode
+                mock_team_update.assert_not_called()
+                mock_obj_update.assert_not_called()
+
+            # CRITICAL: Both should be called when team updates happen
+            # This ensures the permission cache reflects new team relationships
+            mock_team_update.assert_called_once()
+            # This is the bug fix - compute_object_role_permissions should be called
+            # even when only team updates occurred (no object_roles_to_update)
+            mock_obj_update.assert_called_once_with()
