avoid applying system auditor prop if action was association

awx/api/views.py

@@ -768,7 +768,7 @@ class BaseUsersList(SubListCreateAttachDetachAPIView):
     def post(self, request, *args, **kwargs):
         ret = super(BaseUsersList, self).post( request, *args, **kwargs)
         try:
-            if request.data.get('is_system_auditor', False):
+            if ret.data is not None and request.data.get('is_system_auditor', False):
                 # This is a faux-field that just maps to checking the system
                 # auditor role member list.. unfortunately this means we can't
                 # set it on creation, and thus needs to be set here.

awx/main/tests/functional/api/test_create_attach_views.py

@@ -45,3 +45,18 @@ def test_role_team_view_access(rando, team, inventory, mocker, post):
     mock_access.assert_called_once_with(
         inventory.admin_role, team, 'member_role.parents', data,
         skip_sub_obj_read_check=False)
+
+
+@pytest.mark.django_db
+def test_org_associate_with_junk_data(rando, admin_user, organization, post):
+    """
+    Assure that post-hoc enforcement of auditor role
+    will turn off if the action is an association
+    """
+    user_data = {'is_system_auditor': True, 'id': rando.pk}
+    post(url=reverse('api:organization_users_list', args=(organization.pk,)),
+         data=user_data, expect=204, user=admin_user)
+    # assure user is now an org member
+    assert rando in organization.member_role
+    # assure that this did not also make them a system auditor
+    assert not rando.is_system_auditor