Make sure to add primary repo permissions under a transaction

Should prevent a repository from being created under a user's namespace without a corresponding admin permission

Fixes https://jira.coreos.com/browse/QUAY-826

data/model/repository.py

@@ -38,6 +38,7 @@ def create_repository(namespace, name, creating_user, visibility='private', repo
   namespace_user = User.get(username=namespace)
   yesterday = datetime.now() - timedelta(days=1)
 
+  with db_transaction():
     repo = Repository.create(name=name, visibility=Repository.visibility.get_id(visibility),
                             namespace_user=namespace_user,
                             kind=Repository.kind.get_id(repo_kind),
@@ -46,12 +47,13 @@ def create_repository(namespace, name, creating_user, visibility='private', repo
     RepositoryActionCount.create(repository=repo, count=0, date=yesterday)
     RepositorySearchScore.create(repository=repo, score=0)
 
+    # Note: We put the admin create permission under the transaction to ensure it is created.
     if creating_user and not creating_user.organization:
       admin = Role.get(name='admin')
       RepositoryPermission.create(user=creating_user, repository=repo, role=admin)
 
-    if creating_user.username != namespace:
+  # Apply default permissions (only occurs for repositories under organizations)
-      # Permission prototypes only work for orgs
+  if creating_user and not creating_user.organization and creating_user.username != namespace:
     permission.apply_default_permissions(repo, creating_user)
 
   return repo