fix: Add proper constraints to RoleUserAssignmentViewSet OpenAPI spec

      Implements complete schema override using allOf + $ref pattern to document
      mutually exclusive field requirements for POST /role_user_assignments:
      - Exactly one of 'user' or 'user_ansible_id' must be provided
      - At most one of 'object_id' or 'object_ansible_id' can be provided

      Uses extend_schema_if_available with full content type support (JSON,
      form-encoded, multipart). Preserves auto-generated schema via $ref while
      adding oneOf constraints for MCP consumption.

      Documentation-only fix - no API behavior changes.

      This prevents MCP clients from submitting invalid requests and improves
      API documentation accuracy for automated consumption.

      Co-Authored-By: Claude <[email protected]>
      Vibe-Coder: Andrew Potozniak <[email protected]>
      AIA: Entirely AI, Human-initiated, Reviewed, Claude Code [Sonnet 4] v1.0
      https://aiattribution.github.io/statements/AIA-EAI-Hin-R-?model=Claude%20Code%20%5BSonnet%204%5D-v1.0

Author: tyraziel

ansible_base/rbac/api/views.py

@@ -14,6 +14,7 @@
 from rest_framework.viewsets import GenericViewSet, ModelViewSet, mixins
 
 from ansible_base.lib.utils.auth import get_team_model, get_user_model
+from ansible_base.lib.utils.schema import extend_schema_if_available
 from ansible_base.lib.utils.views.django_app_api import AnsibleBaseDjangoAppApiView
 from ansible_base.lib.utils.views.permissions import try_add_oauth2_scope_permission
 from ansible_base.rbac.api.permissions import RoleDefinitionPermissions
@@ -236,17 +237,34 @@ class RoleTeamAssignmentViewSet(BaseAssignmentViewSet):
     ]
 
 
-class RoleUserAssignmentViewSet(BaseAssignmentViewSet):
-    """
-    Use this endpoint to give a user permission to a resource or an organization.
-    The needed data is the user, the role definition, and the object id.
-    The object must be of the type specified in the role definition.
-    The type given in the role definition and the provided object_id are used
-    to look up the resource.
+# Schema fragments for RoleUserAssignmentViewSet OpenAPI spec
+_USER_ACTOR_ONEOF = {
+    'oneOf': [
+        {'required': ['user'], 'not': {'required': ['user_ansible_id']}},
+        {'required': ['user_ansible_id'], 'not': {'required': ['user']}},
+    ]
+}
+
+_OBJECT_ID_ONEOF = {
+    'oneOf': [
+        {'properties': {'object_id': {'oneOf': [{'type': 'integer'}, {'type': 'string', 'format': 'uuid'}]}, 'object_ansible_id': False}},
+        {'properties': {'object_ansible_id': {'type': 'string', 'format': 'uuid'}, 'object_id': False}},
+        {'not': {'anyOf': [{'required': ['object_id']}, {'required': ['object_ansible_id']}]}},
+    ]
+}
+
+_ROLE_USER_ASSIGNMENT_REQUEST_SCHEMA = {
+    'schema': {
+        'allOf': [
+            {'$ref': '#/components/schemas/RoleUserAssignment'},
+            _USER_ACTOR_ONEOF,
+            _OBJECT_ID_ONEOF,
+        ]
+    }
+}
 
-    After creation, the assignment cannot be edited, but can be deleted to
-    remove those permissions.
-    """
+
+class RoleUserAssignmentViewSet(BaseAssignmentViewSet):
 
     resource_purpose = "RBAC role grants assigning permissions to users for specific resources"
 
@@ -257,6 +275,21 @@ class RoleUserAssignmentViewSet(BaseAssignmentViewSet):
         ansible_id_backend.RoleAssignmentFilterBackend,
     ]
 
+    @extend_schema_if_available(
+        request={
+            'application/json': _ROLE_USER_ASSIGNMENT_REQUEST_SCHEMA,
+            'application/x-www-form-urlencoded': _ROLE_USER_ASSIGNMENT_REQUEST_SCHEMA,
+            'multipart/form-data': _ROLE_USER_ASSIGNMENT_REQUEST_SCHEMA,
+        },
+        description="Give a user permission to a resource, an organization, or globally (when allowed)."
+        "Must specify 'role_definition' and exactly one of 'user' or 'user_ansible_id'."
+        "Can specify at most one of 'object_id' or 'object_ansible_id' (omit both for global roles)."
+        "The content_type of the role definition and the provided object_id are used to look up the resource."
+        "After creation, the assignment cannot be edited, but can be deleted to remove those permissions.",
+    )
+    def create(self, request, *args, **kwargs):
+        return super().create(request, *args, **kwargs)
+
 
 class AccessURLMixin:
     def get_actor_model(self):