Process remote objects in attached methods

AlanCoding · AlanCoding · commit 3b72a3e5688a · 2025-07-02T14:29:53.000-04:00
diff --git a/ansible_base/rbac/evaluations.py b/ansible_base/rbac/evaluations.py
@@ -1,3 +1,4 @@
+import inspect
 from typing import Iterable, Optional, Type
 
 from django.conf import settings
@@ -120,7 +121,9 @@ def remote_obj_id_qs(actor, remote_cls: Type[RemoteObject], codename: str = 'vie
 
 
 def bound_has_obj_perm(self, obj, codename) -> bool:
-    if not permission_registry.is_registered(obj):
+    if (inspect.isclass(obj) and issubclass(obj, RemoteObject)) or isinstance(obj, RemoteObject):
+        pass  # no need to validate remote content type, assumed we have content type entry already
+    elif not permission_registry.is_registered(obj):
         raise ValidationError(f'Object of {obj._meta.model_name} type is not registered with DAB RBAC')
     full_codename = validate_codename_for_model(codename, obj)
     if has_super_permission(self, full_codename):
diff --git a/ansible_base/rbac/models/__init__.py b/ansible_base/rbac/models/__init__.py
@@ -1,6 +1,7 @@
-from django.db import connection
 import inspect
 
+from django.db import connection
+
 from ..remote import RemoteObject
 from .content_type import DABContentType
 from .permission import DABPermission
@@ -20,8 +21,11 @@
 
 
 def get_evaluation_model(cls):
-    if (inspect.isclass(cls) and issubclass(cls, RemoteObject)) or isinstance(cls, RemoteObject):
+    if isinstance(cls, RemoteObject):
         # For remote models, we save the pk type in the database specifically for use here
+        pk_db_type = cls.content_type.pk_field_type
+    elif inspect.isclass(cls) and issubclass(cls, RemoteObject):
+        # Weirdness when passed a remote class but not a remote object, get type first
         pk_db_type = cls.get_ct_from_type().pk_field_type
     else:
         pk_field = cls._meta.pk
diff --git a/ansible_base/rbac/remote.py b/ansible_base/rbac/remote.py
@@ -19,12 +19,21 @@
 """
 
 
+class StandinMeta:
+    def __init__(self, ct: models.Model, abstract=False):
+        self.service = ct.service
+        self.model_name = ct.model
+        self.app_label = ct.app_label
+        self.abstract = abstract
+
+
 class RemoteObject:
     """Placeholder for objects that live in another project."""
 
     def __init__(self, content_type: models.Model, object_id: Union[int, str]):
         self.content_type = content_type
         self.object_id = object_id
+        self._meta = StandinMeta(content_type, abstract=True)
 
     def __repr__(self):
         return f"<RemoteObject {self.content_type} id={self.object_id}>"
@@ -48,6 +57,10 @@ def access_ids_qs(cls, actor, codename: str = 'view', content_types=None, cast_f
 
         return remote_obj_id_qs(actor, remote_cls=cls, codename=codename, content_types=content_types, cast_field=cast_field)
 
+    @property
+    def pk(self):
+        return self.object_id
+
 
 def get_remote_base_class() -> Type[RemoteObject]:
     """Return the class which represents remote objects.
@@ -120,12 +133,6 @@ def get_remote_standin_class(content_type: models.Model) -> Type:
         base = get_remote_base_class()
         name = f"Remote[{content_type.service}:{content_type.app_label}.{content_type.model}]"
 
-        class StandinMeta:
-            def __init__(self, ct: models.Model):
-                self.service = ct.service
-                self.model_name = ct.model
-                self.app_label = ct.app_label
-
         standin = type(
             name,
             (base,),
diff --git a/ansible_base/rbac/validators.py b/ansible_base/rbac/validators.py
@@ -30,7 +30,10 @@ def prnt_codenames(codename_set: set[str]) -> str:
 
 def codenames_for_remote_cls(cls: Union[Type[RemoteObject], RemoteObject]) -> list[str]:
     """For remote objects, we have to use the database to get its known permissions"""
-    ct = cls.get_ct_from_type()
+    if inspect.isclass(cls):
+        ct = cls.get_ct_from_type()
+    else:
+        ct = cls.content_type
     return [permission.codename for permission in ct.dab_permissions.all()]
 
 
diff --git a/test_app/tests/rbac/remote/test_remote_models.py b/test_app/tests/rbac/remote/test_remote_models.py
@@ -18,3 +18,9 @@ def test_give_remote_permission(rando):
 
     # We can do evaluation querysets, but these can not return objects, just id values
     assert set(foo_type.model_class().access_ids_qs(actor=rando, codename='foo')) == {(int(assignment.object_id),)}
+
+    # Test that user-attached methods also work
+    assert rando.has_obj_perm(a_foo, 'foo')
+    with pytest.raises(RuntimeError) as exc:
+        assert not rando.has_obj_perm(a_foo, 'bar')  # not a valid permission
+    assert 'The permission bar_foo is not valid for model foo' in str(exc)
