Fix corner case for remote object

AlanCoding · AlanCoding · commit 720380ac3c54 · 2025-07-08T13:11:17.000-04:00
diff --git a/ansible_base/rbac/api/views.py b/ansible_base/rbac/api/views.py
@@ -32,6 +32,7 @@
 
 from ..models import DABContentType, DABPermission, get_evaluation_model
 from ..remote import RemoteObject, get_resource_prefix
+from ..policies import check_content_obj_permission
 
 
 def list_combine_values(data: dict[Type[Model], list[str]]) -> list[str]:
@@ -242,8 +243,11 @@ def get_data_from_url(self):
             else:
                 self.related_object = model_cls(content_type=self.content_type, object_id=object_id)
 
-            if not self.request.user.has_obj_perm(self.related_object, 'view'):
-                raise NotFound
+            try:
+                if not self.request.user.has_obj_perm(self.related_object, 'view'):
+                    raise NotFound
+            except RuntimeError:
+                check_content_obj_permission(self.request.user, self.related_object)
 
         return (self.permission, self.content_type, self.related_object)
 
diff --git a/ansible_base/rbac/policies.py b/ansible_base/rbac/policies.py
@@ -7,9 +7,10 @@
 
 from ansible_base.lib.utils.settings import get_setting
 from ansible_base.rbac.evaluations import has_super_permission
-from ansible_base.rbac.models import ObjectRole
+from ansible_base.rbac.models import ObjectRole, DABPermission
 from ansible_base.rbac.permission_registry import permission_registry
 from ansible_base.rbac.validators import permissions_allowed_for_role
+from ansible_base.rbac.remote import RemoteObject
 
 
 def visible_users(request_user, queryset=None, always_show_superusers=True, always_show_self=True) -> QuerySet:
@@ -78,7 +79,17 @@ def check_content_obj_permission(request_user, obj) -> None:
     on objects, so we firstly look to a simple matter of having change permission
     If that is not available, then we check all object-level permissions.
     """
-    if 'change' in obj._meta.default_permissions:
+    if isinstance(obj, RemoteObject):
+        permissions = DABPermission.objects.filter(content_type=obj.content_type)
+        for permission in permissions:
+            if permission.codename.startswith('change'):
+                if not request_user.has_obj_perm(obj, 'change'):
+                    raise PermissionDenied
+                return
+        for permission in permissions:
+            if not request_user.has_obj_perm(obj, permission.codename):
+                raise PermissionDenied
+    elif 'change' in obj._meta.default_permissions:
         # Model has no change permission, so user must have all permissions for the applicable model
         if not request_user.has_obj_perm(obj, 'change'):
             raise PermissionDenied
