Permission denied when using `ostree import-all` CLI command.

[decko]

Version pulpcore 3.54.0 pulp_ostree 2.3.1

Describe the bug After creating a role with all core and ostree permissions, an user is not able to use import-all commits of an ostree repo into a pulp repo. It is possible to use the same command as an super-user and get the content uploaded without errors.

To Reproduce The role is created using the following payload:

{
  "name": "ostree.admin",
  "description": "Role for ostree administrative tasks.",
  "permissions": [
    "core.add_compositecontentguard",
    "core.add_domain",
    "core.add_headercontentguard",
    "ostree.add_ostreedistribution",
    "ostree.add_ostreeremote",
    "ostree.add_ostreerepository",
    "ostree.view_ostreerepository",
    "ostree.change_ostreerepository",
    "ostree.delete_ostreerepository",
    "ostree.import_commits_ostreerepository",
    "ostree.manage_roles_ostreerepository",
    "ostree.modify_ostreerepository",
    "ostree.repair_ostreerepository",
    "ostree.sync_ostreerepository",
    "ostree.view_ostreerepository",
    "ostree.add_ostreerepository",
    "ostree.view_ostreeremote",
    "ostree.change_ostreeremote",
    "ostree.delete_ostreeremote",
    "ostree.manage_roles_ostreeremote",
    "ostree.view_ostreeremote",
    "ostree.add_ostreeremote",
    "ostree.view_ostreedistribution",
    "ostree.change_ostreedistribution",
    "ostree.delete_ostreedistribution",
    "ostree.manage_roles_ostreedistribution",
    "ostree.view_ostreedistribution",
    "ostree.add_ostreedistribution",
    "core.replicate_upstreampulp",
    "core.view_upstreampulp",
    "core.view_upstreampulp",
    "core.change_upstreampulp",
    "core.delete_upstreampulp",
    "core.manage_roles_upstreampulp",
    "core.replicate_upstreampulp",
    "core.view_upstreampulp",
    "core.add_upstreampulp",
    "core.view_upload",
    "core.change_upload",
    "core.delete_upload",
    "core.manage_roles_upload",
    "core.view_upload",
    "core.add_upload",
    "core.view_task",
    "core.change_task",
    "core.delete_task",
    "core.manage_roles_task",
    "core.view_task",
    "core.view_taskschedule",
    "core.manage_roles_taskschedule",
    "core.view_taskschedule",
    "core.download_rbaccontentguard",
    "core.view_rbaccontentguard",
    "core.change_rbaccontentguard",
    "core.delete_rbaccontentguard",
    "core.manage_roles_rbaccontentguard",
    "core.view_rbaccontentguard",
    "core.add_rbaccontentguard",
    "core.view_headercontentguard",
    "core.change_headercontentguard",
    "core.delete_headercontentguard",
    "core.manage_roles_headercontentguard",
    "core.view_headercontentguard",
    "core.add_headercontentguard",
    "core.view_group",
    "core.change_group",
    "core.delete_group",
    "core.manage_roles_group",
    "core.view_group",
    "core.add_group",
    "core.view_domain",
    "core.change_domain",
    "core.delete_domain",
    "core.manage_roles_domain",
    "core.view_domain",
    "core.add_domain",
    "core.view_contentredirectcontentguard",
    "core.change_contentredirectcontentguard",
    "core.delete_contentredirectcontentguard",
    "core.manage_roles_contentredirectcontentguard",
    "core.view_contentredirectcontentguard",
    "core.add_contentredirectcontentguard",
    "core.view_compositecontentguard",
    "core.change_compositecontentguard",
    "core.delete_compositecontentguard",
    "core.manage_roles_compositecontentguard",
    "core.view_compositecontentguard",
    "core.add_compositecontentguard"
  ]
}

Then you assign this role to a non-admin user.

pulp user role-assignment add --username <non-admin-user> --role edge_ostree.admin --object ""

after that, try to import an repo:

pulp ostree repository import-all --name fedora-iot --repository_name repo --file repo.tar --ref fedora/stable/x86_64/iot

and you'll receive a message about an operation that is not permited.