Scope distribution content access to registry-pushed repos only.

Model-level view_containerdistribution must not grant repository_version
filtering on synced container repositories that have a remote.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: gerrod3

pulp_container/app/viewsets.py

@@ -173,16 +173,19 @@ def _repo_query_params(self, request, view, push_perm, mirror_perm):
                         mirror_perm, repo
                     ):
                         repo_pks.append(repo.pk)
-                    elif request.user.has_perm(push_perm) or any(
-                        request.user.has_perm(push_perm, dist.cast())
-                        or (
-                            dist.cast().namespace
-                            and request.user.has_perm(
-                                "container.namespace_view_containerdistribution",
-                                dist.cast().namespace,
+                    elif not repo.remote and (
+                        request.user.has_perm(push_perm)
+                        or any(
+                            request.user.has_perm(push_perm, dist.cast())
+                            or (
+                                dist.cast().namespace
+                                and request.user.has_perm(
+                                    "container.namespace_view_containerdistribution",
+                                    dist.cast().namespace,
+                                )
                             )
+                            for dist in repo.distributions.all()
                         )
-                        for dist in repo.distributions.all()
                     ):
                         repo_pks.append(repo.pk)
         return repo_pks