diff --git a/app/policies/entry_policy.rb b/app/policies/entry_policy.rb
index ddc70a0..1e19f27 100644
--- a/app/policies/entry_policy.rb
+++ b/app/policies/entry_policy.rb
@@ -36,19 +36,16 @@ def show?
 class Scope < Scope
 def resolve
 base_scope = scope.where(deleted: false) # Only show non-deleted entries by default
+ admin_role_ids = Role.where(kind: ['Collection Administrator', 'Collection Manager']).pluck(:id)
+ admin_container_ids = user.present? ? user.assignments.where(role_id: admin_role_ids).pluck(:container_id).uniq : []
 if user.nil?
 scope.none
 elsif user.axis_mundi?
 # Axis mundi can see all entries
 base_scope
- elsif user.administrator? || user.manager?
- # Collection administrators and managers can see entries from their containers
- admin_role_ids = Role.where(kind: ['Collection Administrator', 'Collection Manager']).pluck(:id)
- admin_container_ids = user.assignments
- .where(role_id: admin_role_ids)
- .pluck(:container_id)
-
+ elsif admin_container_ids.any?
+ # Collection administrators and managers (by container assignment) can see entries from their containers
 base_scope.joins(contest_instance: { contest_description: :container })
 .where(containers: { id: admin_container_ids })
 elsif user.judge?
diff --git a/spec/controllers/entries_controller_spec.rb b/spec/controllers/entries_controller_spec.rb
index c61b020..b1aff19 100644
--- a/spec/controllers/entries_controller_spec.rb
+++ b/spec/controllers/entries_controller_spec.rb
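Review bot: The new `elsif admin_container_ids.any?` branch grants the container-scoped listing on the strength of an assignment row alone, dropping the former `user.administrator? || user.manager?` gate; if those predicates carry account-level meaning beyond assignments, a user flagged that way but holding no assignment now silently falls through to the `judge?` branch, while a non-flagged user with a stray admin-kind assignment gains access — neither outcome is documented in the hunk. Add a why-comment above the new `elsif`, e.g. `# Access here is decided solely by container assignment; the account-level administrator?/manager? predicates are intentionally not consulted.` Both new lookups also execute before the `user.nil?`/`axis_mundi?` guards, so every call pays the `Role.where(kind: ...)` query even when its result is discarded; hoisting the two kind strings into a frozen constant and computing `admin_container_ids` lazily (for instance in a private memoized helper on the Scope) would avoid that without changing branch order. The specs added in this commit exercise `modal_details` (i.e. `show?`) rather than `Scope#resolve`, so the changed branch condition itself appears untested here. `resolve` continues past the hunk; the `judge?` branch and any fall-through default are not visible.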
@@ -21,6 +21,43 @@
 end
 end
+ context "when user is a Container Administrator for the entry's container" do
+ let(:container) { contest_instance.contest_description.container }
+ let(:admin_user) { create(:user) }
+ let(:admin_role) { create(:role, kind: 'Collection Administrator') }
+
+ before do
+ create(:assignment, user: admin_user, container: container, role: admin_role)
+ sign_in admin_user
+ get :modal_details, params: { id: entry.id }
+ end
+
+ it "returns a successful response" do
+ expect(response).to be_successful
+ end
+
+ it "renders the details partial" do
+ expect(response).to render_template('entries/modal_details')
+ end
+ end
+
+ context "when user is a Collection Administrator for a different container" do
+ let(:other_container) { create(:container) }
+ let(:other_admin_user) { create(:user) }
+ let(:admin_role) { create(:role, kind: 'Collection Administrator') }
+
+ before do
+ create(:assignment, user: other_admin_user, container: other_container, role: admin_role)
+ sign_in other_admin_user
+ get :modal_details, params: { id: entry.id }
+ end
+
+ it "redirects with unauthorized message" do
+ expect(response).to redirect_to(root_path)
+ expect(flash[:alert]).to eq("!!! Not authorized !!!")
+ end
+ end
+
+ context "when user is not authorized" do
 let(:other_user) { create(:user) }