✨(api) retrieve mailboxes

add feature to retrieve mailboxes when having the right access
2025-08-27 18:40:56 +02:00
parent 72e73bff45
commit 1bfad507ef
4 changed files with 49 additions and 2 deletions
--- a/src/backend/mailbox_manager/api/client/serializers.py
+++ b/src/backend/mailbox_manager/api/client/serializers.py
@@ -83,7 +83,7 @@ class MailboxUpdateSerializer(MailboxSerializer):
            "secondary_email",
            "status",
        ]
-        read_only_fields = ("id", "status", "local_part", "status")
+        read_only_fields = ("id", "local_part", "status")


 class MailDomainSerializer(serializers.ModelSerializer):
--- a/src/backend/mailbox_manager/api/client/viewsets.py
+++ b/src/backend/mailbox_manager/api/client/viewsets.py
@@ -232,6 +232,7 @@ class MailBoxViewSet(
    mixins.CreateModelMixin,
    mixins.ListModelMixin,
    mixins.UpdateModelMixin,
+    mixins.RetrieveModelMixin,
 ):
    """MailBox ViewSet

--- a/src/backend/mailbox_manager/api/permissions.py
+++ b/src/backend/mailbox_manager/api/permissions.py
@@ -1,5 +1,7 @@
 """Permission handlers for the People mailbox manager app."""

+from rest_framework import permissions
+
 from core.api import permissions as core_permissions

 from mailbox_manager import models
@@ -24,7 +26,7 @@ class MailBoxPermission(AccessPermission):
        return abilities.get(request.method.lower(), False)


-class IsMailboxOwnerPermission(core_permissions.IsAuthenticated):
+class IsMailboxOwnerPermission(permissions.BasePermission):
    """Authorize update for domain viewers on their own mailbox."""

    def has_permission(self, request, view):
--- a/src/backend/mailbox_manager/tests/api/mailboxes/test_api_mailboxes_retrieve.py
+++ b/src/backend/mailbox_manager/tests/api/mailboxes/test_api_mailboxes_retrieve.py
@@ -35,3 +35,47 @@ def test_api_mailboxes__retrieve_unauthorized_failure():

    assert response.status_code == status.HTTP_403_FORBIDDEN
    # 403 or 404 for confidentiality/security purposes ?
+
+    # response should be the same whether the mailbox exists or not, so that
+    # unauthorized users can't deduce mailbox existence or nonexistence
+    response = client.get(
+        f"/api/v1.0/mail-domains/{mailbox.domain.slug}/mailboxes/thismailboxdoesntexist/"
+    )
+    assert response.status_code == status.HTTP_403_FORBIDDEN
+
+
+def test_api_mailboxes__retrieve_authorized_ok():
+    """Authorized users should be able to retrieve mailboxes."""
+
+    access = factories.MailDomainAccessFactory()
+    mailbox = factories.MailboxFactory(domain=access.domain)
+
+    client = APIClient()
+    client.force_login(access.user)
+    response = client.get(
+        f"/api/v1.0/mail-domains/{mailbox.domain.slug}/mailboxes/{mailbox.pk}/"
+    )
+
+    assert response.status_code == status.HTTP_200_OK
+    assert response.json() == {
+        "id": str(mailbox.id),
+        "first_name": mailbox.first_name,
+        "last_name": mailbox.last_name,
+        "local_part": mailbox.local_part,
+        "secondary_email": mailbox.secondary_email,
+        "status": mailbox.status,
+    }
+
+
+def test_api_mailboxes__owner_not_authorized():
+    """Unauthorized mailbox owner should not be able to retrieve their mailbox."""
+    mailbox = factories.MailboxFactory()
+    user = core_factories.UserFactory(email=str(mailbox))
+
+    client = APIClient()
+    client.force_login(user)
+    response = client.get(
+        f"/api/v1.0/mail-domains/{mailbox.domain.slug}/mailboxes/{mailbox.pk}/"
+    )
+
+    assert response.status_code == status.HTTP_403_FORBIDDEN