diff --git a/src/backend/mailbox_manager/api/client/serializers.py b/src/backend/mailbox_manager/api/client/serializers.py
index 7ac92e6..5a84596 100644
--- a/src/backend/mailbox_manager/api/client/serializers.py
+++ b/src/backend/mailbox_manager/api/client/serializers.py
@@ -83,7 +83,7 @@ class MailboxUpdateSerializer(MailboxSerializer):
             "secondary_email",
             "status",
         ]
-        read_only_fields = ("id", "status", "local_part", "status")
+        read_only_fields = ("id", "local_part", "status")
 class MailDomainSerializer(serializers.ModelSerializer):
diff --git a/src/backend/mailbox_manager/api/client/viewsets.py b/src/backend/mailbox_manager/api/client/viewsets.py
index 443f61c..3072d65 100644
--- a/src/backend/mailbox_manager/api/client/viewsets.py
+++ b/src/backend/mailbox_manager/api/client/viewsets.py
@@ -232,6 +232,7 @@ class MailBoxViewSet(
     mixins.CreateModelMixin,
     mixins.ListModelMixin,
     mixins.UpdateModelMixin,
+    mixins.RetrieveModelMixin,
 ):
     """MailBox ViewSet
diff --git a/src/backend/mailbox_manager/api/permissions.py b/src/backend/mailbox_manager/api/permissions.py
index 6d54fd8..cdab4a7 100644
--- a/src/backend/mailbox_manager/api/permissions.py
+++ b/src/backend/mailbox_manager/api/permissions.py
@@ -1,5 +1,7 @@
 """Permission handlers for the People mailbox manager app."""
+from rest_framework import permissions
+
 from core.api import permissions as core_permissions
 from mailbox_manager import models
@@ -24,7 +26,7 @@ class MailBoxPermission(AccessPermission):
         return abilities.get(request.method.lower(), False)
-class IsMailboxOwnerPermission(core_permissions.IsAuthenticated):
+class IsMailboxOwnerPermission(permissions.BasePermission):
     """Authorize update for domain viewers on their own mailbox."""
     def has_permission(self, request, view):
diff --git a/src/backend/mailbox_manager/tests/api/mailboxes/test_api_mailboxes_retrieve.py b/src/backend/mailbox_manager/tests/api/mailboxes/test_api_mailboxes_retrieve.py
index 3ca0fe6..cd17d0e 100644
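Review bot: `mixins.RetrieveModelMixin` opens a detail GET route, but nothing in the hunk shows how that route is authorized: `permission_classes`, `get_queryset` and the rest of the class body sit outside the hunk, and the docstring `"""MailBox ViewSet` still names only the earlier actions. If the viewset relies on `MailBoxPermission` from the permissions hunk, a `get` key has to exist in the abilities it reads, because `abilities.get(request.method.lower(), False)` denies any method that is not listed; presumably the new retrieve test covers this, but it is worth confirming against the model's abilities. I would extend the docstring's first line to state the supported actions, e.g. `"""MailBox ViewSet: list, create, update and retrieve the mailboxes of a mail domain.`. The MailBoxViewSet class continues outside the hunk.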
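Review bot: Rebasing `IsMailboxOwnerPermission` on `permissions.BasePermission` drops the authentication gate that `core_permissions.IsAuthenticated` presumably provided, so `has_permission` — whose body is outside the hunk — now has to reject anonymous requests itself, e.g. `if not request.user.is_authenticated: return False` ahead of the ownership check; otherwise an `AnonymousUser` reaches the owner comparison and the outcome depends on how that comparison happens to behave. The docstring `"""Authorize update for domain viewers on their own mailbox."""` should spell out that contract now that the base class no longer implies it: `"""Allow an authenticated domain viewer to update their own mailbox; authentication is checked here, not inherited."""`. The import hunk at the top of the same file is the only other change there.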
--- a/src/backend/mailbox_manager/tests/api/mailboxes/test_api_mailboxes_retrieve.py
+++ b/src/backend/mailbox_manager/tests/api/mailboxes/test_api_mailboxes_retrieve.py
@@ -35,3 +35,47 @@ def test_api_mailboxes__retrieve_unauthorized_failure():
     assert response.status_code == status.HTTP_403_FORBIDDEN # 403 or 404 for confidentiality/security purposes ?
+
+    # response should be the same whether the mailbox exists or not, so that
+    # unauthorized users can't deduce mailbox existence or nonexistence
+    response = client.get(
+        f"/api/v1.0/mail-domains/{mailbox.domain.slug}/mailboxes/thismailboxdoesntexist/"
+    )
+    assert response.status_code == status.HTTP_403_FORBIDDEN
+
+
+def test_api_mailboxes__retrieve_authorized_ok():
+    """Authorized users should be able to retrieve mailboxes."""
+
+    access = factories.MailDomainAccessFactory()
+    mailbox = factories.MailboxFactory(domain=access.domain)
+
+    client = APIClient()
+    client.force_login(access.user)
+    response = client.get(
+        f"/api/v1.0/mail-domains/{mailbox.domain.slug}/mailboxes/{mailbox.pk}/"
+    )
+
+    assert response.status_code == status.HTTP_200_OK
+    assert response.json() == {
+        "id": str(mailbox.id),
+        "first_name": mailbox.first_name,
+        "last_name": mailbox.last_name,
+        "local_part": mailbox.local_part,
+        "secondary_email": mailbox.secondary_email,
+        "status": mailbox.status,
+    }
+
+
+def test_api_mailboxes__owner_not_authorized():
+    """Unauthorized mailbox owner should not be able to retrieve their mailbox."""
+    mailbox = factories.MailboxFactory()
+    user = core_factories.UserFactory(email=str(mailbox))
+
+    client = APIClient()
+    client.force_login(user)
+    response = client.get(
+        f"/api/v1.0/mail-domains/{mailbox.domain.slug}/mailboxes/{mailbox.pk}/"
+    )
+
+    assert response.status_code == status.HTTP_403_FORBIDDEN
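Review bot: The context comment `# 403 or 404 for confidentiality/security purposes ?` is answered by the assertion added just below it, so it should record the decision instead of asking the question, e.g. `# 403 whether or not the mailbox exists, so the response cannot be used to probe mailbox ids`. The nonexistence check uses the literal segment `thismailboxdoesntexist`; if the mailbox route ever constrains the id to a UUID, that request would turn into a routing 404 rather than the 403 this test is meant to protect, so an unknown `uuid.uuid4()` would be a sturdier probe (the URL configuration is not visible here). The exact-equality assertion on `response.json()` in `test_api_mailboxes__retrieve_authorized_ok` is the right shape, since it will catch any field that later leaks into the detail payload. `test_api_mailboxes__retrieve_unauthorized_failure` starts outside the hunk.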