✨(api) retrieve mailboxes

add feature to retrieve mailboxes when having the right access

src/backend/mailbox_manager/tests/api/mailboxes/test_api_mailboxes_retrieve.py

@@ -35,3 +35,47 @@ def test_api_mailboxes__retrieve_unauthorized_failure():
 
     assert response.status_code == status.HTTP_403_FORBIDDEN
     # 403 or 404 for confidentiality/security purposes ?
+
+    # response should be the same whether the mailbox exists or not, so that
+    # unauthorized users can't deduce mailbox existence or nonexistence
+    response = client.get(
+        f"/api/v1.0/mail-domains/{mailbox.domain.slug}/mailboxes/thismailboxdoesntexist/"
+    )
+    assert response.status_code == status.HTTP_403_FORBIDDEN
+
+
+def test_api_mailboxes__retrieve_authorized_ok():
+    """Authorized users should be able to retrieve mailboxes."""
+
+    access = factories.MailDomainAccessFactory()
+    mailbox = factories.MailboxFactory(domain=access.domain)
+
+    client = APIClient()
+    client.force_login(access.user)
+    response = client.get(
+        f"/api/v1.0/mail-domains/{mailbox.domain.slug}/mailboxes/{mailbox.pk}/"
+    )
+
+    assert response.status_code == status.HTTP_200_OK
+    assert response.json() == {
+        "id": str(mailbox.id),
+        "first_name": mailbox.first_name,
+        "last_name": mailbox.last_name,
+        "local_part": mailbox.local_part,
+        "secondary_email": mailbox.secondary_email,
+        "status": mailbox.status,
+    }
+
+
+def test_api_mailboxes__owner_not_authorized():
+    """Unauthorized mailbox owner should not be able to retrieve their mailbox."""
+    mailbox = factories.MailboxFactory()
+    user = core_factories.UserFactory(email=str(mailbox))
+
+    client = APIClient()
+    client.force_login(user)
+    response = client.get(
+        f"/api/v1.0/mail-domains/{mailbox.domain.slug}/mailboxes/{mailbox.pk}/"
+    )
+
+    assert response.status_code == status.HTTP_403_FORBIDDEN