✨(api) retrieve mailboxes

add feature to retrieve mailboxes when having the right access

src/backend/mailbox_manager/api/client/serializers.py

@@ -83,7 +83,7 @@ class MailboxUpdateSerializer(MailboxSerializer):
             "secondary_email",
             "status",
         ]
-        read_only_fields = ("id", "status", "local_part", "status")
+        read_only_fields = ("id", "local_part", "status")
 
 
 class MailDomainSerializer(serializers.ModelSerializer):

src/backend/mailbox_manager/api/client/viewsets.py

@@ -232,6 +232,7 @@ class MailBoxViewSet(
     mixins.CreateModelMixin,
     mixins.ListModelMixin,
     mixins.UpdateModelMixin,
+    mixins.RetrieveModelMixin,
 ):
     """MailBox ViewSet
 

src/backend/mailbox_manager/api/permissions.py

@@ -1,5 +1,7 @@
 """Permission handlers for the People mailbox manager app."""
 
+from rest_framework import permissions
+
 from core.api import permissions as core_permissions
 
 from mailbox_manager import models
@@ -24,7 +26,7 @@ class MailBoxPermission(AccessPermission):
         return abilities.get(request.method.lower(), False)
 
 
-class IsMailboxOwnerPermission(core_permissions.IsAuthenticated):
+class IsMailboxOwnerPermission(permissions.BasePermission):
     """Authorize update for domain viewers on their own mailbox."""
 
     def has_permission(self, request, view):

src/backend/mailbox_manager/tests/api/mailboxes/test_api_mailboxes_retrieve.py

@@ -35,3 +35,47 @@ def test_api_mailboxes__retrieve_unauthorized_failure():
 
     assert response.status_code == status.HTTP_403_FORBIDDEN
     # 403 or 404 for confidentiality/security purposes ?
+
+    # response should be the same whether the mailbox exists or not, so that
+    # unauthorized users can't deduce mailbox existence or nonexistence
+    response = client.get(
+        f"/api/v1.0/mail-domains/{mailbox.domain.slug}/mailboxes/thismailboxdoesntexist/"
+    )
+    assert response.status_code == status.HTTP_403_FORBIDDEN
+
+
+def test_api_mailboxes__retrieve_authorized_ok():
+    """Authorized users should be able to retrieve mailboxes."""
+
+    access = factories.MailDomainAccessFactory()
+    mailbox = factories.MailboxFactory(domain=access.domain)
+
+    client = APIClient()
+    client.force_login(access.user)
+    response = client.get(
+        f"/api/v1.0/mail-domains/{mailbox.domain.slug}/mailboxes/{mailbox.pk}/"
+    )
+
+    assert response.status_code == status.HTTP_200_OK
+    assert response.json() == {
+        "id": str(mailbox.id),
+        "first_name": mailbox.first_name,
+        "last_name": mailbox.last_name,
+        "local_part": mailbox.local_part,
+        "secondary_email": mailbox.secondary_email,
+        "status": mailbox.status,
+    }
+
+
+def test_api_mailboxes__owner_not_authorized():
+    """Unauthorized mailbox owner should not be able to retrieve their mailbox."""
+    mailbox = factories.MailboxFactory()
+    user = core_factories.UserFactory(email=str(mailbox))
+
+    client = APIClient()
+    client.force_login(user)
+    response = client.get(
+        f"/api/v1.0/mail-domains/{mailbox.domain.slug}/mailboxes/{mailbox.pk}/"
+    )
+
+    assert response.status_code == status.HTTP_403_FORBIDDEN