✨(api) give update rights to domain viewer on own mailbox

Introduces the notion of self in permissions allowing a domain viewer to update their own mailbox.
2025-07-09 16:00:00 +02:00
parent e45cf8dd8b
commit 72e73bff45
6 changed files with 126 additions and 67 deletions
--- a/src/backend/mailbox_manager/api/client/viewsets.py
+++ b/src/backend/mailbox_manager/api/client/viewsets.py
@@ -274,6 +274,17 @@ class MailBoxViewSet(
            return self.queryset.filter(domain__slug=domain_slug)
        return self.queryset

+    def get_permissions(self):
+        """Add a specific permission for domain viewers to update their own mailbox."""
+        if self.action in ["update", "partial_update"]:
+            permission_classes = [
+                permissions.MailBoxPermission | permissions.IsMailboxOwnerPermission
+            ]
+        else:
+            return super().get_permissions()
+
+        return [permission() for permission in permission_classes]
+
    def get_serializer_class(self):
        """Chooses list or detail serializer according to the action."""
        if self.action in {"update", "partial_update"}:
--- a/src/backend/mailbox_manager/api/permissions.py
+++ b/src/backend/mailbox_manager/api/permissions.py
@@ -14,7 +14,7 @@ class AccessPermission(core_permissions.IsAuthenticated):
        return abilities.get(request.method.lower(), False)


-class MailBoxPermission(core_permissions.IsAuthenticated):
+class MailBoxPermission(AccessPermission):
    """Permission class to manage mailboxes for a mail domain"""

    def has_permission(self, request, view):
@@ -23,10 +23,19 @@ class MailBoxPermission(core_permissions.IsAuthenticated):
        abilities = domain.get_abilities(request.user)
        return abilities.get(request.method.lower(), False)

+
+class IsMailboxOwnerPermission(core_permissions.IsAuthenticated):
+    """Authorize update for domain viewers on their own mailbox."""
+
+    def has_permission(self, request, view):
+        """This permission is specifically about updates"""
+        domain = models.MailDomain.objects.get(slug=view.kwargs.get("domain_slug", ""))
+        abilities = domain.get_abilities(request.user)
+        return abilities["get"]
+
    def has_object_permission(self, request, view, obj):
-        """Check permission for a given object."""
-        abilities = obj.get_abilities(request.user)
-        return abilities.get(request.method.lower(), False)
+        """If the user is trying to update their own mailbox."""
+        return obj.get_email() == request.user.email


 class MailDomainAccessRolePermission(core_permissions.IsAuthenticated):