From b79e12b4be82a25ad23814d7d05f67b17f207d70 Mon Sep 17 00:00:00 2001
From: Marie PUPO JEAMMET <marie.pupojeammet@numerique.gouv.fr>
Date: Mon, 13 Oct 2025 19:26:55 +0200
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8(aliases)=20list=20aliases?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Can GET a list of all aliases of a domain
---
 .../mailbox_manager/api/client/viewsets.py    |  1 +
 .../api/aliases/test_api_aliases_list.py      | 62 +++++++++++++++++++
 2 files changed, 63 insertions(+)
 create mode 100644 src/backend/mailbox_manager/tests/api/aliases/test_api_aliases_list.py

diff --git a/src/backend/mailbox_manager/api/client/viewsets.py b/src/backend/mailbox_manager/api/client/viewsets.py
index c7d81be..9b28fdc 100644
--- a/src/backend/mailbox_manager/api/client/viewsets.py
+++ b/src/backend/mailbox_manager/api/client/viewsets.py
@@ -396,6 +396,7 @@ class MailDomainInvitationViewset(
 
 class AliasViewSet(
     mixins.CreateModelMixin,
+    mixins.ListModelMixin,
     viewsets.GenericViewSet,
 ):
     """API ViewSet for aliases.
diff --git a/src/backend/mailbox_manager/tests/api/aliases/test_api_aliases_list.py b/src/backend/mailbox_manager/tests/api/aliases/test_api_aliases_list.py
new file mode 100644
index 0000000..cf50b13
--- /dev/null
+++ b/src/backend/mailbox_manager/tests/api/aliases/test_api_aliases_list.py
@@ -0,0 +1,62 @@
+"""
+Tests for aliases API endpoint in People's app mailbox_manager.
+Focus on "list" action.
+"""
+
+import pytest
+from rest_framework import status
+from rest_framework.test import APIClient
+
+from core import factories as core_factories
+
+from mailbox_manager import enums, factories
+
+pytestmark = pytest.mark.django_db
+
+
+def test_api_aliases_list__anonymous():
+    """Anonymous user should not be able to list aliases"""
+    domain = factories.MailDomainEnabledFactory()
+    factories.AliasFactory.create_batch(3, domain=domain)
+
+    response = APIClient().get(
+        f"/api/v1.0/mail-domains/{domain.slug}/aliases/",
+    )
+    assert response.status_code == status.HTTP_401_UNAUTHORIZED
+
+
+def test_api_aliases_list__no_access_forbidden():
+    """User authenticated but not having domain permission should not list aliases."""
+    factories.MailDomainAccessFactory()  # access to another domain
+    domain = factories.MailDomainEnabledFactory()
+    factories.AliasFactory.create_batch(3, domain=domain)
+
+    client = APIClient()
+    client.force_login(core_factories.UserFactory())
+    response = client.get(
+        f"/api/v1.0/mail-domains/{domain.slug}/aliases/",
+    )
+    assert response.status_code == status.HTTP_403_FORBIDDEN
+
+
+@pytest.mark.parametrize(
+    "role",
+    [
+        enums.MailDomainRoleChoices.OWNER,
+        enums.MailDomainRoleChoices.ADMIN,
+        enums.MailDomainRoleChoices.VIEWER,
+    ],
+)
+def test_api_aliases_list__authorized_ok(role):
+    """Domain viewers and admins should be able to list aliases."""
+    access = factories.MailDomainAccessFactory(role=role)
+    factories.AliasFactory.create_batch(2, local_part="support", domain=access.domain)
+    factories.AliasFactory.create_batch(3, domain=access.domain)
+
+    client = APIClient()
+    client.force_login(access.user)
+    response = client.get(
+        f"/api/v1.0/mail-domains/{access.domain.slug}/aliases/",
+    )
+    assert response.status_code == status.HTTP_200_OK
+    assert response.json()["count"] == 5