numerique-gouv · mjeammet · Sep 27, 2024 · Sep 27, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -18,6 +18,7 @@ and this project adheres to
 - 🥅(frontend) improve add & update group forms error handling #387
 - ✨(frontend) allow group members filtering #363
 - ✨(mailbox) send new mailbox confirmation email #397
+- ✨(domains) domain accesses update API #423
 
 ### Fixed
 

diff --git a/src/backend/mailbox_manager/api/serializers.py b/src/backend/mailbox_manager/api/serializers.py
@@ -2,11 +2,11 @@
 
 import json
 
-from rest_framework import serializers
+from rest_framework import exceptions, serializers
 
 from core.api.serializers import UserSerializer
 
-from mailbox_manager import enums, models
+from mailbox_manager import models
 from mailbox_manager.utils.dimail import DimailAPIClient
 
 
@@ -94,23 +94,29 @@ class Meta:
         read_only_fields = ["id", "user", "can_set_role_to"]
 
     def get_can_set_role_to(self, access):
-        """Return roles available to set"""
-        roles = list(enums.MailDomainRoleChoices)
-        # get role of authenticated user
-        authenticated_user_role = access.user_role
-        if authenticated_user_role != enums.MailDomainRoleChoices.OWNER:
-            roles.remove(enums.MailDomainRoleChoices.OWNER)
-        # if the user authenticated is a viewer, they can't modify role
-        # and only an owner can change role of an owner
-        if authenticated_user_role == enums.MailDomainRoleChoices.VIEWER or (
-            authenticated_user_role != enums.MailDomainRoleChoices.OWNER
-            and access.role == enums.MailDomainRoleChoices.OWNER
-        ):
-            return []
-        # we only want to return other roles available to change,
-        # so we remove the current role of current access.
-        roles.remove(access.role)
-        return sorted(roles)
+        """Return roles available to set for the authenticated user"""
+        return access.get_can_set_role_to(self.context.get("request").user)
+
+    def validate(self, attrs):
+        """
+        Check access rights specific to writing (update)
+        """
+        request = self.context.get("request")
+        authenticated_user = getattr(request, "user", None)
+        role = attrs.get("role")
+
+        # Update
+        if self.instance:
+            can_set_role_to = self.instance.get_can_set_role_to(authenticated_user)
+
+            if role and role not in can_set_role_to:
+                message = (
+                    f"You are only allowed to set role to {', '.join(can_set_role_to)}"
+                    if can_set_role_to
+                    else "You are not allowed to modify role for this user."
+                )
+                raise exceptions.PermissionDenied(message)
+        return attrs
 
 
 class MailDomainAccessReadOnlySerializer(MailDomainAccessSerializer):

diff --git a/src/backend/mailbox_manager/api/viewsets.py b/src/backend/mailbox_manager/api/viewsets.py
@@ -2,12 +2,12 @@
 
 from django.db.models import Subquery
 
-from rest_framework import filters, mixins, viewsets
+from rest_framework import exceptions, filters, mixins, viewsets
 from rest_framework import permissions as drf_permissions
 
 from core import models as core_models
 
-from mailbox_manager import models
+from mailbox_manager import enums, models
 from mailbox_manager.api import permissions, serializers
 
 
@@ -58,6 +58,7 @@ def perform_create(self, serializer):
 class MailDomainAccessViewSet(
     viewsets.GenericViewSet,
     mixins.ListModelMixin,
+    mixins.UpdateModelMixin,
     mixins.RetrieveModelMixin,
 ):
     """
@@ -66,6 +67,14 @@ class MailDomainAccessViewSet(
     GET /api/v1.0/mail-domains/<domain_slug>/accesses/:<domain_access_id>
         Return list of all domain accesses related to the logged-in user and one
         domain access if an id is provided.
+
+    PUT /api/v1.0/mail-domains/<domain_slug>/accesses/<domain_access_id>/ with expected data:
+        - role: str [owner|admin|viewer]
+        Return updated domain access
+
+    PATCH /api/v1.0/mail-domains/<domain_slug>/accesses/<domain_access_id>/ with expected data:
+        - role: str [owner|admin|viewer]
+        Return partially updated domain access
     """
 
     permission_classes = [drf_permissions.IsAuthenticated]
@@ -90,6 +99,7 @@ def get_serializer_context(self):
         """Extra context provided to the serializer class."""
         context = super().get_serializer_context()
         context["domain_slug"] = self.kwargs["domain_slug"]
+        context["authenticated_user"] = self.request.user
         return context
 
     def get_queryset(self):
@@ -118,6 +128,28 @@ def get_queryset(self):
             )
         return queryset
 
+    def perform_update(self, serializer):
+        """Check that we don't change the role if it leads to losing the last owner."""
+        instance = serializer.instance
+
+        # Check if the role is being updated and the new role is not "owner"
+        if (
+            "role" in self.request.data
+            and self.request.data["role"] != enums.MailDomainRoleChoices.OWNER
+        ):
+            domain = instance.domain
+            # Check if the access being updated is the last owner access for the domain
+            if (
+                instance.role == enums.MailDomainRoleChoices.OWNER
+                and domain.accesses.filter(
+                    role=enums.MailDomainRoleChoices.OWNER
+                ).count()
+                == 1
+            ):
+                message = "Cannot change the role to a non-owner role for the last owner access."
+                raise exceptions.PermissionDenied({"role": message})
+        serializer.save()
+
 
 class MailBoxViewSet(
     mixins.CreateModelMixin,

diff --git a/src/backend/mailbox_manager/models.py b/src/backend/mailbox_manager/models.py
@@ -47,7 +47,6 @@ def get_abilities(self, user):
         """
         Compute and return abilities for a given user on the domain.
         """
-        is_owner_or_admin = False
         role = None
 
         if user.is_authenticated:
@@ -103,6 +102,40 @@ class Meta:
     def __str__(self):
         return f"Access of user {self.user} on domain {self.domain}."
 
+    def get_can_set_role_to(self, user):
+        """Return roles available to set"""
+        if not user.is_authenticated:
+            return []
+        roles = list(MailDomainRoleChoices)
+        authenticated_user_role = None
+
+        # get role of authenticated user
+        if hasattr(self, "user_role"):
+            authenticated_user_role = self.user_role
+        else:
+            try:
+                authenticated_user_role = user.mail_domain_accesses.get(
+                    domain=self.domain
+                ).role
+            except (MailDomainAccess.DoesNotExist, IndexError):
+                return []
+
+        # only an owner can set an owner role
+        if authenticated_user_role != MailDomainRoleChoices.OWNER:
+            roles.remove(MailDomainRoleChoices.OWNER)
+
+        # if the user authenticated is a viewer, they can't modify role
+        # and only an owner can change role of an owner
+        if authenticated_user_role == MailDomainRoleChoices.VIEWER or (
+            authenticated_user_role != MailDomainRoleChoices.OWNER
+            and self.role == MailDomainRoleChoices.OWNER
+        ):
+            return []
+        # we only want to return other roles available to change,
+        # so we remove the current role of current access.
+        roles.remove(self.role)
+        return sorted(roles)
+
 
 class Mailbox(BaseModel):
     """Mailboxes for users from mail domain."""