From 8a6120a6e406f7f371c2041380935ea5d7291220 Mon Sep 17 00:00:00 2001
From: Ernesto Rico Schmidt <ernesto@helsinki.at>
Date: Tue, 13 Feb 2024 21:42:07 -0400
Subject: [PATCH] feat: check field level permission to display internal note

---
 program/serializers.py | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/program/serializers.py b/program/serializers.py
index 831802fd..e837ae4e 100644
--- a/program/serializers.py
+++ b/program/serializers.py
@@ -530,14 +530,11 @@ class ShowSerializer(serializers.HyperlinkedModelSerializer):
         ) + read_only_fields
 
     def get_internal_note(self, obj) -> str:
-        """Only members of the privileged group can see the internal note."""
+        """Only users with the permission can see the internal note."""
 
         user = self.context.get("request").user
 
-        if user.groups.filter(name=settings.PRIVILEGED_GROUP).exists():
-            return obj.internal_note
-        else:
-            return ""
+        return obj.internal_note if user and user.has_perm("display__show__internal_note") else ""
 
     def create(self, validated_data):
         """
-- 
GitLab