How it works...

Step 1 redefines the create() method. Before calling the base implementation of create(), our method uses the user_has_groups() method to check whether the user belongs to the library.group_library_manager group (this is the XML ID of the group). If this is not the case and a value is passed for manager_remarks, a UserError exception is raised, preventing the creation of the record. This check is performed before the base implementation is called.

Step 2 does the same thing for the write() method; before writing, we check the group and the presence of the field in the values to write and raise UserError if there is a problem.

Step 3 is a small bonus; the fields_get() method is used by the web client to query for the fields of the model and their properties. It returns a Python dictionary mapping field names to a dictionary of field attributes, such as the display string or the help string. What interests us is the readonly attribute, which we force to True if the user is not a library manager. This makes the field read-only in the web client, which spares unauthorized users from trying to edit it only to be faced with an error message.

Having the field set to read-only in the web client does not prevent RPC calls from writing it. This is why we also extend create() and write().
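The difference between the client-side flag and the server-side checks can be seen in the following added example, which is not the recipe's code. It does not import Odoo: `BaseModel`, `UserError`, `UiOnlyBook` and `rpc_write` are simplified stand-ins assumed here so the sketch runs on its own, and only the group XML ID and the `manager_remarks` field name come from the text.

```python
class UserError(Exception):          # stand-in for Odoo's UserError (assumption)
    pass

MANAGER = "library.group_library_manager"   # XML ID named in the text

class BaseModel:                     # simplified stand-in for the ORM base model
    def __init__(self, user_groups):
        self.user_groups, self.rows = set(user_groups), []
    def user_has_groups(self, group):
        return group in self.user_groups
    def create(self, values):
        self.rows.append(dict(values))
        return len(self.rows) - 1
    def write(self, row_id, values):
        self.rows[row_id].update(values)
        return True
    def fields_get(self):
        return {"name": {"readonly": False}, "manager_remarks": {"readonly": False}}

class UiOnlyBook(BaseModel):         # step 3 alone: read-only flag for the web client
    def fields_get(self):
        fields = super().fields_get()
        if not self.user_has_groups(MANAGER):
            fields["manager_remarks"]["readonly"] = True
        return fields

class LibraryBook(UiOnlyBook):       # steps 1 and 2 added: server-side checks
    def _check_remarks(self, values):
        if "manager_remarks" in values and not self.user_has_groups(MANAGER):
            raise UserError("You are not allowed to modify manager_remarks")
    def create(self, values):
        self._check_remarks(values)  # runs before the base implementation
        return super().create(values)
    def write(self, row_id, values):
        self._check_remarks(values)
        return super().write(row_id, values)

def rpc_write(model_cls, groups):
    """Simulate a direct RPC write that never consults fields_get()."""
    model = model_cls(groups)
    rec = model.create({"name": "constructed sample book"})
    try:
        model.write(rec, {"manager_remarks": "edited over RPC"})
    except UserError:
        return "blocked"
    return model.rows[rec]["manager_remarks"]

if __name__ == "__main__":
    for cls in (UiOnlyBook, LibraryBook):
        print(cls.__name__, "->", rpc_write(cls, []))
```

With only the fields_get() override, the write from a user outside the group is stored even though the field is reported as read-only; with create() and write() extended as well, the same call raises UserError.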