From 76e4afbea5353a0773f89b4329b10f646092b56f Mon Sep 17 00:00:00 2001
From: George Katsikas <giorgakis.katsikas@gmail.com>
Date: Tue, 26 Mar 2024 09:37:01 +0100
Subject: [PATCH] use manager in notes list to handle visibility

---
 scipost_django/pins/views.py | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/scipost_django/pins/views.py b/scipost_django/pins/views.py
index ebc7e54eb..1f56bd61c 100644
--- a/scipost_django/pins/views.py
+++ b/scipost_django/pins/views.py
@@ -69,10 +69,8 @@ def _hx_notes_list(request, regarding_content_type, regarding_object_id):
     # Handle permission checks for viewing and creating notes
     can_create_notes = request.user.has_perm("pins.can_add_notes")
 
-    # Filter non-author users from viewing private notes
-    notes = notes.exclude(
-        Q(visibility=Note.VISIBILITY_PRIVATE) & ~Q(author=request.user.contributor)
-    )
+    # Filter according to the visibility of the notes
+    notes = notes.visible_to(request.user, object)
 
     # Filter out internal notes unless the user has the default "manager"
     # permission for the given object, e.g. "can_manage_subsidies"
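Review bot: The `object` passed to `notes.visible_to(request.user, object)` is not bound anywhere in this hunk, and because `object` is also a Python builtin, a missing or misspelled local would not raise a NameError but would silently hand the builtin class to the visibility filter. The body of `_hx_notes_list` starts outside the hunk, so the local is presumably assigned earlier; renaming it at its assignment and here, for instance `notes = notes.visible_to(request.user, regarding_object)`, would make such a mistake fail loudly. The explicit private-note exclusion is removed and the rule now lives in the manager method, which this patch does not show, so it cannot be confirmed from here that non-authors are still excluded or how a user without a `contributor` is handled. A view test asserting that a non-author does not get another user's private note in this list would pin the access-control behaviour.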
-- 
GitLab