Step 1 redefines the create() method. Before calling the base implementation of create(), our method uses the user_has_groups() method to check whether the user belongs to the my_library.group_librarian group (this is the XML ID of the group). If this is not the case and a value is passed for manager_remarks, a UserError exception is raised, preventing the creation of the record.
Step 2 does the same thing for the write() method; before writing, we check the group and the presence of the field in the values to write and raise a UserError if there is a problem.
Having the field set to read-only in the web client does not prevent RPC calls from writing it. This is why we extend create() and write().
To test this implementation, you can log in as a demo user or revoke librarian access from the current user.
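The following added example (not code from the original recipe, and not Odoo's own classes) simulates why the check must live in create() and write(): an RPC call reaches the model methods directly, so a read-only attribute in the view never applies. `BaseModel`, `rpc_call`, `_check_manager_remarks`, the error message and the sample records are constructed stand-ins; only `user_has_groups()`, `UserError`, `manager_remarks` and `my_library.group_librarian` come from the text above.

```python
# Simplified stand-in for the Odoo ORM (assumption, not Odoo's own classes).
class UserError(Exception):
    pass


class BaseModel:
    """Stand-in base model: stores records and knows the caller's groups."""

    def __init__(self, user_groups):
        self.user_groups = set(user_groups)
        self.records = {}

    def user_has_groups(self, group_xml_id):
        return group_xml_id in self.user_groups

    def create(self, values):
        rec_id = len(self.records) + 1
        self.records[rec_id] = dict(values)
        return rec_id

    def write(self, rec_id, values):
        self.records[rec_id].update(values)
        return True


class LibraryBook(BaseModel):
    def _check_manager_remarks(self, values):
        # Hypothetical helper shared by create() and write().
        if ('manager_remarks' in values and
                not self.user_has_groups('my_library.group_librarian')):
            raise UserError('You are not allowed to modify manager_remarks')

    def create(self, values):
        self._check_manager_remarks(values)   # check first, then base create
        return super().create(values)

    def write(self, rec_id, values):
        self._check_manager_remarks(values)   # check first, then base write
        return super().write(rec_id, values)


def rpc_call(model, method, *args):
    """Constructed RPC dispatcher: calls the model method directly,
    so no view-level read-only attribute is ever consulted."""
    try:
        return getattr(model, method)(*args)
    except UserError as exc:
        return 'denied: %s' % exc
```
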