WIP notes permissions

app/controllers/notes_controller.rb

@@ -30,6 +30,8 @@ class NotesController < ApplicationController
 
     # Enforce that students and externals can only add notes with
     # 'group_members' access.
+    #
+    # TODO: Needs to be instead based on permissions
     prms[:access_level] = :group_members\
       if current_user.role_student? || current_user.external?