From f11e32d0b50a7ff1d43e85a2833cb66e6e7b5c9a Mon Sep 17 00:00:00 2001
From: Tony Mack <tmack@paris.CS.Princeton.EDU>
Date: Wed, 10 Nov 2010 15:42:22 -0500
Subject: [PATCH] Use PLC.Person.can_update() to authorize. fix name error.

---
 PLC/Methods/UpdatePersonTag.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/PLC/Methods/UpdatePersonTag.py b/PLC/Methods/UpdatePersonTag.py
index e07f873c..1cfc6ac7 100644
--- a/PLC/Methods/UpdatePersonTag.py
+++ b/PLC/Methods/UpdatePersonTag.py
@@ -53,10 +53,10 @@ class UpdatePersonTag(Method):
         # check permission : it not admin, is the user affiliated with the right person
         if 'admin' not in self.caller['roles']:
             # check caller is affiliated with this person's person
-            if len(set(person['person_ids']) & set(self.caller['person_ids'])) == 0:
+            if not self.call.can_update(person):
                 raise PLCPermissionDenied, "Not a member of the person's persons: %s"%person['person_ids']
 
-            required_min_role = tag_type ['min_role_id']
+            required_min_role = person_tag['min_role_id']
             if required_min_role is not None and \
                     min(self.caller['role_ids']) > required_min_role:
                 raise PLCPermissionDenied, "Not allowed to modify the specified person setting, requires role %d",required_min_role
-- 
2.47.0