From 5ddaee767892d5bb91c51a1e5bd2fe64ffb1efeb Mon Sep 17 00:00:00 2001
From: Iglocska
Date: Mon, 18 Jan 2016 15:37:07 +0100
Subject: [PATCH] Fix to an invalid permission lookup denying users from mass deleting attributes due to a copy pasta fail
---
 app/Controller/AttributesController.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/app/Controller/AttributesController.php b/app/Controller/AttributesController.php
index 20abac73a..df3def602 100755
--- a/app/Controller/AttributesController.php
+++ b/app/Controller/AttributesController.php
@@ -941,11 +941,10 @@ class AttributesController extends AppController {
 'recursive' => -1,
 'fields' => array('id', 'orgc_id', 'user_id')
 ));
- if ($event['Event']['orgc_id'] != $this->Auth->user('org_id') || (!$this->userRole['perm_modify_org_id'] && !($this->userRole['perm_modify'] && $event['Event']['user_id'] == $this->Auth->user('id')))) {
+ if ($event['Event']['orgc_id'] != $this->Auth->user('org_id') || (!$this->userRole['perm_modify_org'] && !($this->userRole['perm_modify'] && $event['Event']['user_id'] == $this->Auth->user('id')))) {
 throw new MethodNotAllowedException('Invalid Event.');
 }
 }
-
 // find all attributes from the ID list that also match the provided event ID.
 $attributes = $this->Attribute->find('all', array(
 'recursive' => -1,
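Review bot: The corrected condition on the `if` line still spells the ownership rule inline with raw `$this->userRole[...]` lookups, which is how the misspelled `perm_modify_org_id` key went unnoticed: a missing array key reads as null in PHP, so `!$this->userRole['perm_modify_org_id']` was always true and the check silently denied org-level modifiers. That failed closed here, but the same kind of typo in a check written the other way round could fail open, so I would move this rule into one helper shared with the other attribute actions (if the controller already has one outside this hunk, call it) and cover mass delete with a test for a `perm_modify_org` user who does not own the event. At minimum add a comment above the `if`, e.g. `// Only the creator org may delete: needs perm_modify_org, or perm_modify on an event the user created.` The enclosing method and the block closed by the second `}` start outside the hunk, so whether site admins skip this check is not visible here.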