diff --git a/sites/backend/src/models/person.mjs b/sites/backend/src/models/person.mjs
index 1c840b93bdb..025eff4b738 100644
--- a/sites/backend/src/models/person.mjs
+++ b/sites/backend/src/models/person.mjs
@@ -175,10 +175,8 @@ PersonModel.prototype.unsafeUpdate = async function ({ params, body, user }) {
   await this.read({ id: parseInt(params.id) })
   if (user.uid !== this.record.userId) return this.setResponse(403, 'accessDenied')
   const data = {}
-  const notes = []
   /*
   img       String?
-  public    Boolean   @default(false)
   */
   // Imperial
   if (body.imperial === true || body.imperial === false) data.imperial = body.imperial
@@ -191,11 +189,11 @@ PersonModel.prototype.unsafeUpdate = async function ({ params, body, user }) {
   // Measurements
   const measies = {}
   if (typeof body.measies === 'object') {
-    for (const [key, val] of body.measies) {
+    for (const [key, val] of Object.entries(body.measies)) {
       if (this.config.measies.includes(key) && typeof val === 'number' && val > 0)
         measies[key] = val
     }
-    data.measies = { ...this.record.measies, ...measies }
+    data.measies = { ...this.clear.measies, ...measies }
   }
 
   // Image (img)
diff --git a/sites/backend/src/models/user.mjs b/sites/backend/src/models/user.mjs
index cab3c2c2970..5a6db2b4ac1 100644
--- a/sites/backend/src/models/user.mjs
+++ b/sites/backend/src/models/user.mjs
@@ -319,8 +319,8 @@ UserModel.prototype.safeUpdate = async function (data) {
  * so we can't be certain it's safe
  */
 UserModel.prototype.unsafeUpdate = async function (body) {
+  if (user.level < 3) return this.setResponse(403, 'insufficientAccessLevel')
   const data = {}
-  const notes = []
   // Bio
   if (typeof body.bio === 'string') data.bio = body.bio
   // Consent
diff --git a/sites/backend/tests/person.mjs b/sites/backend/tests/person.mjs
index 0342c679b29..b717ce5d63d 100644
--- a/sites/backend/tests/person.mjs
+++ b/sites/backend/tests/person.mjs
@@ -1,15 +1,4 @@
 import { cat } from './cat.mjs'
-/*
-  id        Int       @id @default(autoincrement())
-  createdAt DateTime  @default(now())
-  name      String    @default("")
-  notes     String    @default("")
-  user      User      @relation(fields: [userId], references: [id])
-  userId    Int
-  measies   String    @default("{}")
-  Pattern   Pattern[]
-  public    Boolean   @default(false)
-*/
 
 export const personTests = async (chai, config, expect, store) => {
   const data = {
@@ -69,10 +58,10 @@ export const personTests = async (chai, config, expect, store) => {
             store.person[auth] = res.body.person
             done()
           })
-      })
+      }).timeout(5000)
 
       for (const field of ['name', 'notes']) {
-        it(`${store.icon('person', auth)} Should update the ${field} (${auth})`, (done) => {
+        it(`${store.icon('person', auth)} Should update the ${field} field (${auth})`, (done) => {
           const data = {}
           const val = store.person[auth][field] + '_updated'
           data[field] = val
@@ -98,6 +87,72 @@ export const personTests = async (chai, config, expect, store) => {
             })
         })
       }
+
+      for (const field of ['imperial', 'public']) {
+        it(`${store.icon('person', auth)} Should update the ${field} field (${auth})`, (done) => {
+          const data = {}
+          const val = false
+          data[field] = val
+          chai
+            .request(config.api)
+            .put(`/people/${store.person[auth].id}/${auth}`)
+            .set(
+              'Authorization',
+              auth === 'jwt'
+                ? 'Bearer ' + store.account.token
+                : 'Basic ' +
+                    new Buffer(
+                      `${store.account.apikey.key}:${store.account.apikey.secret}`
+                    ).toString('base64')
+            )
+            .send(data)
+            .end((err, res) => {
+              expect(err === null).to.equal(true)
+              expect(res.status).to.equal(200)
+              expect(res.body.result).to.equal(`success`)
+              expect(res.body.person[field]).to.equal(val)
+              done()
+            })
+        })
+      }
+
+      for (const field of ['chest', 'neck', 'ankle']) {
+        it(`${store.icon(
+          'person',
+          auth
+        )} Should update the ${field} measurement (${auth})`, (done) => {
+          const data = { measies: {} }
+          const val = Math.ceil(Math.random() * 1000)
+          data.measies[field] = val
+          chai
+            .request(config.api)
+            .put(`/people/${store.person[auth].id}/${auth}`)
+            .set(
+              'Authorization',
+              auth === 'jwt'
+                ? 'Bearer ' + store.account.token
+                : 'Basic ' +
+                    new Buffer(
+                      `${store.account.apikey.key}:${store.account.apikey.secret}`
+                    ).toString('base64')
+            )
+            .send(data)
+            .end((err, res) => {
+              expect(err === null).to.equal(true)
+              expect(res.status).to.equal(200)
+              expect(res.body.result).to.equal(`success`)
+              expect(res.body.person.measies[field]).to.equal(val)
+              done()
+            })
+        })
+      }
     })
+
+    // TODO:
+    // - Add non-existing measurement
+    // - Clear measurement
+    // - List/get person
+    // - Clone person
+    // - Clone person accross accounts of they are public
   }
 }