Fixes #11320: Provide a way to disable the raw configuration management.

adm_config_delete.php

@@ -31,10 +31,10 @@
 	$f_project_id = gpc_get_int( 'project_id' );
 	$f_config_option = gpc_get_string( 'config_option' );
 
-	if ( $f_project_id == ALL_PROJECTS ) {
-		access_ensure_global_level( config_get( 'set_configuration_threshold' ) );
-	} else {
-		access_ensure_project_level( config_get( 'set_configuration_threshold' ), $f_project_id );
+	access_ensure_global_level( config_get( 'set_configuration_threshold' ) );
+
+	if ( $f_project_id != ALL_PROJECTS ) {
+		project_ensure_exists( $f_project_id );
 	}
 
 	helper_ensure_confirmed( lang_get( 'delete_config_sure_msg' ), lang_get( 'delete_link' ) );

adm_config_report.php

@@ -25,7 +25,9 @@
 	  */
 	require_once( 'core.php' );
 
-	access_ensure_project_level( config_get( 'view_configuration_threshold' ) );
+	access_ensure_global_level( config_get( 'view_configuration_threshold' ) );
+
+	$t_read_write_access = access_has_global_level( config_get('set_configuration_threshold' ) );
 
 	html_page_top( lang_get( 'configuration_report' ) );
 
@@ -121,9 +123,11 @@ function print_config_value_as_string( $p_type, $p_value ) {
 			<td class="center">
 				<?php echo lang_get( 'access_level' ) ?>
 			</td>
+<?php if ( $t_read_write_access ): ?>
 			<td class="center">
 				<?php echo lang_get( 'actions' ) ?>
 			</td>
+<?php endif; ?>
 		</tr>
 <?php
 	while ( $row = db_fetch_array( $result ) ) {
@@ -150,6 +154,7 @@ function print_config_value_as_string( $p_type, $p_value ) {
 			<td class="center">
 				<?php echo get_enum_element( 'access_levels', $v_access_reqd ) ?>
 			</td>
+			<?php if ( $t_read_write_access ): ?>
 			<td class="center">
 				<?php
 					if ( config_can_delete( $v_config_id ) ) {
@@ -159,13 +164,14 @@ function print_config_value_as_string( $p_type, $p_value ) {
 					}
 				?>
 			</td>
+			<?php endif; ?>
 		</tr>
 <?php
 	} # end for loop
 ?>
 </table>
 <?php
-    if ( access_has_global_level( config_get('set_configuration_threshold' ) ) ) {
+    if ( $t_read_write_access ) {
 ?>
 <br />
 <!-- Config Set Form -->

adm_config_set.php

@@ -40,11 +40,10 @@
 		trigger_error( ERROR_EMPTY_FIELD, ERROR );
 	}
 
-	if ( $f_project_id == ALL_PROJECTS ) {
-		access_ensure_global_level( config_get('set_configuration_threshold' ) );
-	} else {
+	access_ensure_global_level( config_get( 'set_configuration_threshold' ) );
+
+	if ( $f_project_id != ALL_PROJECTS ) {
 		project_ensure_exists( $f_project_id );
-		access_ensure_project_level( config_get('set_configuration_threshold' ), $f_project_id );
 	}
 
 	# make sure that configuration option specified is a valid one.

adm_permissions_report.php

@@ -26,7 +26,7 @@
 	  */
 	require_once( 'core.php' );
 
-	access_ensure_project_level( config_get( 'view_configuration_threshold' ) );
+	access_ensure_project_level( config_get( 'manage_configuration_threshold' ) );
 
 	html_page_top( lang_get( 'permissions_summary_report' ) );
 

config_defaults_inc.php

@@ -2762,6 +2762,12 @@
  */
 $g_csv_separator = ',';
 
+/**
+ * The threshold required for users to be able to manage configuration of a project.
+ * This includes workflow, email notifications, columns to view, and others.
+ */
+$g_manage_configuration_threshold = MANAGER;
+
 /**
  * threshold for users to view the system configurations
  * @global int $g_view_configuration_threshold

core/html_api.php

@@ -926,6 +926,7 @@ function print_manage_menu( $p_page = '' ) {
 	$t_manage_custom_field_page = 'manage_custom_field_page.php';
 	$t_manage_plugin_page = 'manage_plugin_page.php';
 	$t_manage_config_page = 'adm_config_report.php';
+	$t_permissions_summary_report = 'adm_permissions_report.php';
 	$t_manage_prof_menu_page = 'manage_prof_menu_page.php';
 	$t_manage_tags_page = 'manage_tags_page.php';
 
@@ -942,6 +943,9 @@ function print_manage_menu( $p_page = '' ) {
 		case $t_manage_config_page:
 			$t_manage_config_page = '';
 			break;
+		case $t_permissions_summary_report:
+			$t_permissions_summary_report = '';
+			break;
 		case $t_manage_plugin_page:
 			$t_manage_plugin_page = '';
 			break;
@@ -972,8 +976,15 @@ function print_manage_menu( $p_page = '' ) {
 	if( access_has_global_level( config_get( 'manage_plugin_threshold' ) ) ) {
 		print_bracket_link( helper_mantis_url( $t_manage_plugin_page ), lang_get( 'manage_plugin_link' ) );
 	}
-	if( access_has_project_level( config_get( 'view_configuration_threshold' ) ) ) {
-		print_bracket_link( helper_mantis_url( $t_manage_config_page ), lang_get( 'manage_config_link' ) );
+
+	if ( access_has_project_level( config_get( 'manage_configuration_threshold' ) ) ) {
+		if ( access_has_global_level( config_get( 'view_configuration_threshold' ) ) ) {
+			$t_config_page = $t_manage_config_page;
+		} else {
+			$t_config_page = $t_permissions_summary_report;
+		}
+
+		print_bracket_link( helper_mantis_url( $t_config_page ), lang_get( 'manage_config_link' ) );
 	}
 
 	# Plugin / Event added options
@@ -1034,16 +1045,21 @@ function print_manage_config_menu( $p_page = '' ) {
 			break;
 	}
 
-	echo '<br /><div align="center">';
-	if( access_has_project_level( config_get( 'view_configuration_threshold' ) ) ) {
-		print_bracket_link( helper_mantis_url( $t_configuration_report ), lang_get_defaulted( 'configuration_report' ) );
+	if ( access_has_project_level( config_get( 'manage_configuration_threshold' ) ) ) {
+		echo '<br /><div align="center">';
+
+		if ( access_has_global_level( config_get( 'view_configuration_threshold' ) ) ) {
+			print_bracket_link( helper_mantis_url( $t_configuration_report ), lang_get_defaulted( 'configuration_report' ) );
+		}
+
 		print_bracket_link( helper_mantis_url( $t_permissions_summary_report ), lang_get( 'permissions_summary_report' ) );
 		print_bracket_link( helper_mantis_url( $t_manage_work_threshold ), lang_get( 'manage_threshold_config' ) );
 		print_bracket_link( helper_mantis_url( $t_manage_workflow ), lang_get( 'manage_workflow_config' ) );
 		print_bracket_link( helper_mantis_url( $t_manage_email ), lang_get( 'manage_email_config' ) );
 		print_bracket_link( $t_manage_columns, lang_get( 'manage_columns_config' ) );
+
+		echo '</div>';
 	}
-	echo '</div>';
 }
 
 /**

docbook/adminguide/en/configuration.sgml

@@ -2206,6 +2206,32 @@
                     </warning>
                 </listitem>
             </varlistentry>
+            <varlistentry>
+                <term>$g_manage_configuration_threshold</term>
+                <listitem>
+                    <para>The threshold required for users to be able to manage configuration of a project.
+                        This includes workflow, email notifications, columns to view, and others.  Default is MANAGER.
+                    </para>
+                </listitem>
+            </varlistentry>
+            <varlistentry>
+                <term>$g_view_configuration_threshold</term>
+                <listitem>
+                    <para>Threshold for users to view the raw system configurations as stored in the database.
+                        Default is DEVELOPER.
+                    </para>
+                </listitem>
+            </varlistentry>
+            <varlistentry>
+                <term>$g_set_configuration_threshold</term>
+                <listitem>
+                    <para>Threshold for users to set the system configurations generically via MantisBT web interface.
+                        WARNING: Users who have access to set configuration via the interface MUST be trusted.  This is due
+                        to the fact that such users can set configurations to PHP code and hence there can be a security
+                        risk if such users are not trusted.
+                    </para>
+                </listitem>
+            </varlistentry>
         </variablelist>
     </section>