From 2706dedaab6af2717627c454e014e2a7f211f82d Mon Sep 17 00:00:00 2001
From: Jaimos Skriletz <jaimosskriletz@gmail.com>
Date: Thu, 1 Aug 2024 13:44:25 -0600
Subject: [PATCH] Set default permissions to edit LTI secrets to admin level.

---
 conf/authen_LTI.conf.dist | 12 ++++++++++++
 conf/defaults.config      | 10 +++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/conf/authen_LTI.conf.dist b/conf/authen_LTI.conf.dist
index 114d762f02..d0e5e7f92b 100644
--- a/conf/authen_LTI.conf.dist
+++ b/conf/authen_LTI.conf.dist
@@ -194,6 +194,18 @@ $LTIMassUpdateInterval = 86400;    #in seconds
 	#'lms_context_id'
 );
 
+# By default only admin users can modify the LTI secrets and lms_context_id. The following
+# permissions need to be modified to allow other users the permission to modify the values.
+#$permissionLevels{'change_config_LTI{v1p1}{BasicConsumerSecret}'} = "admin",
+#$permissionLevels{'change_config_LTI{v1p3}{PlatformID}'}          = "admin",
+#$permissionLevels{'change_config_LTI{v1p3}{ClientID}'}            = "admin",
+#$permissionLevels{'change_config_LTI{v1p3}{DeploymentID}'}        = "admin",
+#$permissionLevels{'change_config_LTI{v1p3}{PublicKeysetURL}'}     = "admin",
+#$permissionLevels{'change_config_LTI{v1p3}{AccessTokenURL}'}      = "admin",
+#$permissionLevels{'change_config_LTI{v1p3}{AccessTokenAUD}'}      = "admin",
+#$permissionLevels{'change_config_LTI{v1p3}{AuthReqURL}'}          = "admin",
+#$permissionLevels{'change_config_lms_context_id'}                 = "admin",
+
 # Note that the lms_context_id is actually a database setting. It must be set for a course in
 # order for the instructor to utilize LTI content selection. This can also be set in the admin
 # course.
diff --git a/conf/defaults.config b/conf/defaults.config
index 6a3521b8ef..dcee6d80c0 100644
--- a/conf/defaults.config
+++ b/conf/defaults.config
@@ -873,7 +873,15 @@ $authen{admin_module} = ['WeBWorK::Authen::Basic_TheLastOption'];
 	# sufficient to change a configuration setting.
 
 	#change_config_courseTitle    => "admin",
-	change_config_lms_context_id => "admin",
+	change_config_lms_context_id                   => "admin",
+	'change_config_LTI{v1p1}{BasicConsumerSecret}' => "admin",
+	'change_config_LTI{v1p3}{PlatformID}'          => "admin",
+	'change_config_LTI{v1p3}{ClientID}'            => "admin",
+	'change_config_LTI{v1p3}{DeploymentID}'        => "admin",
+	'change_config_LTI{v1p3}{PublicKeysetURL}'     => "admin",
+	'change_config_LTI{v1p3}{AccessTokenURL}'      => "admin",
+	'change_config_LTI{v1p3}{AccessTokenAUD}'      => "admin",
+	'change_config_LTI{v1p3}{AuthReqURL}'          => "admin",
 
 	# Do not confuse the permission to change a configuration permission with
 	# the actual permission as in the following example. If this us uncommented,