diff --git a/inc/config.php b/inc/config.php
index 410078d3..1437aa58 100644
--- a/inc/config.php
+++ b/inc/config.php
@@ -1187,12 +1187,47 @@
 	$config['mod']['news_custom'] = ADMIN;
 	// Delete news entries
 	$config['mod']['news_delete'] = ADMIN;
-
-	// Edit the current configuration (via web interface)
-	$config['mod']['edit_config'] = ADMIN;
-
 	// Execute un-filtered SQL queries on the database (?/debug/sql)
 	$config['mod']['debug_sql'] = DISABLED;
+	// Edit the current configuration (via web interface)
+	$config['mod']['edit_config'] = MOD;
+
+	// Config editor permissions
+	$config['mod']['config'] = array(
+		JANITOR => false,
+		MOD => false,
+		ADMIN => false,
+		DISABLED => false,
+	);
+
+	// Disable the following configuration variables from being changed via ?/config. The following default
+	// banned variables are considered somewhat dangerous.
+	$config['mod']['config'][DISABLED] = array(
+		'mod>config',
+		'mod>config_editor_php',
+		'convert_args',
+		'db>password',
+	);
+	
+	$config['mod']['config'][JANITOR] = array(
+		'!', // Allow editing ONLY the variables listed (in this case, nothing).
+	);
+	
+	$config['mod']['config'][MOD] = array(
+		'!', // Allow editing ONLY the variables listed (plus that in $config['mod']['config'][JANITOR]).
+		'global_message',
+	);
+	
+	// Example: Disallow ADMIN from editing (and viewing) $config['db']['password'].
+	// $config['mod']['config'][ADMIN] = array(
+	// 	'db>password',
+	// );
+	
+	// Example: Allow ADMIN to edit anything other than $config['db']
+	// (and $config['mod']['config'][DISABLED]).
+	// $config['mod']['config'][ADMIN] = array(
+	// 	'db',
+	// );
 
 /*
  * ====================
diff --git a/inc/mod/config-editor.php b/inc/mod/config-editor.php
index caca5a0e..27740378 100644
--- a/inc/mod/config-editor.php
+++ b/inc/mod/config-editor.php
@@ -1,5 +1,43 @@
 <?php
 
+function permission_to_edit_config_var($varname) {
+	global $config, $mod;
+
+	if (is_array($config['mod']['config'][DISABLED])) {
+		foreach ($config['mod']['config'][DISABLED] as $disabled_var_name) {
+			$disabled_var_name = explode('>', $disabled_var_name);
+			if (count($disabled_var_name) == 1)
+				$disabled_var_name = $disabled_var_name[0];
+			if ($varname == $disabled_var_name)
+				return false;
+		}
+	}
+	
+	$allow_only = false;
+	// for ($perm = (int)$mod['type']; $perm >= JANITOR; $perm --) {
+	for ($perm = JANITOR; $perm <= (int)$mod['type']; $perm ++) {
+		$allow_only = false;
+		if (is_array($config['mod']['config'][$perm])) {
+			foreach ($config['mod']['config'][$perm] as $perm_var_name) {
+				if ($perm_var_name == '!') {
+					$allow_only = true;
+					continue;
+				}
+				$perm_var_name = explode('>', $perm_var_name);
+				if ((count($perm_var_name) == 1 && $varname == $perm_var_name[0]) ||
+						(is_array($varname) && array_slice($varname, 0, count($perm_var_name)) == $perm_var_name)) {
+					if ($allow_only)
+						return true;
+					else
+						return false;
+				}
+			}
+		}
+	}
+	
+	return !$allow_only;
+}
+
 function config_vars() {
 	global $config;
 	
@@ -77,8 +115,8 @@ function config_vars() {
 							$already_exists = true;
 							
 					}
-					if (!$already_exists)
-					$conf[] = $var;
+					if (!$already_exists && permission_to_edit_config_var($var['name']))
+						$conf[] = $var;
 				}
 			}