I have a settings form generated with:
drupal_get_form('variable_module_form', 'this_site');

On this form I have options for two domains: Domain1 and Domain2.

I have a variable "Variable", which is available (and different) on both domains - let's say that in Domain1 Variable = v1, in Domain2 Variable=v2.

Now, I have a non-admin user who has access to this form (and only to this form). The user works on http://domain1/ .
On top of form she can change domain (Domain1 | Domain2), but the change doesn't change content of input field for Variable - it's still v1.

If user will work on http://domain2/ , she will always see value v2, regardless of domain selected on top of form.

For admin user, when admin changes from Domain1 to Domain2, the value changes from v1 to v2 and it works on whole site. Just edit form doesn't work properly.

Do I need to grant the user any additional permission? Or is it a bug?


GregSmith104’s picture

I am experiencing the same issue. Using the "Custom Permissions" module to provide access to a custom variable I've created and given access to a role to modify that variable. Problem is, at the top of the edit form is a menu "THERE ARE DOMAIN VARIABLES IN THIS FORM" that allow the user to change the variable on other domains.

I can hide that menu with CSS for now, but I assume this is a bug as domain access rules are not being followed.

bforchhammer’s picture

As far as I know we don't fiddle with access control; any #access checks defined in the form render array should still work the same way, so unless access checks are performed in some completely different way, I'm not sure why it wouldn't work. If this is indeed a problem with the domain variable module, it may actually need to be fixed in the variable module instead...

Sorry, I can't be of more help; I'd be happy to review a patch if someone wants to dig in. :)

seanB’s picture

Issue summary: View changes

I just took a look at this. The problem is in variable_realm_init(). This function only allows the switch of variable realms by query string parameters, if the permission administer site configuration is added to the user.

There are several issues created for the variable module:

I seems the maintainer is affraid there could be security issues when using other/custom permissions. It could be solved by implementing your own hook init without the permission (or with a custom one).

function yourmodule_init() {  
  if (arg(0) == 'admin' && (arg(3) != 'variable' || arg(4) != 'realm') && ($params = variable_realm_params()) && user_access('[CUSTOM-PERMISSION]')) {  
    foreach ($params as $realm_name => $realm_key) {  
      variable_realm_switch($realm_name, $realm_key, FALSE);