You can currently set a sitepolicy as a url people need to read when they first login and agree too. This is ok but it is:

a) very simple with no scope for more complex rules like how to version the policy and under what conditions to invalidate the agreement (eg every year regardless of wether it's changed)

b) the use of an external url inside an iframe isn't great. There are other trackers like MDL-46553 to improve on this

c) we've implemented a couple plugins for different clients who have replaced this with something much more nuanced, like needing to complete a course or an activity, or they need to fill out some other extra form or profile fields but we don't want that form up front on the self enrollment page.

Some sitepolocy logic is also tightly coupled with the email authentication plugin which should be untangled.

This seems like another good candidate for a new family of related callbacks so that we can write plugins to intercept this whole flow. It should also be possible to chain several of them together, either because some will only fire under certain conditions or we want the student to go through a couple unrelated stages.

So I haven't completely worked through what the cleanest api would be, but we'd want some sort of callback probably inside require_login which returns a temporary alternate wants url where they go do something and then come back. And a second callback inside user_not_fully_set_up() which also gets passed the strict flag.

Then finally the existing sitepolicy code can be cleaned up and refactored into a standalone plugin, probably an admin tool.