Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-73558

Change password URLs and external authentication



    • Improvement
    • Resolution: Unresolved
    • Minor
    • None
    • 4.0
    • Authentication
    • None


      The implementation of MDL-66776 will expose Moodle's change password functionality to users who haven't previously interacted with it much, or at all. For those of us who use external authentication systems such as LDAP or CAS we've never had to worry about those values.

      Consider this scenario:

      • Site uses LDAP for authentication
      • Site does not allow users to change their password within Moodle, so "Use standard page for changing password" is set to "No". The "Password-change URL" is empty. "Forgotten password URL" in "Manage authentication" is set to an external system that manages credentials.

      In this scenario, you would probably want the Forgotten password URL returned, but what you'll get is a link to the user preferences page (I've included flowcharts explaining the workflow as I understand it). This is why:

      • Moodle returns the user preference link by default.
      • Moodle checks with the auth plugin if it can change the password. In the case of LDAP, it says yes if "Use standard page for changing password" is set to "Yes" or "Password-change URL" isn't empty. Otherwise, it returns false.
      • On false, Moodle uses the preference link.

      If the administrator sets the Password-change URL to the external system, then nothing is returned at all, because the having determined that the password can be changed, change_password_url() returns NULL if "Use standard page for changing password" is empty.

      I think the workflow for new login notifications should include the Forgotten password URL.


        Issue Links



              Unassigned Unassigned
              cfulton Charles Fulton
              8 Vote for this issue
              9 Start watching this issue