The implementation of MDL-66776 will expose Moodle's change password functionality to users who haven't previously interacted with it much, or at all. Those of us who use external authentication systems such as LDAP or CAS have never had to worry about those values.
Consider this scenario:
- Site uses LDAP for authentication
- Site does not allow users to change their password within Moodle, so "Use standard page for changing password" is set to "No". The "Password-change URL" is empty. "Forgotten password URL" in "Manage authentication" is set to an external system that manages credentials.
In this scenario, you would probably want the Forgotten password URL returned, but what you'll get is a link to the user preferences page (I've included flowcharts explaining the workflow as I understand it). This is why:
- Moodle returns the user preference link by default.
- Moodle checks with the auth plugin if it can change the password. In the case of LDAP, it says yes if "Use standard page for changing password" is set to "Yes" or "Password-change URL" isn't empty. Otherwise, it returns false.
- On false, Moodle uses the preference link.
If the administrator sets the Password-change URL to the external system, then nothing is returned at all, because, once Moodle has determined that the password can be changed, change_password_url() returns NULL if "Use standard page for changing password" is empty.
I think the workflow for new login notifications should include the Forgotten password URL.