For starters, the Moodle version that I am using is 3.0.
I'm working on a corporate implementation and I'm looking for an authentication workflow that is pretty specific. It is as follows:
- Users are uploaded in bulk to the system. They are set with a generic password (that they never see) and upon upload they are set as suspended (I want to be able to enroll them in courses, I just don't want them to be able to log in and I want it to look like they don't exist when they try to log in).
- Users are given a generic email to a "registration" page. For this page I just made a custom form that only requires an email address. When the user enters the email address, it tells them right off the bat if they are allowed to register or not (checks the database for the existing user). If the user is found in the system, then they are sent an email to confirm/activate/unsuspend their account.
- The email link is custom generated. It has their email address, the expiration time, and a token as variables in the link. The token is generated by hashing a combination of things.
- When the user clicks on the link, there is a check to see if the token is correct as well as a check to see if they are within the required time window.
- If the user is within the required time window, I want to bring them to what looks like the set password page where they can set their own password.
I can get everything above to work except for the portion where the user tries to set their own password (the very last step). I tried using the existing "set_password_form" and set up a function that is *similar* to how it would normally be processed (core_login_process_password_set($token)), but I can't use that token because I have my own custom token that I already validate before calling the form. I tried making a custom form where I strip out the token aspect, but I'm running into a couple of issues:
- The form will catch when the field is empty and the user tries to submit, but it will not catch if the fields do not match. I maintained the "passwordsdiffer" logic used in the set_password_form, but it doesn't seem to catch this at all.
- If the user submits with the different password fields, nothing happens. They just get shot back out to the registration page I made. I want it to tell them that the passwords don't match.
- If the fields do match and the user submits, same deal. Nothing happens and the password doesn't get set.
What I'm looking for (without posting allllll of that code) is if there is another process, or layer of authentication that has to happen when trying to have the user set their own password and not going through the existing core forms. I.e., if I wanted to make my own set password form that didn't require a token that an existing user could use, what would something like that look like?
Thanks so much!
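
The activation link described in the question (email address, expiration time and token as URL variables, checked for correctness and time window on click) can be built and verified as below. This is an added example, not part of the original post and not Moodle core code: it assumes PHP 7.0 or later, a keyed HMAC in place of the unspecified hash, and hypothetical names (`LINK_SECRET`, `make_token`, `make_link`, `verify_link`, the `lms.example.com` URL).

```php
<?php
// Added example; the secret, URL and function names are hypothetical.
// Placeholder: load a long random value from server-side config, never from the URL.
const LINK_SECRET = 'replace-with-long-random-server-side-secret';

// Token = HMAC-SHA256 over the normalised email and the expiry timestamp.
// The newline separator keeps the two fields from running into each other.
function make_token($email, $expires) {
    $payload = strtolower(trim($email)) . "\n" . (int)$expires;
    return hash_hmac('sha256', $payload, LINK_SECRET);
}

// Build the link that goes into the activation email.
function make_link($base, $email, $ttl, $now = null) {
    $expires = ($now ?? time()) + $ttl;
    return $base . '?' . http_build_query([
        'email'   => $email,
        'expires' => $expires,
        'token'   => make_token($email, $expires),
    ]);
}

// True only if the token matches the received email/expiry AND the window is open.
function verify_link($params, $now = null) {
    $email   = $params['email']   ?? '';
    $expires = $params['expires'] ?? '';
    $token   = $params['token']   ?? '';
    if (!is_string($email) || !is_string($expires) || !is_string($token)) {
        return false;                       // rejects array-valued parameters
    }
    if (!ctype_digit($expires)) {
        return false;                       // expiry must be a plain integer
    }
    // Recompute over what was received; compare in constant time.
    if (!hash_equals(make_token($email, $expires), $token)) {
        return false;
    }
    return ($now ?? time()) <= (int)$expires;
}

// Constructed sample run with a fixed clock.
$now  = 1700000000;
$link = make_link('https://lms.example.com/local/register/activate.php', 'User@Example.com', 3600, $now);
parse_str(parse_url($link, PHP_URL_QUERY), $q);
var_dump(verify_link($q, $now + 10));       // untouched link, inside the window
$tampered = $q;
$tampered['expires'] = (string)($now + 999999);
var_dump(verify_link($tampered, $now + 10)); // expiry extended without the secret
var_dump(verify_link($q, $now + 7200));      // untouched link, after the window
```

Because the expiry is inside the MAC, a recipient cannot lengthen the window by editing the URL. The same `verify_link` check has to run again on the request that actually sets the password, not only on the request that displays the form.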