Index: modules/user/user.module =================================================================== RCS file: /cvs/drupal/drupal/modules/user/user.module,v retrieving revision 1.827 diff -u -p -r1.827 user.module --- modules/user/user.module 9 Aug 2007 10:49:26 -0000 1.827 +++ modules/user/user.module 10 Aug 2007 18:58:16 -0000 @@ -245,10 +245,11 @@ function user_save($account, $array = ar } // If the password changed, delete all open sessions and recreate - // the current one. + // the current one. Also, mark required password change as complete. if (!empty($array['pass'])) { sess_destroy_uid($account->uid); sess_regenerate(); + unset($_SESSION['user_password_needs_change']); } // Refresh user object @@ -490,7 +491,7 @@ function user_fields() { * Implementation of hook_perm(). */ function user_perm() { - return array('administer access control', 'administer users', 'access user profiles', 'change own username'); + return array('administer access control', 'administer users', 'access user profiles', 'change own username', 'skip required password change'); } /** @@ -1073,6 +1074,12 @@ function user_menu() { function user_init() { drupal_add_css(drupal_get_path('module', 'user') .'/user.css', 'module'); + + global $user; + if ($user->uid && !empty($_SESSION['user_password_needs_change']) && !(arg(0) == 'user' && arg(1) == $user->uid && arg(2) == 'edit')) { + drupal_set_message('Please change your password.', 'error'); + drupal_goto('user/'. $user->uid .'/edit'); + } } function user_current_load($arg) { @@ -1287,6 +1294,7 @@ function user_logout() { } function user_pass() { + $form['instructions'] = array('#value' => '
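Review bot: The added `unset($_SESSION['user_password_needs_change']);` in user_save() clears the flag on the current session whenever any account is saved with a non-empty `pass`; nothing compares `$account->uid` with the logged-in user. The user_init() redirect in this patch makes that hard to reach through the UI, but user_save() can presumably be called from other code paths, so the flag should only be cleared when the session owner's own password changed: `if ($account->uid == $GLOBALS['user']->uid) { unset($_SESSION['user_password_needs_change']); }`. The same session-only test sets `'#required'` in the user_edit_form() hunk and has the same gap. user_save() begins and ends outside this hunk.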
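Review bot: The forced redirect added to user_init() exempts only `user/<uid>/edit`, so a flagged user cannot reach the logout page either and can only end the session by setting a password. Consider extending the condition with `&& arg(0) != 'logout'`, assuming the logout path in user_menu() is still `logout`. The message is also emitted untranslated; `drupal_set_message(t('Please change your password.'), 'error');` would match the rest of the module. Because the flag lives only in `$_SESSION`, a one-line comment above the check saying that the requirement lasts only as long as this session would help the next reader.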

'. t('Instructions on how to change your password will sent to your e-mail address.') .'

'); $form['name'] = array( '#type' => 'textfield', '#title' => t('Username or e-mail address'), @@ -1294,7 +1302,7 @@ function user_pass() { '#maxlength' => max(USERNAME_MAX_LENGTH, EMAIL_MAX_LENGTH), '#required' => TRUE, ); - $form['submit'] = array('#type' => 'submit', '#value' => t('E-mail new password')); + $form['submit'] = array('#type' => 'submit', '#value' => t('E-mail instructions')); return $form; } @@ -1323,7 +1331,7 @@ function user_pass_submit($form, &$form_ $mail_success = _user_mail_notify('password_reset', $account, $language); if ($mail_success) { watchdog('user', 'Password reset instructions mailed to %name at %email.', array('%name' => $account->name, '%email' => $account->mail)); - drupal_set_message(t('Further instructions have been sent to your e-mail address.')); + drupal_set_message(t('Password creation instructions have been sent to your e-mail address.')); } else { watchdog('user', 'Error mailing password reset instructions to %name at %email.', array('%name' => $account->name, '%email' => $account->mail), WATCHDOG_ERROR); @@ -1364,6 +1372,11 @@ function user_pass_reset(&$form_state, $ db_query("UPDATE {users} SET login = %d WHERE uid = %d", time(), $account->uid); // Now we can set the new user. $user = $account; + // Require the user to change his/her password unless they + // are special. + if (!user_access('skip required password change')) { + $_SESSION['user_password_needs_change'] = 1; + } // And proceed with normal login, going to user page. $edit = array(); user_module_invoke('login', $edit, $user); 
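Review bot: The new instructions string in user_pass() is missing a word: `t('Instructions on how to change your password will sent to your e-mail address.')` should read `will be sent`. Fixing it before commit saves translators from having to redo the string after a later correction.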
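Review bot: The exemption test `if (!user_access('skip required password change'))` in user_pass_reset() goes through user_access(), which as far as I know returns TRUE unconditionally for uid 1, so the most privileged account would never be forced to replace its password after a one-time login. If that is not intended, test the uid explicitly, e.g. `if ($user->uid == 1 || !user_access('skip required password change'))`. The comment `unless they are special` should name the permission instead, for example `// Users with the 'skip required password change' permission are exempt.` The function body starts and ends outside this hunk.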
@@ -1545,10 +1558,10 @@ function user_register_submit($form, &$f $op = $notify ? 'register_admin_created' : 'register_no_approval_required'; _user_mail_notify($op, $account); if ($notify) { - drupal_set_message(t('Password and further instructions have been e-mailed to the new user %name.', array('@url' => url("user/$account->uid"), '%name' => $account->name))); + drupal_set_message(t('Password creation instructions have been e-mailed to the new user %name.', array('@url' => url("user/$account->uid"), '%name' => $account->name))); } else { - drupal_set_message(t('Your password and further instructions have been sent to your e-mail address.')); + drupal_set_message(t('Password creation instructions have been sent to your e-mail address.')); $form_state['redirect'] = ''; return; } @@ -1556,8 +1569,7 @@ function user_register_submit($form, &$f else { // Create new user account, administrator approval required. _user_mail_notify('register_pending_approval', $account); - drupal_set_message(t('Thank you for applying for an account. Your account is currently pending approval by the site administrator.
In the meantime, your password and further instructions have been sent to your e-mail address.')); - + drupal_set_message(t('Thank you for applying for an account. Your account is currently pending approval by the site administrator.
If your account is approved, password creation instructions will be sent to your e-mail address.')); } } } @@ -1583,13 +1595,14 @@ function user_edit_form(&$form_state, $u '#title' => t('E-mail address'), '#default_value' => $edit['mail'], '#maxlength' => EMAIL_MAX_LENGTH, - '#description' => t('A valid e-mail address. All e-mails from the system will be sent to this address. The e-mail address is not made public and will only be used if you wish to receive a new password or wish to receive certain news or notifications by e-mail.'), + '#description' => t('A valid e-mail address. All e-mails from the system will be sent to this address. The e-mail address is not made public and will only be used if you request a new password or wish to receive certain news or notifications by e-mail.'), '#required' => TRUE, ); if (!$register) { $form['account']['pass'] = array('#type' => 'password_confirm', '#description' => t('To change the current user password, enter the new password in both fields.'), '#size' => 25, + '#required' => !empty($_SESSION['user_password_needs_change']), ); } elseif (!variable_get('user_email_verification', TRUE) || $admin) { 
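Review bot: In the administrator-approval branch of user_register_submit() the new message promises that password creation instructions follow approval, but `_user_mail_notify('register_pending_approval', $account)` still runs immediately and no hunk in this patch touches the `register_pending_approval_body` template. If that body still includes `!password` or `!login_url`, an unapproved account receives working credentials by mail and the on-screen text is wrong. The template should then be cut down to an acknowledgement, with the login link left to the `status_activated` mail. The function starts and ends outside this hunk.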
@@ -1840,11 +1853,11 @@ function _user_mail_text($key, $language case 'register_no_approval_required_subject': return t('Account details for !username at !site', $variables, $langcode); case 'register_no_approval_required_body': - return t("!username,\n\nThank you for registering at !site. You may now log in to !login_uri using the following username and password:\n\nusername: !username\npassword: !password\n\nYou may also log in by clicking on this link or copying and pasting it in your browser:\n\n!login_url\n\nThis is a one-time login, so it can be used only once.\n\nAfter logging in, you will be redirected to !edit_uri so you can change your password.\n\n\n-- !site team", $variables, $langcode); + return t("!username,\n\nThank you for registering at !site. You may now log in to !uri_brief by clicking on this link or copying and pasting it in your browser:\n\n!login_url\n\nThis is a one-time login, so it can be used only once.\n\nAfter logging in, you will be required to set your initial password.\n\n\n-- !site team", $variables, $langcode); case 'register_admin_created_subject': return t('An administrator created an account for you at !site', $variables, $langcode); case 'register_admin_created_body': - return t("!username,\n\nA site administrator at !site has created an account for you. You may now log in to !login_uri using the following username and password:\n\nusername: !username\npassword: !password\n\nYou may also log in by clicking on this link or copying and pasting it in your browser:\n\n!login_url\n\nThis is a one-time login, so it can be used only once.\n\nAfter logging in, you will be redirected to !edit_uri so you can change your password.\n\n\n-- !site team", $variables, $langcode); + return t("!username,\n\nA site administrator at !site has created an account for you. 
You may now log in to !uri_brief by clicking on this link or copying and pasting it in your browser:\n\n!login_url\n\nThis is a one-time login, so it can be used only once.\n\nAfter logging in, you will be required to set your initial password.\n\n\n-- !site team", $variables, $langcode); case 'register_pending_approval_subject': case 'pending_approval_admin_subject': return t('Account details for !username at !site (pending admin approval)', $variables, $langcode); @@ -1855,7 +1868,7 @@ function _user_mail_text($key, $language case 'password_reset_subject': return t('Replacement login information for !username at !site', $variables, $langcode); case 'password_reset_body': - return t("!username,\n\nA request to reset the password for your account has been made at !site.\n\nYou may now log in to !uri_brief clicking on this link or copying and pasting it in your browser:\n\n!login_url\n\nThis is a one-time login, so it can be used only once. It expires after one day and nothing will happen if it's not used.\n\nAfter logging in, you will be redirected to !edit_uri so you can change your password.", $variables, $langcode); + return t("!username,\n\nA request to reset the password for your account has been made at !site.\n\nYou may now log in to !uri_brief by clicking on this link or copying and pasting it in your browser:\n\n!login_url\n\nThis is a one-time login, so it can be used only once. It expires after one day and nothing will happen if it's not used.\n\nAfter using it to log in, you will be required to change your password.", $variables, $langcode); case 'status_activated_subject': return t('Account details for !username at !site (approved)', $variables, $langcode); case 'status_activated_body':
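Review bot: With `!password` removed from `register_no_approval_required_body` and `register_admin_created_body`, the `!login_url` link becomes the only credential in those mails, yet unlike `password_reset_body` they say nothing about expiry. Whether user_pass_reset() expires the link for an account that has never logged in is not visible in this patch; if it does not, either enforce a lifetime there or state in the text how long the link stays valid. It is also worth checking that `$variables` stops carrying the plain-text password once no remaining template uses it. _user_mail_text() starts and ends outside these hunks.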