Index: modules/user/user.module =================================================================== RCS file: /cvs/drupal/drupal/modules/user/user.module,v retrieving revision 1.785 diff -u -p -r1.785 user.module --- modules/user/user.module 22 May 2007 05:52:17 -0000 1.785 +++ modules/user/user.module 24 May 2007 07:47:09 -0000 @@ -199,10 +199,11 @@ function user_save($account, $array = ar } // If the password changed, delete all open sessions and recreate - // the current one. + // the current one. Also, mark required password change as complete. if (isset($array['pass'])) { sess_destroy_uid($account->uid); sess_regenerate(); + unset($_SESSION['user_pw_change']); } // Refresh user object @@ -455,7 +456,7 @@ function user_fields() { * Implementation of hook_perm(). */ function user_perm() { - return array('administer access control', 'administer users', 'access user profiles', 'change own username'); + return array('administer access control', 'administer users', 'access user profiles', 'change own username', 'no required password change'); } /** @@ -548,7 +549,7 @@ function user_login_block() { if (variable_get('user_register', 1)) { $items[] = l(t('Create new account'), 'user/register', array('title' => t('Create a new user account.'))); } - $items[] = l(t('Request new password'), 'user/password', array('title' => t('Request new password via e-mail.'))); + $items[] = l(t('Reset password'), 'user/password', array('title' => t('Request a one-time login link via e-mail.'))); $form['links'] = array('#value' => theme('item_list', $items)); return $form; } @@ -799,7 +800,7 @@ function user_menu() { ); $items['user/password'] = array( - 'title' => 'Request new password', + 'title' => 'Reset password', 'page callback' => 'drupal_get_form', 'page arguments' => array('user_pass'), 'access callback' => 'user_is_anonymous', 
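Review bot: The `unset($_SESSION['user_pw_change']);` added in user_save() clears the flag on the current session whenever `$array['pass']` is set, without checking that `$account` is the logged-in user or that the value is non-empty. Because `isset()` is also true for an empty string, a save carrying `pass => ''`, or a save of a different account, would mark the forced change as complete although the session user's password did not change. I would guard it with `if (!empty($array['pass']) && $account->uid == $GLOBALS['user']->uid) { unset($_SESSION['user_pw_change']); }`. The same session-versus-account mismatch applies to the `'#required' => !empty($_SESSION['user_pw_change'])` line in user_edit_form(), which is evaluated for whatever `$uid` the form is built for. user_save() starts and ends outside this hunk, so whether such a caller exists cannot be seen here.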
@@ -970,6 +971,12 @@ function user_menu() { function user_init() { drupal_add_css(drupal_get_path('module', 'user') .'/user.css', 'module'); + + global $user; + if ($user->uid && !empty($_SESSION['user_pw_change']) && !(arg(0) == 'user' && arg(1) == $user->uid && arg(2) == 'edit')) { + drupal_set_message('Please change your password.', 'error'); + drupal_goto('user/'. $user->uid .'/edit'); + } } function user_current_load($arg) { @@ -1177,7 +1184,7 @@ function user_pass() { '#maxlength' => max(USERNAME_MAX_LENGTH, EMAIL_MAX_LENGTH), '#required' => TRUE, ); - $form['submit'] = array('#type' => 'submit', '#value' => t('E-mail new password')); + $form['submit'] = array('#type' => 'submit', '#value' => t('Reset password')); return $form; } @@ -1245,6 +1252,11 @@ function user_pass_reset($uid, $timestam db_query("UPDATE {users} SET login = %d WHERE uid = %d", time(), $account->uid); // Now we can set the new user. $user = $account; + // Require the user to change his/her password unless they + // are special. + if (!user_access('no required password change')) { + $_SESSION['user_pw_change'] = 1; + } // And proceed with normal login, going to user page. $edit = array(); user_module_invoke('login', $edit, $user); 
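Review bot: The redirect added to user_init() exempts only `user/<uid>/edit`, so the logout path is redirected too and a user who opened a one-time link, possibly on a shared machine, cannot end the session without first setting a password. Adding an exemption such as `&& arg(0) != 'logout'` to the condition (assuming the logout path is still `logout` in this tree) keeps the enforcement while allowing the session to be closed. The message is also passed untranslated; `drupal_set_message(t('Please change your password.'), 'error');` would match the other user-facing strings in this file. Since this hook runs on every request, it is worth confirming that non-page requests made by a logged-in user are not broken by the `drupal_goto()`.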
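Review bot: The exemption in user_pass_reset() is decided by `user_access('no required password change')`, and in core user_access() returns TRUE for uid 1, so the most privileged account on the site would never be required to set a password after a one-time login. If that is intended, it deserves a comment such as `// uid 1 passes every user_access() check and is therefore always exempt.`; if it is not, test the uid explicitly with `if ($user->uid == 1 || !user_access('no required password change')) {`. The comment "unless they are special" could also name the permission, so an administrator can tell which roles skip the forced change. The function body continues outside this hunk.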
@@ -1443,13 +1455,14 @@ function user_edit_form($uid, $edit, $re '#title' => t('E-mail address'), '#default_value' => $edit['mail'], '#maxlength' => EMAIL_MAX_LENGTH, - '#description' => t('A valid e-mail address. All e-mails from the system will be sent to this address. The e-mail address is not made public and will only be used if you wish to receive a new password or wish to receive certain news or notifications by e-mail.'), + '#description' => t('A valid e-mail address. All e-mails from the system will be sent to this address. The e-mail address is not made public and will only be used if you request a password reset or wish to receive certain news or notifications by e-mail.'), '#required' => TRUE, ); if (!$register) { $form['account']['pass'] = array('#type' => 'password_confirm', '#description' => t('To change the current user password, enter the new password in both fields.'), '#size' => 25, + '#required' => !empty($_SESSION['user_pw_change']), ); } elseif (!variable_get('user_email_verification', TRUE) || $admin) { 
@@ -1680,11 +1693,11 @@ function _user_mail_text($messageid, $va case 'register_no_approval_required_subject': return t('Account details for !username at !site', $variables); case 'register_no_approval_required_body': - return t("!username,\n\nThank you for registering at !site. You may now log in to !login_uri using the following username and password:\n\nusername: !username\npassword: !password\n\nYou may also log in by clicking on this link or copying and pasting it in your browser:\n\n!login_url\n\nThis is a one-time login, so it can be used only once.\n\nAfter logging in, you will be redirected to !edit_uri so you can change your password.\n\n\n-- !site team", $variables); + return t("!username,\n\nThank you for registering at !site. You may now log by clicking on this link or copying and pasting it in your browser:\n\n!login_url\n\nThis is a one-time login, so it can be used only once.\n\nAfter logging in, you will be required to set your initial password.\n\n\n-- !site team", $variables); case 'register_admin_created_subject': return t('An administrator created an account for you at !site', $variables); case 'register_admin_created_body': - return t("!username,\n\nA site administrator at !site has created an account for you. You may now log in to !login_uri using the following username and password:\n\nusername: !username\npassword: !password\n\nYou may also log in by clicking on this link or copying and pasting it in your browser:\n\n!login_url\n\nThis is a one-time login, so it can be used only once.\n\nAfter logging in, you will be redirected to !edit_uri so you can change your password.\n\n\n-- !site team", $variables); + return t("!username,\n\nA site administrator at !site has created an account for you. 
You may now log by clicking on this link or copying and pasting it in your browser:\n\n!login_url\n\nThis is a one-time login, so it can be used only once.\n\nAfter logging in, you will be required to set your initial password.\n\n\n-- !site team", $variables); case 'register_pending_approval_subject': return t('Account details for !username at !site (pending admin approval)', $variables); case 'register_pending_approval_body': @@ -1692,7 +1705,7 @@ function _user_mail_text($messageid, $va case 'password_reset_subject': return t('Replacement login information for !username at !site', $variables); case 'password_reset_body': - return t("!username,\n\nA request to reset the password for your account has been made at !site.\n\nYou may now log in to !uri_brief clicking on this link or copying and pasting it in your browser:\n\n!login_url\n\nThis is a one-time login, so it can be used only once. It expires after one day and nothing will happen if it's not used.\n\nAfter logging in, you will be redirected to !edit_uri so you can change your password.", $variables); + return t("!username,\n\nA request to reset the password for your account has been made at !site.\n\nYou may now log in to !uri_brief by clicking on this link or copying and pasting it in your browser:\n\n!login_url\n\nThis is a one-time login, so it can be used only once. It expires after one day and nothing will happen if it's not used.\n\nAfter using it to log in, you will be required to change your password.", $variables); case 'status_activated_subject': return t('Account details for !username at !site (approved)', $variables); case 'status_activated_body':
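Review bot: Both new registration bodies read `You may now log by clicking on this link`, which is missing the word "in"; `register_no_approval_required_body` and `register_admin_created_body` should say `You may now log in by clicking on this link`. These two mails no longer carry the `!password` placeholder, so the other templates in _user_mail_text() whose bodies lie outside this hunk (for example `register_pending_approval_body`) should be checked for a leftover `username: !username\npassword: !password` block. A mail that still sends the password in clear text would undo the benefit of the forced change on first login.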