If you want to use Masquerade with this (i.e. an Admin masquerading as user XXX should not have to change the password on user XXX) then you just need to make this addition to the hook_init in password_policy.module: 

/**
 * Implements hook_init().
 */
function password_policy_init() {
  global $user;

  if (isset($_SESSION['masquerading'])) {
     // here you could set a message to the Admin user ... "Admin not subject to password policy"
  } else {
  // Check password reset status and force a reset if needed.
    if (_password_policy_is_password_change_forced($user->uid) &&
        !_password_policy_is_path_allowed_when_password_change_forced()) {
      _password_policy_set_password_change_forced_message();
      _password_policy_go_to_password_change_page();
    }
  }
}

Comments

jamescook created an issue. See original summary.

jamescook’s picture

jamescook CreditAttribution: jamescook commented
Status: Active » Closed (works as designed)
powrsurg’s picture

powrsurg CreditAttribution: powrsurg commented

For anyone that might need this, I was able to work around this with, given a custom module "foo":

function foo_password_policy_force_change_allowed_paths_alter(&$allowed_paths) {
  if (isset($_SESSION['masquerading'])) {
    $allowed_paths[] = current_path();
  }
}

This just allows anyone that is currently masquerading to masquerade as someone without triggering the change password scenario.