Index: user.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/user.module,v
retrieving revision 1.578
diff -u -r1.578 user.module
--- user.module 2 Feb 2006 01:51:54 -0000 1.578
+++ user.module 4 Feb 2006 15:54:44 -0000
@@ -1025,7 +1025,7 @@
 /**
  * Menu callback; process one time login link and redirects to the user page on success.
  */
-function user_pass_reset($uid, $timestamp, $hashed_pass) {
+function user_pass_reset($uid, $timestamp, $hashed_pass, $dologin = FALSE) {
   global $user;
 
   // Check if the user is already logged in. The back button is often the culprit here.
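Review bot: The new `$dologin` parameter on the `user_pass_reset` menu callback may be settable from the request path, if the menu system hands trailing path segments to the callback as extra arguments (not visible in this patch). In that case the confirmation form is not enforced: a request carrying one more path segment would take the login branch directly on a GET. If the second stage is meant to require an explicit form submission, the login should be driven only from the submit handler and not from a positional argument of the page callback. At minimum, add a comment on the signature such as `// $dologin must only be set by user_pass_reset_submit(), never from the URL.` The function body continues outside this hunk.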
@@ -1045,16 +1045,28 @@ drupal_goto('user/password'); } else if ($account->uid && $timestamp > $account->login && $timestamp < $current && $hashed_pass == user_pass_rehash($account->pass, $timestamp, $account->login)) { - watchdog('user', t('User %name used one-time login link at time %timestamp.', array('%name' => "$account->name", '%timestamp' => $timestamp))); - // Update the user table noting user has logged in. - // And this also makes this hashed password a one-time-only login. - db_query("UPDATE {users} SET login = %d WHERE uid = %d", time(), $account->uid); - // Now we can set the new user. - $user = $account; - // And proceed with normal login, going to user page. - user_module_invoke('login', $edit, $user); - drupal_set_message(t('You have just used your one-time login link. It is no longer necessary to use this link to login. Please change your password.')); - drupal_goto('user/'. $user->uid .'/edit'); + // First stage is a confirmation form, then login + if($dologin){ + watchdog('user', t('User %name used one-time login link at time %timestamp.', array('%name' => "$account->name", '%timestamp' => $timestamp))); + // Update the user table noting user has logged in. + // And this also makes this hashed password a one-time-only login. + db_query("UPDATE {users} SET login = %d WHERE uid = %d", time(), $account->uid); + // Now we can set the new user. + $user = $account; + // And proceed with normal login, going to user page. + user_module_invoke('login', $edit, $user); + drupal_set_message(t('You have just used your one-time login link. It is no longer necessary to use this link to login. Please change your password.')); + drupal_goto('user/'. $user->uid .'/edit'); + } + else { + $form['message'] = array('#value' => t('
This is a one-time login for %user_name and will expire on %expiration_date
Click on this button to login to the site and change your password.
', array('%user_name' => $account->name, '%expiration_date' => format_date($timestamp + $timeout)))); + $form['uid'] = array('#type' => 'hidden', '#value' => $uid); + $form['timestamp'] = array('#type' => 'hidden', '#value' => $timestamp); + $form['hashed_pass'] = array('#type' => 'hidden', '#value' => $hashed_pass); + $form['submit'] = array('#type' => 'submit', '#value' => t('Log in')); + $form['help'] = array('#value' => t('This login can be used only once.
')); + return drupal_get_form('user_pass_reset', $form); + } } else { drupal_set_message(t('You have tried to use a one-time login link which has either been used or is no longer valid. Please request a new one using the form below.')); @@ -1069,6 +1081,10 @@ } } +function user_pass_reset_submit($form_id, $form_values){ + return user_pass_reset($form_values['uid'], $form_values['timestamp'], $form_values['hashed_pass'], TRUE); +} + function user_pass_reset_url($account) { $timestamp = time(); return url("user/reset/$account->uid/$timestamp/".user_pass_rehash($account->pass, $timestamp, $account->login), NULL, NULL, TRUE);
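Review bot: In the new `else` branch, `$account->name` is substituted into the confirmation message markup through `%user_name` with no escaping visible in this hunk. Unless `t()` escapes `%` placeholders in this version, escape it first, e.g. `'%user_name' => check_plain($account->name)`. `format_date($timestamp + $timeout)` relies on `$timeout` being set in the part of `user_pass_reset` above this hunk, which is not shown. The unchanged guard still compares the token with `==`; now that the form feeds the same check a second time, a strict `$hashed_pass === user_pass_rehash(...)` would avoid PHP's loose string comparison. Style: `if($dologin){` should be `if ($dologin) {` to match the surrounding code.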
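Review bot: `user_pass_reset_submit` has no docblock, and it should state that `uid`, `timestamp` and `hashed_pass` come back from hidden fields and are therefore client-controlled. I would add `/** Submit handler for the one-time login confirmation form; the submitted values are untrusted and are re-validated by user_pass_reset(). */` above it. Style: `$form_values){` should read `$form_values) {`, like the neighbouring `user_pass_reset_url($account) {`.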