force password change on next login

See: Force users to change password on first login

This issue is now handled by the Force Password Change module.

Allen is going to port his patch from #730266: Doesn't follow Drupal code style really at all back to here.

Added code to support forced password change by role, individual user or to force all new users to change their password on first login. Made minor bugfixes for WSoD encountered when trying to add new policies. Added unit tests for force password change feature set. Also rewrote several existing tests to work with the new policy by role code.

Patch #9 looks good overall. I think this functionality should definitely be included in the next Password Policy release.

Couple issues found with patch:

• superuser 1 should be exempt from having to change their password, irrespective of roles selected on the Force Password Change form (honor setting from password_policy_admin).
• logic error on submit handler: if is_numeric($uid) and !$force_change is handled as new user, this occurs when an admin is editing their own account.
• in hook_user validate, patch effectively adds the condition of password history by requiring new password to not match last password. While it makes sense to do this, I think its better to let _password_policy_constraint_validate(...) do its thing and enforce password history constraint if enabled in the policy.
• in hook_form_alter, the $form_id switch is effectively duplicated with another if(...)
• Password Change Tab module is not supported
• the Force Password Change message "An administrator has required..." seems awkward to me. I imagine that an administrator typically will force change in the event they exact a new policy and want all users to update their passwords, or in the case of new users. The more generic "Your password has expired. You must change your password to proceed on the site." seems better (at least to me).
• I documented in another thread that the Block user account setting that enables users to change their existing password does not work. Your patch makes this a much simpler fix.

I'll roll a new patch based on #9 and submit this evening.

Other than a couple minor tweaks your patch looks great. Good call clearing out the password enforcement (history, null), that stuff snuck in during the port from Force Password Change.

A few minor issues encountered:
- a change in wording to one of the alter messages caused several tests to break
- unselected roles from the form submission resulted in 0's in the $roles array, when parsed mayhem ensued.
- Since no special handling of Authenticated Users was present and role 2 doesn't add entries to the users_roles table selecting authenticated users wasn't working.
- Dunno if I missed this or if it snuck in with the latest patch but there was a bug in the formatting of the update query in the form submit handler that resulted in only the first user assigned to a given role getting flagged. For more details refer to http://drupal.org/node/381352

Attached patch based on #11

- rewrote portions of the FPC test suite to work with changes in #11
- fixed query formatting bug in password_policy_change_settings_submit()
- fixed bug caused by unselected roles resulting in 0's in the roles array

installed password policy module and applied the patch in #12

Functionality seems to work correctly.

I chose the "Force password change on first-time login" option and created new user. Was asked to change password on first login and successfully did so.

Chose a role to have all users of that role be forced to change their password and this functionality was successful.

Chose a user to force password change on next login and this functionality was successful.

I found one usability issue. When Password Change Tab is enabled, the checkbox to force the user to reset their password on the user profile password tab is below the submit button.

committed to HEAD

Automatically closed -- issue fixed for 2 weeks with no activity.