Index: INSTALL.txt =================================================================== RCS file: /cvs/drupal-contrib/contributions/modules/logintoboggan/INSTALL.txt,v retrieving revision 1.2 diff -u -F^f -u -F^f -r1.2 INSTALL.txt --- INSTALL.txt 9 Mar 2008 01:18:45 -0000 1.2 +++ INSTALL.txt 28 Mar 2009 21:25:45 -0000 @@ -10,14 +10,14 @@ (a) your sites/all/modules directory (b) your sites/[my site]/modules directory. -Enable the module at +Enable the module at Administer -> Site building - > Modules -Configure loggintoboggan settings at +Configure loggintoboggan settings at Administer -> User management -> LoginToboggan. -The module changes the functionality of the login block -AND provides a new 'LoginToboggan logged in block' +The module changes the functionality of the login block +AND provides a new 'LoginToboggan logged in block' Configure each block at Administer -> Site building -> Blocks 
@@ -32,9 +32,35 @@ type" sends user to a login form, returning them to original page after successful login. -2. Configure 'LoginToboggan logged in block' +2. Configure 'LoginToboggan logged in block' Tip: by leaving the title blank, the 'LoginToboggan logged in block' is slim and neat. Done! + +CAVEATS: + +1. Use the 'Delete unvalidated users after' feature with extreme caution! + + This feature can be handy, but if misconfigured can cause unexpected damage + to your user data -- specifically deleting users! Two things to guard + against: + + a. Be very careful when editing the 'Non-authenticated role' setting. + If you set it to anything other than the 'authenticated user' role, + LoginToboggan will happily start deleting any users you have in that + role that were created prior to the purge interval. If you want to + avoid problems, it's best to never change that setting after you've + initially set it up. + + b. LoginToboggan has mechanisms in place that prevent a user from being + re-added to the Non-authenticated role after a user has been validated. + Note that these protections are only present in core's interface -- if + you have another module enabled which does any role manipulation + (either via the user interface or programatically), you must find your + own way to ensure that it doesn't add any users back into the + Non-authenticated role. + + Also note that the feature is only enabled if the 'Set password' option is + also enabled. Index: README.txt =================================================================== RCS file: /cvs/drupal-contrib/contributions/modules/logintoboggan/README.txt,v retrieving revision 1.7 diff -u -F^f -u -F^f -r1.7 README.txt --- README.txt 9 Jun 2008 19:08:38 -0000 1.7 +++ README.txt 28 Mar 2009 21:25:45 -0000 
@@ -16,6 +16,9 @@ 6. Optionally redirect the user to a specific page when using the 'immediate login' feature. 7. Optionally redirect the user to a specific page upon validation of their e-mail address. 8. Optionally display a user message indicating a successful login. + 9. Optionally have unvalidated users purged from the system at a pre-defined interval + (please read the CAVEATS section of INSTALL.txt for important information on configuring + this feature!). Users who choose their own password can be automatically assigned to a selected 'non-authenticated' role. This role could have more permissions than anonymous but less than authenticated - thus preventing spoof accounts and spammers. The user will only be removed from the non-authenticated role and granted authenticated permissions when they verify their account via a special email link, or when an administrator removes them from the non-authenticated role. Index: logintoboggan.module =================================================================== RCS file: /cvs/drupal-contrib/contributions/modules/logintoboggan/logintoboggan.module,v retrieving revision 1.133.2.9 diff -u -F^f -u -F^f -r1.133.2.9 logintoboggan.module --- logintoboggan.module 21 Mar 2009 12:09:20 -0000 1.133.2.9 +++ logintoboggan.module 28 Mar 2009 21:25:46 -0000 
@@ -32,9 +32,9 @@ function logintoboggan_cron() { $validating_id = logintoboggan_validating_id(); // As a safety check, make sure that we have a non-core role as the // pre-auth role -- otherwise skip. - if ($validating_id > DRUPAL_AUTHENTICATED_RID) { + if (!in_array($validating_id, array(DRUPAL_ANONYMOUS_RID, DRUPAL_AUTHENTICATED_RID))) { $purge_time = time() - $purge_interval; - $accounts = db_query("SELECT u.uid, u.name FROM {users} u INNER JOIN {users_roles} ur ON u.uid = ur.uid WHERE ur.rid = %d AND u.access < %d", $validating_id, $purge_time); + $accounts = db_query("SELECT u.uid, u.name FROM {users} u INNER JOIN {users_roles} ur ON u.uid = ur.uid WHERE ur.rid = %d AND u.created < %d", $validating_id, $purge_time); $purged_users = array(); // Delete the users from the system. @@ -67,6 +67,7 @@ function logintoboggan_help($path, $arg)
  • Optionally redirect the user to a specific page when using the 'Immediate login' feature.
  • Optionally redirect the user to a specific page upon validation of their e-mail address.
  • Optionally display a user message indicating a successful login.
  • +
  • Optionally have unvalidated users purged from the system at a pre-defined interval (please read the CAVEATS section of INSTALL.txt for important information on configuring this feature!).
  • These features may be turned on or off in the Login Toboggan settings.

    Because this module completely reorients the Drupal login process you will probably want to edit the welcome e-mail on the user settings page. For instance if you have enabled the 'Set password' option, you probably should not send the user's password out in the welcome e-mail (also note when the 'Set password' option is enabled, the !login_url becomes a verification url that the user MUST visit in order to enable authenticated status). The following is an example welcome e-mail:

    
@@ -149,12 +150,21 @@ function logintoboggan_form_alter(&$form $account = user_load(array('uid' => arg(1))); $id = logintoboggan_validating_id(); $in_pre_auth_role = in_array($id, array_keys($account->roles)); - // Messages aren't necessary if pre-auth role is authenticated user. - if ($in_pre_auth_role && user_access('administer users') && $id != DRUPAL_AUTHENTICATED_RID) { - if ((variable_get('user_register', 1) == 2)) { - $form['account']['status']['#description'] = t('If this user was created using the "Immediate Login" feature of LoginToboggan, and they are also awaiting adminstrator approval on their account, you must remove them from the site\'s pre-authorized role in the "Roles" section below, or they will not receive authenticated user permissions!'); + // Messages are only necessary for user admins, and aren't necessary if + // pre-auth role is authenticated user. + if (user_access('administer users') && isset($form['account']['roles']) && $id != DRUPAL_AUTHENTICATED_RID) { + // User is still in the pre-auth role, so let the admin know. + if ($in_pre_auth_role) { + if ((variable_get('user_register', 1) == 2)) { + $form['account']['status']['#description'] = t('If this user was created using the "Immediate Login" feature of LoginToboggan, and they are also awaiting adminstrator approval on their account, you must remove them from the site\'s pre-authorized role in the "Roles" section below, or they will not receive authenticated user permissions!'); + } + $form['account']['roles']['#description'] = t("The user is assigned LoginToboggan's pre-authorized role, and is not currently receiving authenticated user permissions."); + } + // User is no longer in the pre-auth role, so remove the option to add + // them back. + else { + unset($form['account']['roles']['#options'][$id]); } - $form['account']['roles']['#description'] = t("The user is assigned LoginToboggan's pre-authorized role, and is not currently receiving authenticated user permissions."); } break; 
@@ -250,6 +260,15 @@ function logintoboggan_form_alter(&$form } } break; + + // Unset the ability to add the pre-auth role in the user admin interface. + case 'user_admin_account': + $id = logintoboggan_validating_id(); + $add = t('Add a role to the selected users'); + if ($id != DRUPAL_AUTHENTICATED_RID && isset($form['options']['operation']['#options'][$add]["add_role-$id"])) { + unset($form['options']['operation']['#options'][$add]["add_role-$id"]); + } + break; } } @@ -649,7 +668,7 @@ function logintoboggan_main_settings(&$f '#title' => t('Non-authenticated role'), '#options' => $roles, '#default_value' => variable_get('logintoboggan_pre_auth_role', DRUPAL_AUTHENTICATED_RID), - '#description' => t('If "Set password" is selected, users will be able to login before their e-mail address has been authenticated. Therefore, you must choose a role for new non-authenticated users. Users will be removed from this role and assigned to the "authenticated user" role once they follow the link in their welcome e-mail. Add new roles.', array('!url' => url('admin/user/roles'))), + '#description' => t('If "Set password" is selected, users will be able to login before their e-mail address has been authenticated. Therefore, you must choose a role for new non-authenticated users. Users will be removed from this role and assigned to the "authenticated user" role once they follow the link in their welcome e-mail. Add new roles. WARNING: changing this setting after initial site setup can cause undesirable results, including unintended deletion of users -- change with extreme caution!', array('!url' => url('admin/user/roles'))), ); $purge_options = array( 
@@ -673,7 +692,7 @@ function logintoboggan_main_settings(&$f '#title' => t('Delete unvalidated users after'), '#options' => $purge_options, '#default_value' => variable_get('logintoboggan_purge_unvalidated_user_interval', 0), - '#description' => t("If enabled, users that are still in the 'Non-authenticated role' set above will be deleted automatically from the system, if the set time interval since their last login has passed. This can be used to automatically purge spambot registrations. Note: this requires cron, and also requires that the 'Set password' option above is enabled.") + '#description' => t("If enabled, users that are still in the 'Non-authenticated role' set above will be deleted automatically from the system, if the set time interval since their initial account creation has passed. This can be used to automatically purge spambot registrations. Note: this requires cron, and also requires that the 'Set password' option above is enabled. WARNING: changing this setting after initial site setup can cause undesirable results, including unintended deletion of users -- change with extreme caution! (please read the CAVEATS section of INSTALL.txt for important information on configuring this feature)") ); $form['registration']['logintoboggan_immediate_login_on_register'] = array(
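Review bot: in the first INSTALL.txt hunk (`@@ -10,14 +10,14 @@`) every removed line is re-added with identical visible text, so this is trailing-whitespace cleanup only; it is harmless, but mixing whitespace churn into a patch that changes purge behaviour makes the functional review harder, so consider committing it separately.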
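Review bot: in the INSTALL.txt CAVEATS hunk, "programatically" in caveat (b) should be "programmatically". Caveat (a) would be stronger if it stated the exact rule the cron hunk implements: an account is deleted when it still holds the non-authenticated role and its `created` timestamp is older than the purge interval, which is why re-pointing the role setting at a role that already has members is dangerous. The closing sentence about 'Set password' is a precondition rather than a caveat and reads better as a note next to the configuration steps above.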
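Review bot: in the `logintoboggan_cron` hunk, moving the purge query from `u.access` to `u.created` fixes a real defect rather than just changing semantics: an account that has never logged in has `access` 0 in Drupal's users table, so the old `u.access < %d` condition matched every never-logged-in unvalidated user on the first cron run regardless of the configured interval, while an unvalidated user who kept logging in was never purged. The new role guard is fine (non-strict `in_array()` is intended here because `$validating_id` comes from a stored variable and may be a string), but a one-line comment that it deliberately excludes both core roles would help. `$purge_interval` is used in `time() - $purge_interval` without being visible in the hunk context; confirm the code above returns early when the setting is 0 (its default in the settings hunk), otherwise `$purge_time` equals now and every unvalidated account matches.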
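Review bot: in the `logintoboggan_help` hunk, the new bullet 9 sends readers to the CAVEATS section of INSTALL.txt, but the help page is read inside the admin UI where INSTALL.txt is not reachable; restating the one-line rule (users still in the non-authenticated role are deleted once the interval since account creation has passed, so do not change the role setting after setup) would serve the admin better than the file reference alone.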
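Review bot: in the first `logintoboggan_form_alter` hunk (`@@ -149,12 +150,21 @@`), removing the pre-auth role from `#options` once the user has left it protects the submit path as well as the UI, because Drupal's form validation rejects submitted checkbox values that are not in `#options`; say so in the comment, since INSTALL's caveat (b) describes these protections as interface-only. Two smaller points: the `t()` string carried over from the removed lines still misspells "adminstrator", and the outer condition guards only `$id != DRUPAL_AUTHENTICATED_RID` while the cron hunk now excludes DRUPAL_ANONYMOUS_RID as well; use the same guard in both places so a misconfigured anonymous pre-auth role is handled consistently.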
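Review bot: in the `user_admin_account` hunk, the lookup is keyed on `$add = t('Add a role to the selected users')`, i.e. on the human-readable optgroup label that core's user admin form happens to use; if that label changes in a later core release or another module alters it, `isset()` is false and the bulk "add role" operation for the pre-auth role silently reappears with no error. Add a comment stating this dependency, and consider iterating over `$form['options']['operation']['#options']` and unsetting `"add_role-$id"` from whichever group contains it, so the guard does not depend on the label text.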
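Review bot: in the 'Non-authenticated role' settings hunk (`@@ -649,7 +668,7 @@`), the WARNING sentence is pasted verbatim into the purge-interval description in the next hunk as well; keep the shared text in one variable so the two cannot drift, and on this setting say what actually goes wrong (members of the newly selected role become purge candidates on the next cron run if they are older than the interval) instead of the generic "undesirable results". Also, as rendered here the description string shows no `!url` placeholder although one is passed in the arguments array; if the link markup around "Add new roles" was lost in the edit, that link becomes plain text.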
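Review bot: in the 'Delete unvalidated users after' hunk, the new wording "since their initial account creation" correctly matches the switch to `u.created` in the cron query. State the consequence explicitly, since it is the failure mode the warning is about: an existing account moved into the non-authenticated role after creation is eligible for deletion on the next cron run whenever it is older than the interval, regardless of recent activity. The closing parenthetical also lacks a full stop, and the duplicated WARNING text belongs in one shared variable.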