More inventive ways to avoid real work; add password expiration
capability. New DB field in the users table (pswd_expires) which is a date field that initially gets set to one year after the user account is created. When the password is changed via the web form, it gets bumped 1 more year into the future *unless* the current uid is different from the target_uid (ie: you are changing a password for someone else). In that case, the expiration is set to the current date, which forces the target user to change his password next time he logs in. I've changed the menu/auth code to look for password expiration, and when expired the menu options contain just a single option to change the password. All other https pages will fail with a password expired message. Normal text pages will work of course.
Showing with 169 additions and 96 deletions