From e6d45b6d6028527079744af20dc9407a2a3867f2 Mon Sep 17 00:00:00 2001 From: Byron Jones Date: Tue, 25 Aug 2015 13:40:13 +0800 Subject: Bug 1196134 - add ability for admins to force a user to change their password on next login --- Bugzilla.pm | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) (limited to 'Bugzilla.pm') diff --git a/Bugzilla.pm b/Bugzilla.pm index 8a0ff2fd7..fa95128d1 100644 --- a/Bugzilla.pm +++ b/Bugzilla.pm @@ -367,8 +367,26 @@ sub login { } my $authenticated_user = $authorizer->login($type); - + # At this point, we now know if a real person is logged in. + + # Check if a password reset is required + if ($authenticated_user->password_change_required) { + # We cannot show the password reset UI for API calls, so treat those as + # a disabled account. + if (i_am_webservice()) { + ThrowUserError("account_disabled", { disabled_reason => $authenticated_user->password_change_reason }); + } + + # only allow the reset-password and token pages to handle requests + # (tokens handles the 'forgot password' process) + # otherwise redirect user to the reset-password page. + if ($ENV{SCRIPT_NAME} !~ m#/(?:reset_password|token)\.cgi$#) { + print Bugzilla->cgi->redirect('reset_password.cgi'); + exit; + } + } + # We must now check to see if an sudo session is in progress. # For a session to be in progress, the following must be true: # 1: There must be a logged in user -- cgit v1.2.3-24-g4f1b
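Review bot: The `$ENV{SCRIPT_NAME}` allowlist exempts all of token.cgi, while the comment only justifies the 'forgot password' path; if token.cgi also services other token-driven actions (email-address changes, for instance), a user flagged for a forced password change can still complete those without ever setting a new password. Tightening the exemption to the password-related actions would keep the gate meaningful, e.g. `unless ($ENV{SCRIPT_NAME} =~ m#/token\.cgi\z# && (Bugzilla->cgi->param('a') // '') =~ /pw\z/)` in place of the bare token.cgi match — assuming token.cgi's action parameter is `a` with `*pw` names for the password flow; confirm against token.cgi before relying on that. Note also that `$authorizer->login` has already established the session by the time this check runs, so the restriction is enforced only per request, and any authenticated entry point that does not pass through this `login()` call (or where `i_am_webservice()` is false for an API-style request) is unconstrained; a comment such as `# NOTE: every authenticated entry point must reach this check; the session itself is already valid` would make that dependency explicit for future maintainers. `sub login` starts and ends outside the hunk.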