modules/password_policy/password_policy.module

<?php
// $Id: password_policy.module,v 1.23 2009/06/04 21:48:39 deekayen Exp $
/**
 * @file
 * The password policy module allows you to enforce a specific level of
 * password complexity for the user passwords on the system.
 */

//////////////////////////////////////////////////////////////////////////////

define('PASSWORD_POLICY_ADMIN',             variable_get('password_policy_admin', 0));
define('PASSWORD_POLICY_BEGIN',             variable_get('password_policy_begin', 0));
define('PASSWORD_POLICY_BLOCK',             variable_get('password_policy_block', 0));
define('PASSWORD_POLICY_SHOW_RESTRICTIONS', variable_get('password_policy_show_restrictions', 0));

define('PASSWORD_POLICY_ENTRIES_PER_PAGE', 20);

//////////////////////////////////////////////////////////////////////////////
// Core API hooks

/**
 * Implementation of hook_help().
 */
function password_policy_help($path, $arg) {
  switch ($path) {
    case "admin/help#password_policy":
      return '<p>'. t('The password policy module allows you to enforce a specific level of password complexity for the user passwords on the system.') .'</p>';
  }
}

/**
 * Implementation of hook_init().
 */
function password_policy_init() {
  global $_password_policy;

  // Save all available constrains in a global variable.
  $dir = drupal_get_path('module', 'password_policy') .'/constraints';
  $constraints = file_scan_directory($dir, '^constraint.*\.inc$');
  foreach ($constraints as $file) {
    if (is_file($file->filename)) {
      include_once($file->filename);
      $_password_policy[] = drupal_substr($file->name, 11);
    }
  }
}

/**
 * Implementation of hook_theme().
 */

function password_policy_theme() {
  return array(
    'password_policy_admin_list' => array(
      'arguments' => array('form' => NULL),
      'file' => 'password_policy.theme.inc',
    ),
  );
}

/**
 * Implementation of hook_perm().
 */
function password_policy_perm() {
  return array('unblock expired accounts');
}

/**
 * Implementation of hook_menu().
 */
function password_policy_menu() {
  $items['admin/settings/password_policy'] = array(
    'title' => 'Password policies',
    'description' => 'Configures policies for user account passwords.',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('password_policy_admin_settings'),
    'access arguments' => array('administer site configuration'),
    'file' => 'password_policy.admin.inc',
  );
  $items['admin/settings/password_policy/configure'] = array(
    'title' => 'Settings',
    'type' => MENU_DEFAULT_LOCAL_TASK,
  );
  $items['admin/settings/password_policy/list'] = array(
    'title' => 'List',
    'type' => MENU_LOCAL_TASK,
    'page callback' => 'drupal_get_form',
    'page arguments' => array('password_policy_admin_list'),
    'access arguments' => array('administer site configuration'),
    'weight' => 1,
    'file' => 'password_policy.admin.inc',
  );
  $items['admin/settings/password_policy/add'] = array(
    'title' => 'Add',
    'type' => MENU_LOCAL_TASK,
    'page callback' => 'drupal_get_form',
    'page arguments' => array('password_policy_admin_form', NULL),
    'access arguments' => array('administer site configuration'),
    'weight' => 2,
    'file' => 'password_policy.admin.inc',
  );
  $items['admin/settings/password_policy/%pp_policy'] = array(
    'title callback' => 'password_policy_format_title',
    'title arguments' => array(3),
    'type' => MENU_CALLBACK,
    'page callback' => 'password_policy_admin_view',
    'page arguments' => array(3),
    'access arguments' => array('administer site configuration'),
    'file' => 'password_policy.admin.inc',
  );
  $items['admin/settings/password_policy/%pp_policy/view'] = array(
    'title' => 'View',
    'type' => MENU_DEFAULT_LOCAL_TASK,
  );
  $items['admin/settings/password_policy/%pp_policy/edit'] = array(
    'title' => 'Edit',
    'type' => MENU_LOCAL_TASK,
    'page callback' => 'drupal_get_form',
    'page arguments' => array('password_policy_admin_form', 3),
    'access arguments' => array('administer site configuration'),
    'weight' => 1,
    'file' => 'password_policy.admin.inc',
  );
  $items['admin/settings/password_policy/delete'] = array(
    'title' => 'Delete',
    'type' => MENU_CALLBACK,
    'page callback' => 'drupal_get_form',
    'page arguments' => array('password_policy_admin_delete'),
    'access arguments' => array('administer site configuration'),
    'file' => 'password_policy.admin.inc',
  );
  $items['admin/user/expired'] = array(
    'title' => 'Expired accounts',
    'description' => 'Lists all expired accounts.',
    'page callback' => 'password_policy_expired_list',
    'page arguments' => array('password_policy_list_expired'),
    'access arguments' => array('unblock expired accounts'),
  );
  $items['admin/user/expired/unblock/%pp_uid'] = array(
    'title' => 'Unblock',
    'type' => MENU_CALLBACK,
    'page callback' => 'password_policy_expired_unblock',
    'page arguments' => array(4),
    'access arguments' => array('unblock expired accounts'),
  );
  return $items;
}

/**
 * Load policy array from the database.
 *
 * @param $pid
 *   The policy id
 *
 * @return
 *   A populated policy array or NULL if not found.
 */
function pp_policy_load($pid) {
  static $policies = array();

  if (is_numeric($pid)) {
    if (isset($policies[$pid])) {
      return $policies[$pid];
    }
    else {
      $policy = _password_policy_load_policy_by_pid($pid);
      if ($policy) {
        $policies[$pid] = $policy;
        return $policy;
      }
    }
  }
  return FALSE;
}

/**
 * Load user object from the database.
 *
 * @param $id
 *   The user id
 *
 * @return
 *   A populated user object or NULL if not found.
 */
function pp_uid_load($id) {
  if (is_numeric($id)) {
    $account = user_load(array('uid' => $id));
    if ($account) {
      return $account;
    }
  }
  return FALSE;
}

/**
 * Display a password policy form title.
 *
 * @param $policy
 *   Policy array
 *
 * @return
 *   A policy's title string
 */
function password_policy_format_title($policy) {
  return $policy['name'];
}

/**
 * Implementation of hook_user().
 */
function password_policy_user($op, &$edit, &$account, $category = NULL) {
  switch ($op) {
    case "insert":
      if (!empty($edit['pass'])) {
        // New users do not yet have an uid during the validation step, but they do have at this insert step.
        // Store their first password in the system for use with the history constraint (if used).
        if ($account->uid) {
          _password_policy_store_password($account->uid, $edit['pass']);
        }
      }
      break;
    case "login":
      $policy = _password_policy_load_active_policy();
      // A value $edit['name'] is NULL for a one time login
      if ($policy && ($account->uid > 1 || PASSWORD_POLICY_ADMIN) && !empty($edit['name'])) {
        // Calculate expiration and warning times.
        $expiration = $policy['expiration'];
        $warning = max(explode(',', $policy['warning']));
        $expiration_seconds = $expiration*60*60*24;
        $warning_seconds = $warning*60*60*24;
        // The policy was enabled
        $policy_start = _password_policy_start($expiration_seconds);
        if (!empty($expiration)) {
          // Account expiration is active.
          // Get the last password change time.
          $result = db_query_range("SELECT * FROM {password_policy_history} WHERE uid = %d ORDER BY created DESC", $account->uid, 0, 1);
          if ($row = db_fetch_object($result)) {
            $last_change = $row->created;
          }
          else {
            // A user has not changed his pwd after this module had been enabled.
            $last_change = $account->created;
          }
          $time = time();
          if ($time > max($policy_start, $last_change) + $expiration_seconds) {
            // The account has expired.
            db_query("UPDATE {users} SET status = '0' WHERE uid = %d", $account->uid);
            $result = db_query("SELECT * FROM {password_policy_expiration} WHERE uid = %d", $account->uid);
            if ($row = db_fetch_array($result)) {
              db_query("UPDATE {password_policy_expiration} SET blocked = %d WHERE uid = %d", $time, $account->uid);
            }
            else {
              db_query("INSERT INTO {password_policy_expiration} (uid, blocked) VALUES (%d, %d)", $account->uid, $time);
            }
            watchdog('password_policy', 'Password for user %name has expired.', array('%name' => $account->name), WATCHDOG_NOTICE, l(t('edit'), 'user/'. $account->uid .'/edit'));
            if (PASSWORD_POLICY_BLOCK == 0) {
              // User is blocked imediately and cannot change his password after expiration.
              include_once(drupal_get_path('module', 'user') .'/user.pages.inc');
              user_logout();
            }
            else {
              // User is transfered to a password change page. User is unblocked on password change.
              // If the user don't change password now, he will not be able to login again, since he is still blocked.
              drupal_set_message(t('Your password has expired. You have to change it now or you won\'t be able to login again.'), 'error');
              $destination = drupal_get_destination();
              unset($_REQUEST['destination']);
              drupal_goto('user/'. $account->uid .'/'. (module_exists('password_policy_password_tab') ? 'password' : 'edit'), $destination);
            }
          }
          elseif ($time > max($policy_start, $last_change) + $expiration_seconds - $warning_seconds) {
            // The warning is shown on login and the user is transfered to the password change page.
            $days_left = ceil((max($policy_start, $last_change) + $expiration_seconds - $time)/(60*60*24));
            drupal_set_message(format_plural($days_left, 'Your password will expire in less than one day. Please change it.', 'Your password will expire in less than @count days. Please change it.'));
            $destination = drupal_get_destination();
            unset($_REQUEST['destination']);
            drupal_goto('user/'. $account->uid .'/'. (module_exists('password_policy_password_tab') ? 'password' : 'edit'), $destination);
          }
        }
      }
      break;
    case "delete":
      db_query("DELETE FROM {password_policy_history} WHERE uid = %d", $account->uid);
      db_query("DELETE FROM {password_policy_expiration} WHERE uid = %d", $account->uid);
      break;
    case "submit":
      if ($account->status == 0 && isset($edit['status']) && $edit['status'] == 1 && user_access('unblock expired accounts')) {
        // Account is beeing unblocked.
        _password_policy_unblock($account);
      }
      break;
  }
}

/**
 * Implementation of hook_form_alter().
 */
function password_policy_form_alter(&$form, $form_state, $form_id) {
  switch ($form_id) {
    case "user_profile_form":
    case "user_register":
      // Password change form.
      $uid = isset($form['#uid']) ? $form['#uid'] : NULL;
      //if ($uid == 1 && !PASSWORD_POLICY_ADMIN) { break; }
      $policy = _password_policy_load_active_policy();
      $translate = array();
      if (!empty($policy['policy'])) {
        // Some policy constraints are active.
        password_policy_add_policy_js($policy, $uid);
        foreach ($policy['policy'] as $key => $value) {
          $translate['constraint_'. $key] = _password_policy_constraint_error($key, $value);
        }
      }

      // Printing out the restrictions.
      if (PASSWORD_POLICY_SHOW_RESTRICTIONS && isset($translate)) {
        $form['account']['pass']['#prefix'] = '<div id="account-pass-restrictions"><ul><li>'. implode('</li><li>', $translate) .'</li></ul></div>';
      }

      // Set a custom form validate and submit handlers.
      $form['#validate'][] = 'password_policy_password_validate';
      $form['#submit'][] = 'password_policy_password_submit';
      break;
  }
}

/**
 * Implementation of hook_cron().
 */
function password_policy_cron() {
  $policy = _password_policy_load_active_policy();
  if ($policy) {
    $expiration = $policy['expiration'];
    $warnings = explode(',', $policy['warning']);
    if (!empty($expiration)) {
      // Accounts expiration is active.
      // Get all users' last password change time. We don't touch blocked accounts
      $result = db_query("SELECT u.uid AS uid, u.created AS created_u, p.created AS created_p, e.pid AS pid, e.warning AS warning, e.unblocked AS unblocked FROM {users} u LEFT JOIN {password_policy_history} p ON u.uid = p.uid LEFT JOIN {password_policy_expiration} e ON u.uid = e.uid WHERE u.uid > 0 AND u.status = '1' ORDER BY p.created ASC");
      while ($row = db_fetch_object($result)) {
        if ($row->uid == 1 && !PASSWORD_POLICY_ADMIN)
          continue;

        // Use account creation timestamp if there is no entry in password history table.
        $accounts[$row->uid] = empty($row->created_p) ? $row->created_u : $row->created_p;
        // Last time a warning was mailed out (if was). We need it because we send warnings only once a day, not on all cron runs.
        $warns[$row->uid] = $row->warning;
        // The user was last time unblocked (if was). We don't block this account again for some period of time.
        $unblocks[$row->uid] = $row->unblocked;
        // The user was last time unblocked (if was). We don't block this account again for some period of time.
        $pids[$row->uid] = $row->pid;
      }
      // Calculate expiration time.
      $expiration_seconds = $expiration*60*60*24;
      $policy_start = _password_policy_start($expiration_seconds);
      rsort($warnings, SORT_NUMERIC);
      $time = time();
      if ($accounts) {
        foreach ($accounts as $uid => $last_change) {
          // Check expiration and warning days for each account.
          if (!empty($warnings)) {
            foreach ($warnings as $warning) {
              // Loop through all configured warning send out days. If today is the day we send out the warning.
              $warning_seconds = $warning*60*60*24;
              // Warning start time.
              $start_period = max($policy_start, $last_change) + $expiration_seconds - $warning_seconds;
              // Warning end time. We create a one day window for cron to run.
              $end_period = $start_period + 60*60*24;
              if ($warns[$uid] && $warns[$uid] > $start_period && $warns[$uid] < $end_period) {
                // A warning was already mailed out
                continue;
              }
              if ($time > $start_period && $time < $end_period) {
                // A warning falls in the one day window, so we send out the warning.
                $account = user_load(array('uid' => $uid));
                $message = drupal_mail('password_policy', 'warning', $account->mail, user_preferred_language($account), array('account' => $account, 'days_left' => $warning));
                if ($message['result']) {
                  // The mail was sent out successfully.
                  watchdog('password_policy', 'Password expiration warning mailed to %username at %email.', array('%username' => $account->name, '%email' => $account->mail));
                }
                if ($pids[$uid]) {
                  db_query("UPDATE {password_policy_expiration} SET warning = %d WHERE uid = %d", $time, $uid);
                }
                else {
                  db_query("INSERT INTO {password_policy_expiration} (uid, warning) VALUES (%d, %d)", $uid, $time);
                }
              }
            }
          }
          if ($time > max($policy_start, $last_change) + $expiration_seconds && $time > $unblocks[$uid] + 60*60*24 && PASSWORD_POLICY_BLOCK == 0) {
            // Block expired accounts. Unblocked accounts are not blocked for 24h.
            // One time login lasts for a 24h.
            db_query("UPDATE {users} SET status = '0' WHERE uid = %d", $uid);
            if ($pids[$uid]) {
              db_query("UPDATE {password_policy_expiration} SET blocked = %d WHERE uid = %d", $time, $uid);
            }
            else {
              db_query("INSERT INTO {password_policy_expiration} (uid, blocked) VALUES (%d, %d)", $uid, $time);
            }

            $account = user_load(array('uid' => $uid));
            watchdog('password_policy', 'Password for user %name has expired.', array('%name' => $account->name), WATCHDOG_NOTICE, l(t('edit'), 'user/'. $account->uid .'/edit'));
          }
        }
      }
    }
  }
}

/**
 * Implementation of hook_mail().
 */
function password_policy_mail($key, &$message, $params) {
  $language = $message['language'];
  $variables = password_policy_mail_tokens($params, $language);
  $message['subject'] .= _password_policy_mail_text($key .'_subject', $language, $variables);
  $message['body'][] = _password_policy_mail_text($key .'_body', $language, $variables);
}

/**
 * Implementation of hook_simpletest().
 */
function password_policy_simpletest() {
  // Scan through mymodule/tests directory for any .test files to tell SimpleTest module.
  $tests = file_scan_directory(drupal_get_path('module', 'password_policy') .'/tests', '\.test');
  return array_keys($tests);
}

//////////////////////////////////////////////////////////////////////////////
// FAPI

/**
 * Password save validate handler.
 */
function password_policy_password_validate($form, &$form_state) {
  $values = $form_state['values'];
  $account = isset($form['_account']['#value']) ? $form['_account']['#value'] : (object)array('uid' => 0);

  if (!empty($values['pass']) && !isset($values['auth_openid'])) {
    $error = _password_policy_constraint_validate($values['pass'], $account);
    if ($error) {
      form_set_error('pass', t('Your password has not met the following requirement(s):') .'<ul><li>'. implode('</li><li>', $error) .'</li></ul>');
    }
  }
}

/**
 * Password save submit handler.
 */
function password_policy_password_submit($form, &$form_state) {
  global $user;

  $values = $form_state['values'];
  $account = isset($form['_account']['#value']) ? $form['_account']['#value'] : (object)array('uid' => 0);

  // Track the hashed password values which can then be used in the history constraint.
  if ($account->uid && !empty($values['pass'])) {
    _password_policy_store_password($account->uid, $values['pass']);

    // If user successfully changed his password we will unblock the account.
    if ($user->uid == $account->uid) {
      db_query("UPDATE {users} SET status = 1 WHERE uid = %d", $account->uid);
      db_query("DELETE FROM {password_policy_expiration} WHERE uid = %d", $account->uid);
    }
  }
}

//////////////////////////////////////////////////////////////////////////////
// Expired accounts UI

/**
 * Lists all expired accounts.
 */
function password_policy_expired_list() {
  $header[] = array('data' => t('Username'), 'field' => 'name');
  $header[] = array('data' => t('Blocked'), 'field' => 'blocked', 'sort' => 'desc');
  $header[] = array('data' => t('Unblocked'), 'field' => 'unblocked');
  $header[] = array('data' => t('Action'));

  $result = pager_query("SELECT p.*, u.name FROM {password_policy_expiration} p INNER JOIN {users} u ON p.uid = u.uid WHERE p.blocked > 0". tablesort_sql($header), PASSWORD_POLICY_ENTRIES_PER_PAGE, 0, NULL);
  while ($row = db_fetch_object($result)) {
    $entry[$row->uid]['name'] = l($row->name, 'user/'. $row->uid);
    $entry[$row->uid]['blocked'] = format_date($row->blocked, 'medium');
    $entry[$row->uid]['unblocked'] = $row->unblocked < $row->blocked ? '' : format_date($row->unblocked, 'medium');
    $entry[$row->uid]['action'] = $row->unblocked < $row->blocked ? l(t('unblock'), 'admin/user/expired/unblock/'. $row->uid) : '';
  }
  if (!isset($entry)) {
    $colspan = '4';
    $entry[] = array(array('data' => t('No entries'), 'colspan' => $colspan));
  }
  $page = theme('table', $header, $entry);
  $page .= theme('pager', NULL, PASSWORD_POLICY_ENTRIES_PER_PAGE, 0);

  return $page;
}

/**
 * Unblocks the expired account.
 */
function password_policy_expired_unblock($account) {
  // Unblock the user
  _password_policy_unblock($account);
  drupal_goto('admin/user/expired');
}

//////////////////////////////////////////////////////////////////////////////
// Mail handling

/**
 * Returns a mail string for a variable name.
 *
 * Used by password_policy_mail() and the settings forms to retrieve strings.
 */
function _password_policy_mail_text($key, $language = NULL, $variables = array()) {
  $langcode = isset($language) ? $language->language : NULL;

  if ($admin_setting = variable_get('password_policy_'. $key, FALSE)) {
    // An admin setting overrides the default string.
    return strtr($admin_setting, $variables);
  }
  else {
    // No override, return with default strings.
    switch ($key) {
      case 'warning_subject':
        return t('Password expiration warning for !username at !site', $variables, $langcode);
      case 'warning_body':
        return t("!username,\n\nYour password at !site will expire in less than !days_left day(s).\n\nPlease go to !edit_uri to change your password.", $variables, $langcode);
    }
  }
}

/**
 * Return an array of token to value mappings for user e-mail messages.
 *
 * @param $params
 *  Structured array with the parameters.
 * @param $language
 *  Language object to generate the tokens with.
 *
 * @return
 *  Array of mappings from token names to values (for use with strtr()).
 */
function password_policy_mail_tokens($params, $language) {
  global $base_url;
  $account = $params['account'];
  $tokens = array(
   '!username' => $account->name,
   '!site' => variable_get('site_name', 'Drupal'),
   '!uri' => $base_url,
   '!uri_brief' => drupal_substr($base_url, drupal_strlen('http://')),
   '!date' => format_date(time(), 'medium', '', NULL, $language->language),
   '!login_uri' => url('user', array('absolute' => TRUE)),
   '!edit_uri' => url('user/'. $account->uid .'/'. (module_exists('password_policy_password_tab') ? 'password' : 'edit'), array('absolute' => TRUE)),
   '!days_left' => isset($params['days_left']) ? $params['days_left'] : NULL,
   '!login_url' => isset($params['login_url']) ? $params['login_url'] : NULL,
  );
    return $tokens;
}

//////////////////////////////////////////////////////////////////////////////
// Constraints API

/**
 * Validates user password. Returns NULL on success or array with error messages
 * from the constraints on failure.
 *
 * @param $pass
 *   Clear text password.
 * @param &$account
 *   Populated user object.
 *
 * @return
 *   NULL or array with error messages.
 */
function _password_policy_constraint_validate($pass, &$account) {
  $error = NULL;
  $policy = _password_policy_load_active_policy();
  if (!empty($policy['policy'])) {
    foreach ($policy['policy'] as $key => $value) {
      if (!call_user_func('password_policy_constraint_'. $key .'_validate', $pass, $value, $account->uid)) {
        $error[] = call_user_func('password_policy_constraint_'. $key .'_error', $value);
      }
    }
  }
  return $error;
}

/**
 * Gets the constraint's name and description.
 *
 * @param $name
 *   Name of the constraint.
 *
 * @return
 *   Array containing the name and description.
 */
function _password_policy_constraint_description($name) {
  return call_user_func('password_policy_constraint_'. $name .'_description');
}

/**
 * Gets the constraint's error message.
 *
 * @param $name
 *   Name of the constraint.
 * @param $constraint
 *   Constraint value.
 *
 * @return
 *   Error message.
 */
function _password_policy_constraint_error($name, $constraint) {
  return call_user_func('password_policy_constraint_'. $name .'_error', $constraint);
}

/**
 * Gets the javascript code from the constraint to be added to the password validation.
 *
 * @param $name
 *   Name of the constraint.
 * @param $constraint
 *   Constraint value.
 * @param $uid
 *   User's id.
 *
 * @return
 *   Javascript code snippet for the constraint.
 */
function _password_policy_constraint_js($name, $constraint, $uid) {
  if (function_exists('password_policy_constraint_'. $name .'_js')) {
    return call_user_func('password_policy_constraint_'. $name .'_js', $constraint, $uid);
  }
}

//////////////////////////////////////////////////////////////////////////////
// Auxiliary functions

/**
 * Loads the policy with the specified id.
 *
 * @param $pid
 *   The policy id.
 *
 * @return
 *   A policy array, or NULL if no policy was found.
 */
function _password_policy_load_policy_by_pid($pid) {
  $result = db_query('SELECT * FROM {password_policy} WHERE pid = %d', $pid);
  $row = db_fetch_array($result);
  if (is_array($row)) {
    // fetch and unserialize the serialized policy
    $row['policy'] = unserialize($row['policy']);
    return $row;
  }
  return NULL;
}

/**
 * Loads the default (enabled and active) policy.
 *
 * @return
 *   A policy array, or NULL if no active policy exists.
 */
function _password_policy_load_active_policy() {
  $result = db_query('SELECT * FROM {password_policy} p WHERE p.enabled = 1');
  $row = db_fetch_array($result);
  if (is_array($row)) {
    // fetch and unserialize the serialized policy
    $row['policy'] = unserialize($row['policy']);
    return $row;
  }
  return NULL;
}

/**
 * Returns a timestamp when the policy was enabled.
 * It might be pushed back by the expiration time for the retroactive behaviour
 * based on the configuration options.
 *
 * @param $expiration
 *   Expiration time in seconds.
 *
 * @return
 *   A timestamp when a policy was enabled
 */
function _password_policy_start($expiration = 0) {
  $result = db_query_range("SELECT created FROM {password_policy} WHERE enabled = 1 ORDER BY enabled DESC", 0, 1);
  if ($row = db_fetch_object($result)) {
    $policy_start = $row->created;
  }
  if (PASSWORD_POLICY_BEGIN == 1) {
    // Password older than expiration time expires starting from setting the policy.
    $policy_start -= $expiration;
  }
  return $policy_start;
}

/**
 * Stores user password hash.
 *
 * @param $uid
 *   User id.
 * @param $pass
 *   Clear text password.
 */
function _password_policy_store_password($uid, $pass) {
  db_query("INSERT INTO {password_policy_history} (uid, pass, created) VALUES (%d, '%s', %d)", $uid, md5($pass), time());
}

/**
 * Unblocks the expired account.
 *
 * @param $uccount
 *   User pbject.
 */
function _password_policy_unblock($account) {
  // Unblock the user
  db_query("UPDATE {users} SET status = '1' WHERE uid = %d", $account->uid);
  db_query("UPDATE {password_policy_expiration} SET unblocked = %d WHERE uid = %d", time(), $account->uid);

  $message = drupal_mail('user', 'password_reset', $account->mail, user_preferred_language($account), array('account' => $account, 'login_url' => user_pass_reset_url($account)));
  if ($message['result']) {
    watchdog('password_policy', 'Password reset instructions mailed to %name at %email.', array('%name' => $account->name, '%email' => $account->mail));
  }
  drupal_set_message(t('The user %name has been unblocked.', array('%name' => $account->name)));
}

/**
 * Add password policy JS
 *
 * @param $policy
 *   A policy array.
 * @param $uid
 *   A user ID for which the policy is applied.
 */
function password_policy_add_policy_js($policy, $uid) {

  // Print out the javascript which checks the strength of the password.
  // It overwrites the defaut core javascript function.
  drupal_add_js(drupal_get_path('module', 'password_policy') .'/password_policy.js', 'module');
  $s = "/**\n";
  $s .= " * Evaluate the strength of a user's password.\n";
  $s .= " *\n";
  $s .= " * Returns the estimated strength and the relevant output message.\n";
  $s .= " */\n";
  $s .= "Drupal.evaluatePasswordStrength = function(value) {\n";
  $s .= "  var strength = \"high\", msg = [], translate = Drupal.settings.password_policy;\n";
  // Print out each constraint's javascript password strength evaluation.
  foreach ($policy['policy'] as $key => $value) {
    $s .= _password_policy_constraint_js($key, $value, $uid);
    // Constraints' error messages are used in javascript.
    $translate['constraint_'. $key] = _password_policy_constraint_error($key, $value);
  }
  $s .= "  msg = msg.length > 0 ? translate.needsMoreVariation +\"<ul><li>\"+ msg.join(\"</li><li>\") +\"</li></ul>\" : \"\";\n";
  $s .= "  return { strength: strength, message: msg };\n";
  $s .= "};\n";
  drupal_add_js($s, 'inline');

  drupal_add_js(array(
    'password_policy' => array_merge(array(
      'strengthTitle' => t('Password quality:'),
      'lowStrength' => t('Bad'),
      'mediumStrength' => t('Medium'),
      'highStrength' => t('Good'),
      'needsMoreVariation' => t('The password does not include enough variation to be secure.'),
      'confirmSuccess' => t('Yes'),
      'confirmFailure' => t('No'),
      'confirmTitle' => t('Passwords match:')), $translate)),
    'setting');
}
