getnikola · Jan 22, 2015
diff --git a/‎coil/data/coil_assets/css/coil.css
+4 b/‎coil/data/coil_assets/css/coil.css
+4
diff --git a/‎coil/data/templates/jinja/coil_users.tmpl
+43-41 b/‎coil/data/templates/jinja/coil_users.tmpl
+43-41
diff --git a/‎coil/data/templates/jinja/coil_users_edit.tmpl
+9 b/‎coil/data/templates/jinja/coil_users_edit.tmpl
+9
diff --git a/‎coil/data/templates/jinja/coil_users_permissions.tmpl
+15-11 b/‎coil/data/templates/jinja/coil_users_permissions.tmpl
+15-11
diff --git a/‎coil/data/templates/mako/coil_users.tmpl
+43-41 b/‎coil/data/templates/mako/coil_users.tmpl
+43-41
diff --git a/‎coil/data/templates/mako/coil_users_edit.tmpl
+9 b/‎coil/data/templates/mako/coil_users_edit.tmpl
+9
diff --git a/‎coil/data/templates/mako/coil_users_permissions.tmpl
+15-11 b/‎coil/data/templates/mako/coil_users_permissions.tmpl
+15-11
diff --git a/‎coil/forms.py
+5-1 b/‎coil/forms.py
+5-1
diff --git a/‎coil/utils.py
+7-1 b/‎coil/utils.py
+7-1
diff --git a/‎coil/web.py
+116-62 b/‎coil/web.py
+116-62
diff --git a/‎docs/admin/users.rst
+39-10 b/‎docs/admin/users.rst
+39-10
diff --git a/‎docs/internals.rst
+4-5 b/‎docs/internals.rst
+4-5
@@ -90,6 +90,10 @@ table.users .uid {
     text-align: center;
 }
 
+.perm-descr {
+    font-size: x-small;
+}
+
 /* login (copied from Bootstrap example) */
 
 .form-signin {
 
@@ -41,57 +41,59 @@ $('#deleteModal').on('show.bs.modal', function (event) {
 
 <table class="table table-hover users" style="table-layout: fixed;">
 <thead><tr>
-    <th class="uid">#</th>
-    <th class="username">Username</th>
-    <th class="realname">Real name</th>
-    <th class="email">E-mail address</th>
-    <th class="is_admin">Admin</th>
-    <th class="actions">Actions</th>
+<th class="uid">#</th>
+<th class="username">Username</th>
+<th class="realname">Real name</th>
+<th class="email">E-mail address</th>
+<th class="is_admin">Admin</th>
+<th class="actions">Actions</th>
 </tr></thead>
 {% for uid, user in USERS %}
 {% if user.active %}
 <tr>
 {% else %}
 <tr class="danger inactive-user">
 {% endif %}
-    <td class="uid">{{ uid }}</td>
-    <td class="username">{{ user.username }}</td>
-    <td class="realname">{{ user.realname }}</td>
-    <td class="email">{{ user.email }}</td>
-    <td class="actions">
-    {% if user.is_admin %}
-    <i class="fa fa-check"></i>
-    {% else %}
-    <i class="fa fa-times"></i>
-    {% endif %}
-    </td>
-    <td class="actions">
-    <form action="{{ url_for('acp_users_edit') }}" method="POST">{{ editform.csrf_token }}
-    <input type="hidden" name="uid" value="{{ uid }}">
-    <input type="hidden" name="action" value="edit">
-    <div class="btn-group" role="group">
-    {% if user.active %}
-        <button type="submit" class="btn btn-sm btn-info" title="Edit"><i class="fa fa-pencil fa-fw"></i> Edit</button>
-        {% if user.uid == current_user.uid %}
-        <button type="button" class="btn btn-sm btn-danger" title="Delete" disabled><i class="fa fa-trash fa-fw"></i> Delete</button>
-        {% else %}
-        <button type="button" class="btn btn-sm btn-danger" data-toggle="modal" data-target="#deleteModal" data-username="{{ user.username }}" data-uid="{{ uid }}" data-direction="del" title="Delete"><i class="fa fa-trash fa-fw"></i> Delete</button>
-        {% endif %}
-    {% else %}
-        <button type="button" class="btn btn-sm btn-info" title="Edit" disabled><i class="fa fa-pencil fa-fw"></i> Edit</button>
-        <button type="button" class="btn btn-sm btn-success" data-toggle="modal" data-target="#deleteModal" data-username="{{ user.username }}" data-uid="{{ uid }}" data-direction="undel" title="Undelete"><i class="fa fa-trash-o fa-fw"></i> Undelete</button>
-    {% endif %}
-    </div>
-    </form>
+<td class="uid">{{ uid }}</td>
+<td class="username">{{ user.username }}</td>
+<td class="realname">{{ user.realname }}</td>
+<td class="email">{{ user.email }}</td>
+<td class="actions">
+{% if user.is_admin %}
+<i class="fa fa-check"></i>
+{% else %}
+<i class="fa fa-times"></i>
+{% endif %}
+</td>
+<td class="actions">
+<form action="{{ url_for('acp_users_edit') }}" method="POST">{{ editform.csrf_token }}
+<input type="hidden" name="uid" value="{{ uid }}">
+<input type="hidden" name="action" value="edit">
+<div class="btn-group" role="group">
+{% if user.active %}
+<button type="submit" class="btn btn-sm btn-info" title="Edit"><i class="fa fa-pencil fa-fw"></i> Edit</button>
+{% if user.uid == current_user.uid %}
+<button type="button" class="btn btn-sm btn-danger" title="Delete" disabled><i class="fa fa-trash fa-fw"></i> Delete</button>
+{% else %}
+<button type="button" class="btn btn-sm btn-danger" data-toggle="modal" data-target="#deleteModal" data-username="{{ user.username }}" data-uid="{{ uid }}" data-direction="del" title="Delete"><i class="fa fa-trash fa-fw"></i> Delete</button>
+{% endif %}
+{% else %}
+<button type="button" class="btn btn-sm btn-info" title="Edit" disabled><i class="fa fa-pencil fa-fw"></i> Edit</button>
+<button type="button" class="btn btn-sm btn-success" data-toggle="modal" data-target="#deleteModal" data-username="{{ user.username }}" data-uid="{{ uid }}" data-direction="undel" title="Undelete"><i class="fa fa-trash-o fa-fw"></i> Undelete</button>
+{% endif %}
+</div>
+</form>
 </tr>
 {% endfor %}
 <tr><form action="{{ url_for('acp_users_edit') }}" method="POST">{{ editform.csrf_token }}
-    <td></td>
-    <td><input name="username" placeholder="New user" class="form-control"></td>
-    <td><input name="action" value="new" type="hidden"></td>
-    <td></td>
-    <td></td>
-    <td><button type="submit" class="btn btn-sm btn-primary"><i class="fa fa-plus-square fa-fw"></i> Create</button></td>
+<td class="uid"><strong>Create:</strong></td>
+<td colspan="4"><input name="username" placeholder="New user" class="form-control input-sm"></td>
+<td><button type="submit" class="btn btn-sm btn-primary"><i class="fa fa-plus-square fa-fw"></i> Create</button></td>
+</form></tr>
+<tr><form action="{{ url_for('acp_users_import') }}" method="POST" enctype="multipart/form-data">{{ importform.csrf_token }}
+<td class="uid"><strong>Import:</strong></td>
+<td colspan="4"><input name="tsv" type="file" required></td>
+<td><button type="submit" class="btn btn-sm btn-primary"><i class="fa fa-file-text-o fa-fw"></i> Import TSV</button></td>
 </form></tr>
 </table>
 
 
@@ -95,6 +95,15 @@
                     {% endif %}
                     > User is an administrator
                 </label></div>
+            <div class="checkbox"><label><input type="checkbox" name="must_change_password"
+                    {% if user.must_change_password %}
+                    checked
+                    {% endif %}
+                    {% if user.uid == current_user.uid %}
+                    disabled
+                    {% endif %}
+                    > User must change password on next login
+                </label></div>
             <div class="checkbox"><label><input type="checkbox" name="can_edit_all_posts"
                     {% if user.can_edit_all_posts %}
                     checked
 
@@ -2,7 +2,7 @@
 {% extends 'base.tmpl' %}
 {% block extra_js %}
 <script>
-var PERMISSIONS = {{ json.dumps(PERMISSIONS) }};
+var PERMISSIONS = {{ json.dumps(PERMISSIONS_E) }};
 var UIDS = {{ json.dumps(UIDS) }};
 var current_uid = {{ current_user.uid }};
 $(document).ready(function() {
@@ -54,35 +54,39 @@ $(document).ready(function() {
 {% endif %}
 
 <form action="{{ url_for('acp_users_permissions') }}" method="POST">
-<table class="table table-hover users" style="table-layout: fixed;">
+<table class="table table-hover users">
 <thead><tr>
     <th class="uid">#</th>
     <th class="username">Username</th>
-    <th class="perm is_active">Active<br>
+    <th class="perm is_active"><div class="perm-descr">Active</div>
         <button type="button" class="btn btn-info btn-xs select_all-perm" data-perm="is_active"><i class="fa fa-check-square-o fa-fw"></i></button>
         <button type="button" class="btn btn-info btn-xs select_none-perm" data-perm="is_active"><i class="fa fa-square-o fa-fw"></i></button>
     </th>
-    <th class="perm is_admin">Admin<br>
+    <th class="perm is_admin"><div class="perm-descr">Admin</div>
         <button type="button" class="btn btn-info btn-xs select_all-perm" data-perm="is_admin"><i class="fa fa-check-square-o fa-fw"></i></button>
         <button type="button" class="btn btn-info btn-xs select_none-perm" data-perm="is_admin"><i class="fa fa-square-o fa-fw"></i></button>
     </th>
-    <th class="perm can_edit_all_posts">Can all posts<br>
+    <th class="perm must_change_password"><div class="perm-descr">Must change password</div>
+        <button type="button" class="btn btn-info btn-xs select_all-perm" data-perm="must_change_password"><i class="fa fa-check-square-o fa-fw"></i></button>
+        <button type="button" class="btn btn-info btn-xs select_none-perm" data-perm="must_change_password"><i class="fa fa-square-o fa-fw"></i></button>
+    </th>
+    <th class="perm can_edit_all_posts"><div class="perm-descr">Can all posts</div>
         <button type="button" class="btn btn-info btn-xs select_all-perm" data-perm="can_edit_all_posts"><i class="fa fa-check-square-o fa-fw"></i></button>
         <button type="button" class="btn btn-info btn-xs select_none-perm" data-perm="can_edit_all_posts"><i class="fa fa-square-o fa-fw"></i></button>
     </th>
-    <th class="perm wants_all_posts">Wants all posts<br>
+    <th class="perm wants_all_posts"><div class="perm-descr">Wants all posts</div>
         <button type="button" class="btn btn-info btn-xs select_all-perm" data-perm="wants_all_posts"><i class="fa fa-check-square-o fa-fw"></i></button>
         <button type="button" class="btn btn-info btn-xs select_none-perm" data-perm="wants_all_posts"><i class="fa fa-square-o fa-fw"></i></button>
     </th>
-    <th class="perm can_upload_attachments">Attachments<br>
+    <th class="perm can_upload_attachments"><div class="perm-descr">Attachments</div>
         <button type="button" class="btn btn-info btn-xs select_all-perm" data-perm="can_upload_attachments"><i class="fa fa-check-square-o fa-fw"></i></button>
         <button type="button" class="btn btn-info btn-xs select_none-perm" data-perm="can_upload_attachments"><i class="fa fa-square-o fa-fw"></i></button>
     </th>
-    <th class="perm can_rebuild_site">Rebuild<br>
+    <th class="perm can_rebuild_site"><div class="perm-descr">Rebuild</div>
         <button type="button" class="btn btn-info btn-xs select_all-perm" data-perm="can_rebuild_site"><i class="fa fa-check-square-o fa-fw"></i></button>
         <button type="button" class="btn btn-info btn-xs select_none-perm" data-perm="can_rebuild_site"><i class="fa fa-square-o fa-fw"></i></button>
     </th>
-    <th class="perm can_transfer_post_authorship">Transfer authorship<br>
+    <th class="perm can_transfer_post_authorship"><div class="perm-descr">Transfer authorship</div>
         <button type="button" class="btn btn-info btn-xs select_all-perm" data-perm="can_transfer_post_authorship"><i class="fa fa-check-square-o fa-fw"></i></button>
         <button type="button" class="btn btn-info btn-xs select_none-perm" data-perm="can_transfer_post_authorship"><i class="fa fa-square-o fa-fw"></i></button>
     </th>
@@ -93,7 +97,7 @@ $(document).ready(function() {
 <tr class="u{{ uid }}">
     <td class="uid">{{ uid }}</td>
     <td class="username">{{ user.username }}</td>
-    {% for p in PERMISSIONS %}
+    {% for p in PERMISSIONS_E %}
     <td class="perm
 {% if p == 'active' %}
 is_active
@@ -102,7 +106,7 @@ is_active
 {% endif %}
 ">{{ display_permission(user, p) }}</td>
     {% endfor %}
-    <td class="select_all"><button type="button" class="btn btn-info select_all-user" data-uid="{{ uid }}"><i class="fa fa-check-square-o fa-fw"></i></button> <button type="button" class="btn btn-info select_none-user" data-uid="{{ uid }}"><i class="fa fa-square-o fa-fw"></i></button></td>
+    <td class="select_all"><button type="button" class="btn btn-sm btn-info select_all-user" data-uid="{{ uid }}"><i class="fa fa-check-square-o fa-fw"></i></button> <button type="button" class="btn btn-sm btn-info select_none-user" data-uid="{{ uid }}"><i class="fa fa-square-o fa-fw"></i></button></td>
 </tr>
 {% endif %}
 {% endfor %}
 
@@ -41,57 +41,59 @@ $('#deleteModal').on('show.bs.modal', function (event) {
 
 <table class="table table-hover users" style="table-layout: fixed;">
 <thead><tr>
-    <th class="uid">#</th>
-    <th class="username">Username</th>
-    <th class="realname">Real name</th>
-    <th class="email">E-mail address</th>
-    <th class="is_admin">Admin</th>
-    <th class="actions">Actions</th>
+<th class="uid">#</th>
+<th class="username">Username</th>
+<th class="realname">Real name</th>
+<th class="email">E-mail address</th>
+<th class="is_admin">Admin</th>
+<th class="actions">Actions</th>
 </tr></thead>
 % for uid, user in USERS:
 % if user.active:
 <tr>
 % else:
 <tr class="danger inactive-user">
 % endif
-    <td class="uid">${uid}</td>
-    <td class="username">${user.username}</td>
-    <td class="realname">${user.realname}</td>
-    <td class="email">${user.email}</td>
-    <td class="actions">
-    % if user.is_admin:
-    <i class="fa fa-check"></i>
-    % else:
-    <i class="fa fa-times"></i>
-    % endif
-    </td>
-    <td class="actions">
-    <form action="${url_for('acp_users_edit')}" method="POST">${editform.csrf_token}
-    <input type="hidden" name="uid" value="${uid}">
-    <input type="hidden" name="action" value="edit">
-    <div class="btn-group" role="group">
-    % if user.active:
-        <button type="submit" class="btn btn-sm btn-info" title="Edit"><i class="fa fa-pencil fa-fw"></i> Edit</button>
-        % if user.uid == current_user.uid:
-        <button type="button" class="btn btn-sm btn-danger" title="Delete" disabled><i class="fa fa-trash fa-fw"></i> Delete</button>
-        % else:
-        <button type="button" class="btn btn-sm btn-danger" data-toggle="modal" data-target="#deleteModal" data-username="${user.username}" data-uid="${uid}" data-direction="del" title="Delete"><i class="fa fa-trash fa-fw"></i> Delete</button>
-        % endif
-    % else:
-        <button type="button" class="btn btn-sm btn-info" title="Edit" disabled><i class="fa fa-pencil fa-fw"></i> Edit</button>
-        <button type="button" class="btn btn-sm btn-success" data-toggle="modal" data-target="#deleteModal" data-username="${user.username}" data-uid="${uid}" data-direction="undel" title="Undelete"><i class="fa fa-trash-o fa-fw"></i> Undelete</button>
-    % endif
-    </div>
-    </form>
+<td class="uid">${uid}</td>
+<td class="username">${user.username}</td>
+<td class="realname">${user.realname}</td>
+<td class="email">${user.email}</td>
+<td class="actions">
+% if user.is_admin:
+<i class="fa fa-check"></i>
+% else:
+<i class="fa fa-times"></i>
+% endif
+</td>
+<td class="actions">
+<form action="${url_for('acp_users_edit')}" method="POST">${editform.csrf_token}
+<input type="hidden" name="uid" value="${uid}">
+<input type="hidden" name="action" value="edit">
+<div class="btn-group" role="group">
+% if user.active:
+<button type="submit" class="btn btn-sm btn-info" title="Edit"><i class="fa fa-pencil fa-fw"></i> Edit</button>
+% if user.uid == current_user.uid:
+<button type="button" class="btn btn-sm btn-danger" title="Delete" disabled><i class="fa fa-trash fa-fw"></i> Delete</button>
+% else:
+<button type="button" class="btn btn-sm btn-danger" data-toggle="modal" data-target="#deleteModal" data-username="${user.username}" data-uid="${uid}" data-direction="del" title="Delete"><i class="fa fa-trash fa-fw"></i> Delete</button>
+% endif
+% else:
+<button type="button" class="btn btn-sm btn-info" title="Edit" disabled><i class="fa fa-pencil fa-fw"></i> Edit</button>
+<button type="button" class="btn btn-sm btn-success" data-toggle="modal" data-target="#deleteModal" data-username="${user.username}" data-uid="${uid}" data-direction="undel" title="Undelete"><i class="fa fa-trash-o fa-fw"></i> Undelete</button>
+% endif
+</div>
+</form>
 </tr>
 % endfor
 <tr><form action="${url_for('acp_users_edit')}" method="POST">${editform.csrf_token}
-    <td></td>
-    <td><input name="username" placeholder="New user" class="form-control"></td>
-    <td><input name="action" value="new" type="hidden"></td>
-    <td></td>
-    <td></td>
-    <td><button type="submit" class="btn btn-sm btn-primary"><i class="fa fa-plus-square fa-fw"></i> Create</button></td>
+<td class="uid"><strong>Create:</strong></td>
+<td colspan="4"><input name="username" placeholder="New user" class="form-control input-sm"></td>
+<td><button type="submit" class="btn btn-sm btn-primary"><i class="fa fa-plus-square fa-fw"></i> Create</button></td>
+</form></tr>
+<tr><form action="${url_for('acp_users_import')}" method="POST" enctype="multipart/form-data">${importform.csrf_token}
+<td class="uid"><strong>Import:</strong></td>
+<td colspan="4"><input name="tsv" type="file" required></td>
+<td><button type="submit" class="btn btn-sm btn-primary"><i class="fa fa-file-text-o fa-fw"></i> Import TSV</button></td>
 </form></tr>
 </table>
 
 
@@ -95,6 +95,15 @@
                     % endif
                     > User is an administrator
                 </label></div>
+            <div class="checkbox"><label><input type="checkbox" name="must_change_password"
+                    % if user.must_change_password:
+                    checked
+                    % endif
+                    % if user.uid == current_user.uid:
+                    disabled
+                    % endif
+                    > User must change password on next login
+                </label></div>
             <div class="checkbox"><label><input type="checkbox" name="can_edit_all_posts"
                     % if user.can_edit_all_posts:
                     checked
 
@@ -2,7 +2,7 @@
 <%inherit file="base.tmpl"/>
 <%block name="extra_js">
 <script>
-var PERMISSIONS = ${json.dumps(PERMISSIONS)};
+var PERMISSIONS = ${json.dumps(PERMISSIONS_E)};
 var UIDS = ${json.dumps(UIDS)};
 var current_uid = ${current_user.uid};
 $(document).ready(function() {
@@ -54,35 +54,39 @@ $(document).ready(function() {
 % endif
 
 <form action="${url_for('acp_users_permissions')}" method="POST">
-<table class="table table-hover users" style="table-layout: fixed;">
+<table class="table table-hover users">
 <thead><tr>
     <th class="uid">#</th>
     <th class="username">Username</th>
-    <th class="perm is_active">Active<br>
+    <th class="perm is_active"><div class="perm-descr">Active</div>
         <button type="button" class="btn btn-info btn-xs select_all-perm" data-perm="is_active"><i class="fa fa-check-square-o fa-fw"></i></button>
         <button type="button" class="btn btn-info btn-xs select_none-perm" data-perm="is_active"><i class="fa fa-square-o fa-fw"></i></button>
     </th>
-    <th class="perm is_admin">Admin<br>
+    <th class="perm is_admin"><div class="perm-descr">Admin</div>
         <button type="button" class="btn btn-info btn-xs select_all-perm" data-perm="is_admin"><i class="fa fa-check-square-o fa-fw"></i></button>
         <button type="button" class="btn btn-info btn-xs select_none-perm" data-perm="is_admin"><i class="fa fa-square-o fa-fw"></i></button>
     </th>
-    <th class="perm can_edit_all_posts">Can all posts<br>
+    <th class="perm must_change_password"><div class="perm-descr">Must change password</div>
+        <button type="button" class="btn btn-info btn-xs select_all-perm" data-perm="must_change_password"><i class="fa fa-check-square-o fa-fw"></i></button>
+        <button type="button" class="btn btn-info btn-xs select_none-perm" data-perm="must_change_password"><i class="fa fa-square-o fa-fw"></i></button>
+    </th>
+    <th class="perm can_edit_all_posts"><div class="perm-descr">Can all posts</div>
         <button type="button" class="btn btn-info btn-xs select_all-perm" data-perm="can_edit_all_posts"><i class="fa fa-check-square-o fa-fw"></i></button>
         <button type="button" class="btn btn-info btn-xs select_none-perm" data-perm="can_edit_all_posts"><i class="fa fa-square-o fa-fw"></i></button>
     </th>
-    <th class="perm wants_all_posts">Wants all posts<br>
+    <th class="perm wants_all_posts"><div class="perm-descr">Wants all posts</div>
         <button type="button" class="btn btn-info btn-xs select_all-perm" data-perm="wants_all_posts"><i class="fa fa-check-square-o fa-fw"></i></button>
         <button type="button" class="btn btn-info btn-xs select_none-perm" data-perm="wants_all_posts"><i class="fa fa-square-o fa-fw"></i></button>
     </th>
-    <th class="perm can_upload_attachments">Attachments<br>
+    <th class="perm can_upload_attachments"><div class="perm-descr">Attachments</div>
         <button type="button" class="btn btn-info btn-xs select_all-perm" data-perm="can_upload_attachments"><i class="fa fa-check-square-o fa-fw"></i></button>
         <button type="button" class="btn btn-info btn-xs select_none-perm" data-perm="can_upload_attachments"><i class="fa fa-square-o fa-fw"></i></button>
     </th>
-    <th class="perm can_rebuild_site">Rebuild<br>
+    <th class="perm can_rebuild_site"><div class="perm-descr">Rebuild</div>
         <button type="button" class="btn btn-info btn-xs select_all-perm" data-perm="can_rebuild_site"><i class="fa fa-check-square-o fa-fw"></i></button>
         <button type="button" class="btn btn-info btn-xs select_none-perm" data-perm="can_rebuild_site"><i class="fa fa-square-o fa-fw"></i></button>
     </th>
-    <th class="perm can_transfer_post_authorship">Transfer authorship<br>
+    <th class="perm can_transfer_post_authorship"><div class="perm-descr">Transfer authorship</div>
         <button type="button" class="btn btn-info btn-xs select_all-perm" data-perm="can_transfer_post_authorship"><i class="fa fa-check-square-o fa-fw"></i></button>
         <button type="button" class="btn btn-info btn-xs select_none-perm" data-perm="can_transfer_post_authorship"><i class="fa fa-square-o fa-fw"></i></button>
     </th>
@@ -93,7 +97,7 @@ $(document).ready(function() {
 <tr class="u${uid}">
     <td class="uid">${uid}</td>
     <td class="username">${user.username}</td>
-    % for p in PERMISSIONS:
+    % for p in PERMISSIONS_E:
     <td class="perm
 % if p == 'active':
 is_active
@@ -102,7 +106,7 @@ ${p}
 %endif
 ">${display_permission(user, p)}</td>
     % endfor
-    <td class="select_all"><button type="button" class="btn btn-info select_all-user" data-uid="${uid}"><i class="fa fa-check-square-o fa-fw"></i></button> <button type="button" class="btn btn-info select_none-user" data-uid="${uid}"><i class="fa fa-square-o fa-fw"></i></button></td>
+    <td class="select_all"><button type="button" class="btn btn-sm btn-info select_all-user" data-uid="${uid}"><i class="fa fa-check-square-o fa-fw"></i></button> <button type="button" class="btn btn-sm btn-info select_none-user" data-uid="${uid}"><i class="fa fa-square-o fa-fw"></i></button></td>
 </tr>
 % endif
 % endfor
 
@@ -28,7 +28,7 @@
 from __future__ import print_function, unicode_literals
 
 from flask.ext.wtf import Form
-from wtforms.fields import TextField, PasswordField, BooleanField
+from wtforms.fields import TextField, PasswordField, FileField, BooleanField
 from wtforms.validators import Required, ValidationError
 
 
@@ -69,6 +69,10 @@ class AccountForm(Form):
     pass
 
 
+class UserImportForm(Form):
+    """A user import form."""
+    tsv = FileField("TSV File")
+
 class UserEditForm(Form):
     """A user editor form, used for CSRF protection only."""
     pass
 
@@ -36,9 +36,15 @@
            'SiteProxy']
 
 USER_FIELDS = ['username', 'realname', 'password', 'email']
+# internal order
 PERMISSIONS = ['active', 'is_admin', 'can_edit_all_posts', 'wants_all_posts',
                'can_upload_attachments', 'can_rebuild_site',
-               'can_transfer_post_authorship']
+               'can_transfer_post_authorship', 'must_change_password']
+# special display order
+PERMISSIONS_E = ['active', 'is_admin', 'must_change_password',
+                 'can_edit_all_posts', 'wants_all_posts',
+                 'can_upload_attachments', 'can_rebuild_site',
+                 'can_transfer_post_authorship']
 USER_ALL = USER_FIELDS + PERMISSIONS
 
 
 
@@ -44,10 +44,10 @@
 from flask.ext.login import (LoginManager, login_required, login_user,
                              logout_user, current_user, make_secure_token)
 from flask.ext.bcrypt import Bcrypt
-from coil.utils import USER_FIELDS, PERMISSIONS, SiteProxy
+from coil.utils import USER_FIELDS, PERMISSIONS, PERMISSIONS_E, SiteProxy
 from coil.forms import (LoginForm, NewPostForm, NewPageForm, DeleteForm,
                          UserDeleteForm, UserEditForm, AccountForm,
-                         PermissionsForm)
+                         PermissionsForm, UserImportForm)
 
 _site = None
 site = None
@@ -366,7 +366,7 @@ class User(object):
     def __init__(self, uid, username, realname, password, email, active,
                  is_admin, can_edit_all_posts, wants_all_posts,
                  can_upload_attachments, can_rebuild_site,
-                 can_transfer_post_authorship):
+                 can_transfer_post_authorship, must_change_password):
         """Initialize an user with specified settings."""
         self.uid = int(uid)
         self.username = username
@@ -380,6 +380,7 @@ def __init__(self, uid, username, realname, password, email, active,
         self.can_upload_attachments = can_upload_attachments
         self.can_rebuild_site = can_rebuild_site
         self.can_transfer_post_authorship = can_transfer_post_authorship
+        self.must_change_password = must_change_password
 
     def get_id(self):
         """Get user ID."""
@@ -419,7 +420,7 @@ def get_user(uid):
     d = db.hgetall('user:{0}'.format(uid))
     if d:
         for p in PERMISSIONS:
-            d[p] = d[p] == '1'
+            d[p] = d.get(p) == '1'
         return User(uid=uid, **d)
     else:
         return None
@@ -511,6 +512,9 @@ def index():
 
     :param int all: Whether or not should show all posts
     """
+    if current_user.must_change_password:
+        return redirect(url_for('acp_account') + '?status=pwdchange')
+
     context = {'postform': NewPostForm(),
                'pageform': NewPageForm(),
                'delform': DeleteForm()}
@@ -559,6 +563,9 @@ def edit(path):
 
     :param path: Path to post to edit.
     """
+    if current_user.must_change_password:
+        return redirect(url_for('acp_account') + '?status=pwdchange')
+
     context = {'path': path, 'site': site}
     post = find_post(path)
     if post is None:
@@ -628,6 +635,9 @@ def edit(path):
 @login_required
 def delete():
     """Delete a post."""
+    if current_user.must_change_password:
+        return redirect(url_for('acp_account') + '?status=pwdchange')
+
     form = DeleteForm()
     path = request.form['path']
     post = find_post(path)
@@ -687,6 +697,9 @@ def api_rebuild():
 @login_required
 def rebuild(mode=''):
     """Rebuild the site with a nice UI."""
+    if current_user.must_change_password:
+        return redirect(url_for('acp_account') + '?status=pwdchange')
+
     scan_site()  # for good measure
     if not current_user.can_rebuild_site:
         return error('You are not permitted to rebuild the site.</p>'
@@ -705,55 +718,16 @@ def rebuild(mode=''):
     return render('coil_rebuild.tmpl', {'title': 'Rebuild'})
 
 
-@app.route('/bower_components/<path:path>')
-def serve_bower_components(path):
-    """Serve bower components.
-
-    This is meant to be used ONLY by the internal dev server.
-    Please configure your web server to handle requests to this URL::
-
-        /bower_components/ => coil/data/bower_components
-    """
-    res = pkg_resources.resource_filename(
-        'coil', os.path.join('data', 'bower_components'))
-    return send_from_directory(res, path)
-
-
-@app.route('/coil_assets/<path:path>')
-def serve_coil_assets(path):
-    """Serve Coil assets.
-
-    This is meant to be used ONLY by the internal dev server.
-    Please configure your web server to handle requests to this URL::
-
-        /coil_assets/ => coil/data/coil_assets
-    """
-    res = pkg_resources.resource_filename(
-        'coil', os.path.join('data', 'coil_assets'))
-    return send_from_directory(res, path)
-
-
-@app.route('/assets/<path:path>')
-def serve_assets(path):
-    """Serve Nikola assets.
-
-    This is meant to be used ONLY by the internal dev server.
-    Please configure your web server to handle requests to this URL::
-
-        /assets/ => output/assets
-    """
-    res = os.path.join(app.config['NIKOLA_ROOT'],
-                       _site.config["OUTPUT_FOLDER"], 'assets')
-    return send_from_directory(res, path)
-
-
 @app.route('/new/<obj>/', methods=['POST'])
 @login_required
 def new(obj):
     """Create a new post or page.
 
     :param str obj: Object to create (post or page)
     """
+    if current_user.must_change_password:
+        return redirect(url_for('acp_account') + '?status=pwdchange')
+
     title = request.form['title']
     _site.config['ADDITIONAL_METADATA']['author.uid'] = current_user.uid
     try:
@@ -789,15 +763,61 @@ def new(obj):
     return redirect(url_for('index'))
 
 
+@app.route('/bower_components/<path:path>')
+def serve_bower_components(path):
+    """Serve bower components.
+
+    This is meant to be used ONLY by the internal dev server.
+    Please configure your web server to handle requests to this URL::
+
+        /bower_components/ => coil/data/bower_components
+    """
+    res = pkg_resources.resource_filename(
+        'coil', os.path.join('data', 'bower_components'))
+    return send_from_directory(res, path)
+
+
+@app.route('/coil_assets/<path:path>')
+def serve_coil_assets(path):
+    """Serve Coil assets.
+
+    This is meant to be used ONLY by the internal dev server.
+    Please configure your web server to handle requests to this URL::
+
+        /coil_assets/ => coil/data/coil_assets
+    """
+    res = pkg_resources.resource_filename(
+        'coil', os.path.join('data', 'coil_assets'))
+    return send_from_directory(res, path)
+
+
+@app.route('/assets/<path:path>')
+def serve_assets(path):
+    """Serve Nikola assets.
+
+    This is meant to be used ONLY by the internal dev server.
+    Please configure your web server to handle requests to this URL::
+
+        /assets/ => output/assets
+    """
+    res = os.path.join(app.config['NIKOLA_ROOT'],
+                       _site.config["OUTPUT_FOLDER"], 'assets')
+    return send_from_directory(res, path)
+
+
 @app.route('/account/', methods=['POST', 'GET'])
 @login_required
 def acp_account():
     """Manage the user account of currently-logged-in users.
 
     This does NOT accept admin-specific options.
     """
-    alert = ''
-    alert_status = ''
+    if request.args.get('status') == 'pwdchange':
+        alert = 'You must change your password before proceeding.'
+        alert_status = 'danger'
+    else:
+        alert = ''
+        alert_status = ''
     action = 'edit'
     form = AccountForm()
     if request.method == 'POST':
@@ -809,6 +829,7 @@ def acp_account():
             if data['newpwd1'] == data['newpwd2'] and check_password(
                     current_user.password, data['oldpwd']):
                 current_user.password = password_hash(data['newpwd1'])
+                current_user.must_change_password = False
             else:
                 alert = 'Passwords don’t match.'
                 alert_status = 'danger'
@@ -830,6 +851,11 @@ def acp_account():
 @login_required
 def acp_users():
     """List all users."""
+    if current_user.must_change_password:
+        return redirect(url_for('acp_account') + '?status=pwdchange')
+    elif not current_user.is_admin:
+        return error("Not authorized to edit users.", 401)
+
     alert = ''
     alert_status = ''
     if request.args.get('status') == 'deleted':
@@ -838,8 +864,6 @@ def acp_users():
     if request.args.get('status') == 'undeleted':
         alert = 'User undeleted.'
         alert_status = 'success'
-    if not current_user.is_admin:
-        return error("Not authorized to edit users.", 401)
     else:
         uids = db.hgetall('users').values()
         USERS = sorted([(i, get_user(i)) for i in uids])
@@ -849,16 +873,18 @@ def acp_users():
                                'alert': alert,
                                'alert_status': alert_status,
                                'delform': UserDeleteForm(),
-                               'editform': UserEditForm()})
+                               'editform': UserEditForm(),
+                               'importform': UserImportForm()})
 
 
 @app.route('/users/edit/', methods=['POST'])
 @login_required
 def acp_users_edit():
     """Edit an user account."""
     global current_user
-
-    if not current_user.is_admin:
+    if current_user.must_change_password:
+        return redirect(url_for('acp_account') + '?status=pwdchange')
+    elif not current_user.is_admin:
         return error("Not authorized to edit users.", 401)
     data = request.form
 
@@ -873,6 +899,7 @@ def acp_users_edit():
         uid = max(db.hgetall('users').values()) + 1
         pf = [False for p in PERMISSIONS]
         pf[0] = True  # active
+        pf[7] = True  # must_change_password
         user = User(uid, data['username'], '', '', '', *pf)
         write_user(user)
         db.hset('users', user.username, user.uid)
@@ -911,6 +938,7 @@ def acp_users_edit():
         user.active = True
         if user.uid == current_user.uid:
             user.is_admin = True
+            user.must_change_password = False
             current_user = user
         write_user(user)
 
@@ -924,12 +952,33 @@ def acp_users_edit():
                            'form': form})
 
 
+@app.route('/users/import/', methods=['POST'])
+@login_required
+def acp_users_import():
+    """Import users from a TSV file."""
+    if current_user.must_change_password:
+        return redirect(url_for('acp_account') + '?status=pwdchange')
+    elif not current_user.is_admin:
+        return error("Not authorized to edit users.", 401)
+
+    form = UserImportForm()
+    if not form.validate():
+        return error("Bad Request", 400)
+    fh = request.files['tsv'].stream
+    tsv = fh.read()
+    return tsv
+    # TODO
+
+
 @app.route('/users/delete/', methods=['POST'])
 @login_required
 def acp_users_delete():
     """Delete or undelete an user account."""
-    if not current_user.is_admin:
+    if current_user.must_change_password:
+        return redirect(url_for('acp_account') + '?status=pwdchange')
+    elif not current_user.is_admin:
         return error("Not authorized to edit users.", 401)
+
     form = UserDeleteForm()
     if not form.validate():
         return error("Bad Request", 400)
@@ -950,7 +999,9 @@ def acp_users_delete():
 @login_required
 def acp_users_permissions():
     """Change user permissions."""
-    if not current_user.is_admin:
+    if current_user.must_change_password:
+        return redirect(url_for('acp_account') + '?status=pwdchange')
+    elif not current_user.is_admin:
         return error("Not authorized to edit users.", 401)
 
     form = PermissionsForm()
@@ -966,9 +1017,11 @@ def acp_users_permissions():
                     setattr(user, perm, True)
                 else:
                     setattr(user, perm, False)
-            if uid == current_user.uid:
-                user.is_admin = True  # cannot deadmin oneself
-                user.active = True  # cannot deactivate oneself
+            if int(uid) == current_user.uid:
+                # Some permissions cannot apply to the current user.
+                user.is_admin = True
+                user.active = True
+                user.must_change_password = False
             write_user(user)
             users.append((uid, user))
         action = 'save'
@@ -981,8 +1034,8 @@ def display_permission(user, permission):
         if permission == 'wants_all_posts' and not user.can_edit_all_posts:
             # If this happens, permissions are damaged.
             checked = ''
-        if user.uid == current_user.uid and permission in ['active',
-                                                           'is_admin']:
+        if (user.uid == current_user.uid and permission in [
+                'active', 'is_admin', 'must_change_password']):
             disabled = 'disabled'
         else:
             disabled = ''
@@ -993,13 +1046,14 @@ def display_permission(user, permission):
              'data-perm="{4}" class="u{0}" {2} {3}>')
         return d.format(user.uid, permission, checked, disabled, permission_a)
 
-    users = [(i, get_user(i)) for i in uids]
+    if not users:
+        users = [(i, get_user(i)) for i in uids]
 
     return render('coil_users_permissions.tmpl',
                   context={'title': 'Permissions',
                            'USERS': sorted(users),
                            'UIDS': sorted(uids),
-                           'PERMISSIONS': PERMISSIONS,
+                           'PERMISSIONS_E': PERMISSIONS_E,
                            'action': action,
                            'json': json,
                            'form': form,
 
@@ -40,16 +40,17 @@ Permissions
 Coil uses a very granular permission system.  Each user can have a different
 set of permissions, depending on the needs of the organization.
 
-================================  =============================  ===================
-Name                              In Account                     In Permissions
-================================  =============================  ===================
-``active``                        n/a                            Active
-``is_admin``                      User is an administrator       Admin
-``can_edit_all_posts``            Can edit posts of other users  Can all posts
-``can_upload_attachments``        Can upload attachments         Attachments
-``can_rebuild_site``              Can rebuild the site           Rebuild
-``can_transfer_post_authorship``  Can transfer post authorship   Transfer authorship
-================================  =============================  ===================
+================================  ==================================  ====================
+Name                              In Account                          In Permissions
+================================  ==================================  ====================
+``active``                        n/a                                 Active
+``must_change_password``          Must change password on next login  Must change password
+``is_admin``                      User is an administrator            Admin
+``can_edit_all_posts``            Can edit posts of other users       Can all posts
+``can_upload_attachments``        Can upload attachments              Attachments
+``can_rebuild_site``              Can rebuild the site                Rebuild
+``can_transfer_post_authorship``  Can transfer post authorship        Transfer authorship
+================================  ==================================  ====================
 
 Managing users and permissions
 ==============================
@@ -63,6 +64,33 @@ Manage users
 This is a table of all users.  You can add new users at the bottom by typing in
 a name and clicking *Create*.  You can also *Edit*, *Delete* or *Undelete*.
 
+Bulk import
+```````````
+
+The last row lets you import a file with user data.  `TSV (Tab-Separated Values)`__
+files are accepted.
+
+__ http://en.wikipedia.org/wiki/Tab-separated_values
+
+The first row MUST contain all the column names.  They are:
+
+1. ``username``
+2. ``realname``
+3. ``email``
+4. ``password``
+5. ``active``
+6. ``is_admin``
+7. ``must_change_password``
+8. ``can_edit_all_posts``
+9. ``want_all_posts``
+10 ``can_upload_attachments``
+11. ``can_rebuild_site``
+12. ``can_transfer_post_authorship``
+
+The following rows should contain data for the users.  Passwords should be in
+plain-text.  All the boolean fields (``active`` and everything after it) accept
+``0`` or ``1`` as their value.
+
 Deleting and undeleting users
 `````````````````````````````
 
@@ -77,3 +105,4 @@ Permissions
 This is a table of all permissions in the system.  It can be used to quickly
 modify the permission list for groups of users.  The teal buttons can be used
 to select the permission for all users.
+
@@ -10,13 +10,12 @@ Database schema
 User storage
 ------------
 
-============  ======  ===================================================
+============  ======  ===============================================================================
 Name          Type    Contents
-============  ======  ===================================================
-``last_uid``  string  UID of newest user
+============  ======  ===============================================================================
 ``users``     hash    Hash mapping usernames to UIDs
-``user:uid``  Hash    All the data we have on the user (see :doc:`users`)
-============  ======  ===================================================
+``user:uid``  hash    All the data we have on the user (see :doc:`Users documentation <admin/users>`)
+============  ======  ===============================================================================
 
 Caching site
 ------------
Original file line number	Diff line number	Diff line change
`@@ -90,6 +90,10 @@ table.users .uid {`
`90`	`90`	`text-align: center;`
`91`	`91`	`}`
`92`	`92`
	`93`	`+.perm-descr {`
	`94`	`+ font-size: x-small;`
	`95`	`+}`
	`96`	`+`
`93`	`97`	`/* login (copied from Bootstrap example) */`
`94`	`98`
`95`	`99`	`.form-signin {`