We are looking for a PHP & AJAX & MySQL user management with drag and drop, sortable and autocomplete features in AJAX, a friendly interface, templates preferable.
It must be a Role Based Access Control, allow the definition of new roles, disable old roles, keep a log of ALL changes/updates/actions for each module/feature.
The back-end has to be MySQL.
It is mandatory to have everything properly sanitized and not to be vulnerable to XSS, SQL injections. In case any issues are found they must be fixed before payment is done.
The code&DB must be properly documented and commented in English (low level design and high level design documents, including and not limiting only to comments in the code). Functions will include usage examples. All requirements for the installation will be provided. A setup module is desirable which will validate requirements. A demo will be provided online for validation and afterwards it will be provided with the source code in the archive together will all the other information and requirements.
Among the features: we require a password reset module: a page where the user submits his username and based on the information in the DB the user will receive an email with a link (one time use only, it cannot be used more than once) which will unlock the account and change the password (random generated) and it will email the user the new details.
If the account is locked the administrator and user will be notified via email including the link to the account unlock page(the mail function will allow HTML content and will send the content as HTML/TXT (the template can be defined via web module)).
It will allow language selection.
Please find some details regarding the project:

PROTECTED PAGE ACCESS:
- web management module of restrictions to access the web pages
- ability to restrict sections of the code/output on a per role/company/division/department/unit or other category (i.e.: we might want to show certain information only to users that have an admin role or to users that are part of a certain company/division/department/unit/other category which will require a validation based on information stored in the session and/or DB.
- validate session
- validate constraints (maximum sessions, lifetime etc)

LOGIN PROCESS:
- validation of session in order to ensure that the user has not attempted to alter any information (encryption, hash validation and other techniques).
- record username, encrypted password (no hashing), ip address in login table
- increment number of logins (correct/incorrect) in users table
- allow restriction of 1 login / user (check box and edit box with number of maximum simultaneous logins) stored in users table
- allow account lockout (it will be set globally for all users in the web interface, however some users will be excluded (allow web selection of excluded users) and all the info will be stored in the DB).
- allow ip lockout (again certain ip addresses will be excluded and managed via the web) - all info stored in DB
- accounts will not be deleted, they will be set as disabled for audit reasons
- set per user / global session lifetime
- disable the usage of back/forward/refresh browser actions (management of these features will be set in the per page restrictions and access settings)

REGISTRATION PROCESS:
- username (based on the user email address: i.e.: will have a username firstname.lastname)
- age
- country
- Interesting
- Looking (what are you looking?)
- image username
- email address
- location selection
- phone number
- password (will be generated and communicated via email and will force the user to change the password after the first login).
- expiration date (can be enforced by the certain roles in the management module)
- account will require activation by supervisor/admin/other groups (notification will be issued mandatory to supervisor and other selected roles in the management module).

MANAGEMENT MODULES:
- users management: enforce password change on first login after registration, after x days (set via globally / per user), 
- supervisor management
- roles management
- reporting module: per user, per ip, per role including graphs
- web management module of restrictions to access the web page
- other settings mentioned in the above requirements