After Email confirmation redirect to change password

I am working on an HR related project. Where SuperUser can create a Company and then can add Users in that company.

Then it’s sending account confirmation email to user with password created by SuperUser. So when user click on that link it’s redirect user to login page and after login it goes to dashboard.

Now i want to force user to change it’s password and he shouldn’t able to access any other page until he reset password.

Now i was able to redirect user to change password page after login from confirmation. but i unable to restrict user after login.

is there anyway to do it. or any of you have idea about midleware in Yii2, i am really at beginning level in Yii.

Thanks in advance…