Inconsistent permission checks in mail token verification
selfservice.token_mail view requires the user to be logged in, but does not verify that the mail token is related to the logged-in user. I see no reason, why the user needs to login in this case, but maybe I overlooked something. Anyway ... this should be made more consistent.
See also test