  1. Sep 10, 2021
    • Verify selfservice link secrets in constant-time · c9873e4c
      Julian authored
      This affects mail verification and password reset links. Existing links
      continue to work. However, support for legacy links (without id) is
      deprecated and will be removed in the future.
  2. Sep 05, 2021
    • Refactor permission checking and differentiate login and selfservice access · e6df5bbe
      Julian authored
      Fixes #104.
      
      Replaced "group" keyword argument for login_required with "permission_check".
      Most views already define a *_acl_check function that returns whether the
      current user has the required permissions for use with register_navbar. The
      same function can now be passed to login_required as the "permission_check"
      argument.
      
      Differentiated login and selfservice access permissions. Previously
      ACL_SELFSERVICE_GROUP was required to log in. Now ACL_ACCESS_GROUP is required
      to log in and ACL_SELFSERVICE_GROUP is required to access selfservice functions
      (and to use role-granting invite links). A user with just ACL_ACCESS_GROUP can
      now log in, access the services overview page and authenticate with OAuth2
      services he has access to, but not change his user attributes, password or
      roles/permissions.
  3. Sep 04, 2021
  4. Aug 30, 2021
    • Restrict password alphabet to SASLprep-safe ASCII subset · cb2d7f35
      Julian authored
      Prior to this change user passwords were not validated on change aside from
      their length, but validated on login/bind by ldap3 with SASLprep. Instead of
      using SASLprep on password change, this change restricts passwords to 7-bit
      ASCII without control characters. Control characters are forbidden by
      SASLprep. Multi-byte characters are uncommon in passwords, especially in those
      generated by password managers. This ensures that passwords are always
      SASLprep-safe without implementing the rather complex SASLprep algorithm. It
      also allows us to fully describe the alphabet restrictions in the relevant
      forms.
      
      Fixes #100
  5. Jul 29, 2021
  6. Jul 26, 2021
  7. Jun 13, 2021
  8. May 01, 2021
  9. Feb 27, 2021
  10. Feb 23, 2021
  11. Feb 19, 2021
  12. Feb 15, 2021
  13. Nov 04, 2020
  14. Oct 26, 2020
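
The claim in commit cb2d7f35 above, that 7-bit ASCII without control characters is always SASLprep-safe, can be checked mechanically against the RFC 4013 tables. This is an added example, not code from this repository; it uses Python's standard `stringprep` module, and the function names and the reading of the alphabet as U+0020..U+007E (space included) are assumptions.

```python
import stringprep
import unicodedata

# Assumption: "7-bit ASCII without control characters" is read as
# U+0020..U+007E (space included, DEL excluded).
ALLOWED = frozenset(chr(c) for c in range(0x20, 0x7F))

# RFC 4013 prohibited-output tables (C.1.2 is handled as a mapping below).
PROHIBITED = {
    "C.2.1 ASCII control": stringprep.in_table_c21,
    "C.2.2 non-ASCII control": stringprep.in_table_c22,
    "C.3 private use": stringprep.in_table_c3,
    "C.4 non-character": stringprep.in_table_c4,
    "C.5 surrogate": stringprep.in_table_c5,
    "C.6 not plain text": stringprep.in_table_c6,
    "C.7 not canonical": stringprep.in_table_c7,
    "C.8 display/deprecated": stringprep.in_table_c8,
    "C.9 tagging": stringprep.in_table_c9,
}

def password_alphabet_ok(password):
    """Change-time check: every character is in the restricted alphabet."""
    return all(ch in ALLOWED for ch in password)

def saslprep_issue(ch):
    """Why SASLprep would alter, reject or specially handle ch, or None."""
    if stringprep.in_table_b1(ch):
        return "B.1 mapped to nothing"
    if stringprep.in_table_c12(ch):
        return "C.1.2 mapped to space"
    if unicodedata.normalize("NFKC", ch) != ch:
        return "changed by NFKC"
    for label, in_table in PROHIBITED.items():
        if in_table(ch):
            return label
    if stringprep.in_table_d1(ch):
        return "D.1 right-to-left, triggers bidi rules"
    if stringprep.in_table_a1(ch):
        return "A.1 unassigned code point"
    return None

def unsafe_allowed_chars():
    """Characters of ALLOWED that SASLprep would not pass through unchanged."""
    return {ch: saslprep_issue(ch) for ch in sorted(ALLOWED) if saslprep_issue(ch)}

if __name__ == "__main__":
    print("unsafe characters in alphabet:", unsafe_allowed_chars())
    for pw in ("correct horse 42!", "p\u00e4ssword", "tab\there"):  # constructed samples
        print(repr(pw), password_alphabet_ok(pw))
```

An empty result from `unsafe_allowed_chars()` means a password accepted at change time reaches the SASLprep step on login/bind byte-for-byte unchanged.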