Inconsistent permission checks in mail token verification
The selfservice.token_mail
view requires the user to be logged in, but does not verify that the mail token is related to the logged-in user. I see no reason, why the user needs to login in this case, but maybe I overlooked something. Anyway ... this should be made more consistent.
See also test test_selfservice.TestSelfservice.test_token_mail_wrong_user
.