Increase security for Email Change
We already require OLD password when changing the current user password, but email is another way to recover an account. If hacker is able to access open instance of RC he can trigger an email change and change the password after that.
Proposed idea to fix this is:
- Make email a select field instead of text input
- Inside the input we allow user to pick any of the addresses added via extra emails
- In order to change an email user needs to add a new email from additional emails, this needs to require a password, and then he can select a new email from the entry.
THis should force users to give current password to change the email