Email security hole in invitation-acceptance procedure

(Bug, Closed -> Fixed, Priority: Critical, Test Status: No automated tests yet , Reported By Justin du Coeur, )

Summary: Currently, I can accept an Invitation and claim an email address other than the one the invite went to; this is not currently verified, so it lets me claim email addresses I don't own.

If I sign up using an email address that doesn't yet have an Identity, mark it as Unverified, send out the usual validation email, and show a notification that we have done so. This becomes the conventional signup procedure.

If I sign up using an email address other than the one this Invitation went to, that is already in use, check that Identity's status. If it is already a QuerkiLogin, reject that with an explicit error saying that that email address is in use by a Querki account, and offer the password-reset dance. Since this email address is already assigned to a User, we cannot create a new account with it.

If it is an existing SimpleEmail identity and was not the Identity that this Invitation went to, we have a tricky situation. We might have to introduce a new email pathway to validate that email address claim, and merge the Identities in some fashion if so. (But this is an edge case, and can probably wait a while.) Note that the issue here is that we don't want to allow this new User to claim this email address, which might be impersonating somebody, without validating that they own it. But this situation can arise if I have received multiple invitations from multiple sources, have not signed up yet, and have several email addresses.