The new reset actions don't require the user to authenticate prior to
performing them. Is it not a bit dangerous that the user can change the
email address without authentication?
For reset password we obviously need to be able to do it without requiring
authentication, but shouldn't "bypassing" authentication be limited as much
as possible?