Send email to administrator when an unauthorized user requests a password reset

[johnhenley]

Closes #5245

Summary

Email administrator when an unapproved user requests a password reset. Then the administrator can verify that it is a valid request, and if so, authorize the user and send a new password reset.

[johnhenley]

• I have sole ownership of intellectual property rights to my Submissions and I am not making Submissions in the course of work for my employer.
  @microsoft-github-policy-service agree

[bdukes]

@johnhenley you need to write @microsoft-github-policy-service agree to tell the bot you agree with that statement

[mitchelsellers]

I understand the intent here, but I'm slightly concerned that this could allow someone to abuse the system by constantly requesting a forgotten password and overwhelming administrators otherwise?

@dnnsoftware/approvers thoughts?

[bdukes]

I think the value is greater than the potential for abuse.

[johnhenley]

I understand the intent here, but I'm slightly concerned that this could allow someone to abuse the system by constantly requesting a forgotten password and overwhelming administrators otherwise?

@dnnsoftware/approvers thoughts?

@mitchelsellers understand and agree with your concerns about potential for abuse. What are your thoughts on adding a PasswordResetOutstandingRequestCount (or just a flag that a request is outstanding) to UserInfo and only sending to administrator on first request?

[bdukes]

Thanks!