benel / Dolomite

Directories Led by Members
https://github.com/benel/Dolomite/wiki

Fix: The user can change his password #29

Closed kamwaStephanie closed 13 years ago

benel commented 13 years ago

We would need another functional test about a malicious user who would send himself an invitation (with his own e-mail address) but with the login of another existing user. Of course such an attempt should fail. But the application will probably need to be updated to check if the e-mail is the same.

kamwaStephanie commented 13 years ago

I don't understand very well the aim of this test.

The malicious user is already registered in LDAP (I guess). I can check if it is possible for him to send himself an invitation, but I don't understand when you say "with the login of another person". Before sending an invitation (or after doing that), you have to log on. So the malicious user needs to know both the login and password, and in this case there is nothing I can do about it (I think).

benel commented 13 years ago

Alice has the account "alice.dodgson" with the following e-mail "alice@wonderland.org". Malory also has an account and wants to steal Alice's. He sends an invitation to alice.dodgson but to his own e-mail "malory@hell.com".
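The check benel asks for in the thread (an invitation that names an existing login is only accepted when the e-mail matches the address already on file for that login), written here as an added illustration rather than Dolomite's own code. The in-memory account store, the function names and the alice/malory sample records are assumptions constructed for this example; a real deployment would look the login up in LDAP instead.

```python
"""
Guard for the invitation flow discussed in the thread: an invitation naming an
existing login is accepted only when the e-mail equals the one registered for
that login. Illustrative code written for this page, not Dolomite's code; the
account store, function names and sample data below are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    login: str
    email: str


# Constructed sample directory standing in for the LDAP-backed user store.
ACCOUNTS = {
    "alice.dodgson": Account("alice.dodgson", "alice@wonderland.org"),
    "malory": Account("malory", "malory@hell.com"),
}


def normalize_email(email: str) -> str:
    # Compare addresses case-insensitively and ignore surrounding whitespace,
    # so "Alice@Wonderland.org " is treated as the registered address.
    return email.strip().lower()


def check_invitation(login: str, email: str, accounts=ACCOUNTS) -> tuple[bool, str]:
    """Return (accepted, reason).

    A known login is accepted only if the e-mail matches the registered one;
    an unknown login is treated as a new-user invitation.
    """
    account = accounts.get(login)
    if account is None:
        return True, "new-user invitation"
    if normalize_email(account.email) == normalize_email(email):
        return True, "matches registered e-mail"
    # Do not echo the registered address in the rejection reason: that message
    # would itself leak the victim's e-mail to the requester.
    return False, "e-mail does not match the registered address for this login"


def functional_test_cases() -> dict[str, tuple[bool, str]]:
    """The scenarios from the thread plus a case/whitespace variant."""
    return {
        "alice_own_email": check_invitation("alice.dodgson", "alice@wonderland.org"),
        "malory_hijack": check_invitation("alice.dodgson", "malory@hell.com"),
        "malory_self": check_invitation("malory", "malory@hell.com"),
        "new_user": check_invitation("bob", "bob@example.org"),
        "case_variant": check_invitation("alice.dodgson", " Alice@Wonderland.ORG "),
    }


if __name__ == "__main__":
    for name, (ok, reason) in functional_test_cases().items():
        print(f"{name}: {'accepted' if ok else 'rejected'} ({reason})")
```

The "malory_hijack" case is the functional test benel describes: the login exists, the e-mail differs, so the invitation is refused before anything is sent. Normalizing the address keeps a legitimate user from being locked out by capitalization while still refusing a different mailbox.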