💻Allows email addresses as usernames when student account is cre…

[FBastiaan04]

Allows email addresses as usernames when student account is created by teacher.
The colon character (:) is still disallowed. The original reason for disallowing this was not found, and it was decided that there was not enough demand for allowing it to warrent the effort.

Fixes #5888
How to test

Follow these steps to verify this PR works as intended:

• Create a teacher account
• Create a class
• Click "Add students" and "Create accounts"
• Create one or more student accounts containing an "@"
• Verify that you can log into those new student accounts

Checklist
Done? Check if you have it all in place using this list: (mark with x if done)

• Contains one of the PR categories in the name
• Describes changes in the format above
• Links to an existing issue or discussion
• Has a "How to test" section

If you're unsure about any of these, don't hesitate to ask. We're here to help!

[brianpeiris]

Still just reviewing as a contributor, but I think I spotted a security issue with this PR

[brianpeiris]

I believe adding this code alone will cause a bit of a authorization/security issue, unless we also change update_profile in profile.py. The update_profile code will also have to check if a user exists with user_by_username when the user updates their email, in order to prevent conflicts.

The problematic scenario is:

1. A Teacher creates two student accounts with emails as usernames. E.g. username: [email protected], and username: [email protected]
2. I login as a student with my username, [email protected], then I go to my profile settings.
3. My email is initially blank. I update my email to [email protected]
4. Now [email protected] cannot login because I have taken their email address, and their account still only has a username.

[FBastiaan04]

@brianpeiris Good catch! The point of this PR is to allow emails however, so maybe the following could solve this:
Use utils.valid_email to check if someone's username is a valid email, and if it is, also set that accounts email equal to its username. This should solve the following situations:

• A teacher creating an account with username floris@ (this account will not have its email set)
• A teacher creating an account with username [email protected] while another account already has this as its email (the new account will be rejected as its email is already in use)
• A teacher creating accounts with the usernames [email protected] and brian, then brian setting their email (which is currently blank) to [email protected]. (Brians new email will not be allowed, as its already in use)
  Would this still satisfy the original requirements and solve the security issues @jpelay ?

[jpelay]

Hello, @brianpeiris! Can't thank you enough for taking care of reviewing this PR, I think all your suggestions are on point, specially the last one about the security issue. @FBastiaan04 please take a look into those whenever you can.