* Lock 1: user confirmation/unlock pending, count shares
* Lock 2: Admin disabled, ignore shares
This further addresses #1332 and should allow proper dropping of shares
for banned accounts.
The way this now works is, if csrf is enabled:
* Any new or existing template can have csrf protection by adding the hidden input ctoken that's in this batch to its form, removes any logic in templates
* Page controllers that already exist have been updated, new ones only require checking if csrf is enabled and valid
* Now an array to disable with granularity
* Fixed all CSRF tokens back to 1 min
* Added CSRF protection for unlock account
* Unified error message for all csrf tokens
* Fixed a few issues with last commit
* Added new token type: account_unlock
* Added update SQL File
* Updated base structure with new token type
* Added empty template
* Updated user class to send mail on failed passwords
* Added unlock account page to use tokens
Addresses #670
