Verify account only if a request is in progress

The account verification page should only proceed and allow updating the
user's profile (including resetting their password) when there is an
active activation token.

Fixes #22690

Backported from cfbc5e5

verify.php

@@ -63,7 +63,7 @@
 
 $t_token_confirm_hash = token_get_value( TOKEN_ACCOUNT_ACTIVATION, $f_user_id );
 
-if( $f_confirm_hash != $t_token_confirm_hash ) {
+if( $t_token_confirm_hash == null || $f_confirm_hash !== $t_token_confirm_hash ) {
 	trigger_error( ERROR_LOST_PASSWORD_CONFIRM_HASH_INVALID, ERROR );
 }