Refactor settings controllers

[Gargron]

• Disallow suspended accounts from revoking sessions and apps
• Allow suspended accounts to access exports

[SuperSandro2000]

Disallow suspended accounts from revoking authorized applications, browser sessions, or changing 2FA settings

Why tough? If you are suspended you should still be allowed to revoke access from everything.

[Gargron]

If you are suspended, we retain some data to prevent ban evasions, e.g. you can’t sign up with the identical email address anymore. IPs and used apps may provide further insight into finding alternative accounts, so it doesn’t make sense that the suspended user can simply clean up all the tracks.

[SuperSandro2000]

you can’t sign up with the identical email address anymore.

It's the part after the + filtered?

IPs are most of the time pretty useless. Mine for example changes every day and I can easily switch it.

it doesn’t make sense that the suspended user can simply clean up all the tracks.

If my account got suspended by action taken on another device which maybe got stolen or the session cookie was phished etc. I can't revoke that device. I should be able to revoke those sessions without cleaning up all my tracks.

Also revoking or disabling 2FA does not clean up any track or provides any useful information to anyone. It is just a measure which maybe locks people out of their account without any real advantage.

[Gargron]

Why should you be able to change 2fa settings if you’re not allowed to change your password or email? It makes more sense to me to keep it consistent: suspended means the account’s done, no further changes.

[ClearlyClaire]

Before I actually review: I see no issue with being able to change 2FA settings or password when suspended. It would also be good to be able to revoke active sessions and change e-mail address, but I also understand how this is tied with the anti-abuse features so I think that's an acceptable compromise.