security: fix CVE 2022 46172 (#4275)

* fallback to current user in user_write, add flag to disable user creation

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* update api and web ui

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* update default flows

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add cve post to website

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add tests

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

web/src/admin/stages/user_write/UserWriteStageForm.ts

@@ -59,6 +59,21 @@ export class UserWriteStageForm extends ModelForm<UserWriteStage, string> {
             <ak-form-group .expanded=${true}>
                 <span slot="header"> ${t`Stage-specific settings`} </span>
                 <div slot="body" class="pf-c-form">
+                    <ak-form-element-horizontal name="canCreateUsers">
+                        <div class="pf-c-check">
+                            <input
+                                type="checkbox"
+                                class="pf-c-check__input"
+                                ?checked=${first(this.instance?.canCreateUsers, false)}
+                            />
+                            <label class="pf-c-check__label">
+                                ${t`Can create users`}
+                            </label>
+                        </div>
+                        <p class="pf-c-form__helper-text">
+                            ${t`When enabled, this stage has the ability to create new users. If no user is available in the flow with this disabled, the stage will fail.`}
+                        </p>
+                    </ak-form-element-horizontal>
                     <ak-form-element-horizontal name="createUsersAsInactive">
                         <div class="pf-c-check">
                             <input