If a client initially authenticates with an external source such as Google+,
the user should still have the ability to set a password via the password
reset mechanism.

The `id` needs to be changed for the new clone in order for the POST data to
line up with with new field

DISABLE_SESSION define is changed so that existing session are continued
but new sessions are not saved. This allows external auth backends to
redirect to an external site and that site redirect back to a `/api` URL and
the user's session will be continued.

It is possible that a recipient received and processed by the system may not
have a name set. In that case, the email mailbox should be used. As a
failsafe, avoid crashing if the User::save() should fail.

This occurs for attachments added via the staff or client web interfaces

Use .domain.tld to accept all subdomains of a parent

This is a slight edit over the previous implementation of the same feature.
Previously, an "account" was required, which implies a user account with a
password. This implementation simply requires a user record. Importing of
users by organization domain is still supported -- even if the user does not
yet exist.

  * Auto confirm remote accounts
  * Don't send out emails for remote account activation
  * Forbid password changes on remote accounts

This stems from a confusing similarity between the + operator for arrays
and array_merge() in php. Adding arrays will ignore items in the RHS where
keys are present in the LHS. Therefore, when adding numerically indexed
arrays together, only items on the RHS that have a key higher than the
greatest key on the LHS will be included.