Recover by email needs to allow anon access to its endpoints

endpoints/api/user.py

@@ -643,6 +643,7 @@ class Recovery(ApiResource):
   }
 
   @nickname('requestRecoveryEmail')
+  @anon_allowed
   @validate_json_request('RequestRecovery')
   def post(self):
     """ Request a password recovery email."""

endpoints/web.py

@@ -19,7 +19,7 @@ from util.invoice import renderInvoiceToPdf
 from util.seo import render_snapshot
 from util.cache import no_cache
 from endpoints.common import common_login, render_page_template, route_show_if, param_required
-from endpoints.decorators import anon_protect
+from endpoints.decorators import anon_protect, anon_allowed
 from endpoints.csrf import csrf_protect, generate_csrf_token, verify_csrf
 
 from buildtrigger.customhandler import CustomBuildTrigger
@@ -366,6 +366,7 @@ def confirm_repo_email():
 
 @web.route('/confirm', methods=['GET'])
 @route_show_if(features.MAILING)
+@anon_allowed
 def confirm_email():
   code = request.values['code']
   user = None
@@ -386,6 +387,8 @@ def confirm_email():
 
 
 @web.route('/recovery', methods=['GET'])
+@route_show_if(features.MAILING)
+@anon_allowed
 def confirm_recovery():
   code = request.values['code']
   user = model.user.validate_reset_code(code)