Prevent password reset exposing account presence

[markstuart]

This work was done in CKAN 2.7.7 by @smotornyuk
just porting to other releases here.

Proposed fixes:

The password reset behaviour currently behaves differently when there is no account found matching the username or email address entered in the form. This can give a malicious agent information about which accounts exist in the system and which don't.

This work makes the response to the user the same for all cases.

Features:

• includes tests covering changes
• includes updated documentation
• includes user-visible changes
• includes API changes
• includes bugfix for possible backport

Please [X] all the boxes above that apply

[markstuart]

@amercader we discussed this via email in late May, just got back to it now sorry. I also have a branch with the same commit targeting dev-v2.8 if you want me to raise a PR for that too?

[smotornyuk]

I'm merging this PR - it will be backported as a part of usual patch-release process, so there is no need in creating PR into 2.8