require a verified email address for any account action

tests/functional/manage/test_views.py

@@ -41,7 +41,7 @@ def test_save_account(self, pyramid_services, user_service, db_request):
         db_request.path = "/manage/accounts/"
         db_request.POST = MultiDict({"name": "new name", "public_email": ""})
 
-        views.ManageAccountViews(db_request).save_account()
+        views.ManageVerifiedAccountViews(db_request).save_account()
         user = user_service.get_user(user.id)
 
         assert user.name == "new name"

tests/unit/test_routes.py

@@ -211,6 +211,9 @@ def add_policy(name, filename):
             "/account/verify-project-role/",
             domain=warehouse,
         ),
+        pretend.call(
+            "manage.unverified-account", "/manage/unverified-account/", domain=warehouse
+        ),
         pretend.call("manage.account", "/manage/account/", domain=warehouse),
         pretend.call(
             "manage.account.publishing", "/manage/account/publishing/", domain=warehouse

warehouse/accounts/security_policy.py

@@ -184,8 +184,8 @@ def _permits_for_user_policy(acl, request, context, permission):
     if (
         isinstance(res, Allowed)
         and not request.identity.has_primary_verified_email
-        and request.matched_route.name.startswith("manage")
-        and request.matched_route.name != "manage.account"
+        and request.matched_route.name
+        not in {"manage.unverified-account", "accounts.verify-email"}
     ):
         return WarehouseDenied("unverified", reason="unverified_email")
 
@@ -214,6 +214,8 @@ def _check_for_mfa(request, context) -> WarehouseDenied | None:
         "manage.account.totp-provision",
         "manage.account.two-factor",
         "manage.account.webauthn-provision",
+        "manage.unverified-account",
+        "accounts.verify-email",
     ]
 
     if (