- remove the HasSignedTosMixin and to the verifications in
  AllgoAccessMixin instead (along with email verification)
- add Tos.get_latest() and User.has_agreed_tos
- ignore ToS agreement if the db has no ToS entries