Make sure only admins can change password of other users

app/Controller/UserCredentialController.php

@@ -43,6 +43,10 @@ class UserCredentialController extends BaseController
 
         list($valid, $errors) = $this->userValidator->validatePasswordModification($values);
 
+        if (! $this->userSession->isAdmin()) {
+            $values['id'] = $this->userSession->getId();
+        }
+
         if ($valid) {
             if ($this->userModel->update($values)) {
                 $this->flash->success(t('Password modified successfully.'));