Index: user.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/user/user.module,v
retrieving revision 1.1002
diff -u -r1.1002 user.module
--- user.module 22 Jun 2009 09:10:07 -0000 1.1002
+++ user.module 24 Jun 2009 13:43:36 -0000
@@ -380,6 +380,10 @@
 if (!$edit['pass']) {
 return FALSE;
 }
+ // Remove password reset tag, as a new password will be set.
+ if (isset($_SESSION['pass_reset_'. $account->uid])) {
+ unset($_SESSION['pass_reset_'. $account->uid]);
+ }
 }
 else {
 // Avoid overwriting an existing password with a blank password.
@@ -641,6 +645,23 @@
 }
 }
+function user_validate_current_pass(&$form, &$form_state) {
+ $account = $form_state['values']['_account'];
+ // Check current password only if account details was changed.
+ if (!empty($form_state['values']['pass']) || $form_state['values']['mail'] != $account->mail || $form_state['values']['status'] != $account->status || $form_state['values']['roles'] != $account->roles) {
+ $admin = user_access('administer users');
+ $account_is_admin = user_access('administer users', $account);
+
+ // Always ask for confirmation from current user, or if trying to change password for admin or if you're not admin.
+ if ($GLOBALS['user']->uid == $uid || $account_is_admin || !$admin) {
+ require_once DRUPAL_ROOT . '/' . variable_get('password_inc', 'includes/password.inc');
+ if (!isset($form_state['values']['pass_current']) || (!user_check_password($form_state['values']['pass_current'], $account))) {
+ form_set_error('pass_current', t("The current password is wrong, it's required to change account information."));
+ }
+ }
+ }
+}
+
 /**
 * Generate a random alphanumeric password.
 */
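Review bot: The `isset()` guard around the `unset()` of the session tag is redundant, since `unset()` on a missing key is a no-op; the three added lines collapse to `unset($_SESSION['pass_reset_'. $account->uid]);` under the existing comment. The enclosing user_save() body starts and ends outside the hunk, so the hunk itself does not show that `$account` is the loaded user object at this point — the surrounding "existing password" context suggests it is, but confirm.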
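Review bot: `$uid` is never assigned inside user_validate_current_pass(), so `$GLOBALS['user']->uid == $uid` compares against NULL and the "current user" case only triggers through the other two disjuncts; use the account being validated instead, `if ($GLOBALS['user']->uid == $account->uid || $account_is_admin || !$admin) {` (hunk -939 derives `$uid` from `$account->uid` the same way). The name also does not match the handler registered in hunk -1872, which appends `'user_validate_current_password'` to `#validate`, so as committed the current-password check is never reached under the registered name (whether the form executor skips an unknown handler or fails on it depends on form.inc, outside this diff); rename one side. `$form_state['values']['status']` and `['roles']` are read unconditionally, but the fields that supply them appear to exist only on the admin form, so a non-admin editing their own account would likely get an undefined-index notice and a spurious password prompt — guard them with `isset()` or compare only the values actually submitted. The function also lacks the docblock Drupal requires; `/** Form validation handler: requires the current password before account details are changed. */`.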
@@ -939,6 +960,7 @@
 */
 function user_user_validate(&$edit, &$account, $category = NULL) {
 if ($category == 'account') {
+ $uid = isset($account->uid) ? $account->uid : FALSE;
 // Validate the username when: new user account; or user is editing own account and can change username; or an admin user.
 if (!$uid || ($GLOBALS['user']->uid == $uid && user_access('change own username')) || user_access('administer users')) {
@@ -1800,13 +1822,15 @@
 $form = array();
 // Account information:
- $form['account'] = array('#type' => 'fieldset',
+ $form['account'] = array(
+ '#type' => 'fieldset',
 '#title' => t('Account information'),
 '#weight' => -10,
 );
 // Only show name field when: registration page; or user is editing own account and can change username; or an admin user.
 if ($register || ($GLOBALS['user']->uid == $uid && user_access('change own username')) || $admin) {
- $form['account']['name'] = array('#type' => 'textfield',
+ $form['account']['name'] = array(
+ '#type' => 'textfield',
 '#title' => t('Username'),
 '#default_value' => $edit['name'],
 '#maxlength' => USERNAME_MAX_LENGTH,
@@ -1815,7 +1839,8 @@
 '#attributes' => array('class' => 'username'),
 );
 }
- $form['account']['mail'] = array('#type' => 'textfield',
+ $form['account']['mail'] = array(
+ '#type' => 'textfield',
 '#title' => t('E-mail address'),
 '#default_value' => $edit['mail'],
 '#maxlength' => EMAIL_MAX_LENGTH,
@@ -1823,7 +1848,8 @@
 '#required' => TRUE,
 );
 if (!$register) {
- $form['account']['pass'] = array('#type' => 'password_confirm',
+ $form['account']['pass'] = array(
+ '#type' => 'password_confirm',
 '#description' => t('To change the current user password, enter the new password in both fields.'),
 '#size' => 25,
 );
@@ -1872,6 +1898,22 @@
 }
 }
+ if (!$register) {
+ $account = user_load($uid);
+ $account_is_admin = user_access('administer users', $account);
+
+ // Always ask for confirmation from current user, or if trying to change password for admin or if you're not admin.
+ if (!isset($_SESSION['pass_reset_'. $uid]) && ($GLOBALS['user']->uid == $uid || $account_is_admin || !$admin)) {
+ $form['account']['pass_current'] = array(
+ '#type' => 'password',
+ '#description' => t('To change account information, provide the current password to verify your identity.'),
+ '#title' => t('Current password'),
+ '#size' => 25,
+ );
+ $form['#validate'][] = 'user_validate_current_password';
+ }
+ }
+
 // Signature:
 if (variable_get('user_signatures', 0) && module_exists('comment') && !$register) {
 $form['signature_settings'] = array(
Index: user.pages.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/user/user.pages.inc,v
retrieving revision 1.40
diff -u -r1.40 user.pages.inc
--- user.pages.inc 18 Jun 2009 21:19:02 -0000 1.40
+++ user.pages.inc 24 Jun 2009 12:50:55 -0000
@@ -105,6 +105,8 @@
 // user, which invalidates further use of the one-time login link.
 user_authenticate_finalize($form_state['values']);
 drupal_set_message(t('You have just used your one-time login link. It is no longer necessary to use this link to login. Please change your password.'));
+ // Place password reset tag, so user could change it's password without current password check.
+ $_SESSION['pass_reset_'. $user->uid] = TRUE;
 drupal_goto('user/' . $user->uid . '/edit');
 }
 else {
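Review bot: `$form['#validate'][] = 'user_validate_current_password';` appends to the validator list from inside the form builder helper, which only works if the caller that assembles the final form (outside this diff) also appends rather than assigning `#validate` outright — confirm that, or this handler is silently dropped together with the current-password check. The bypass condition `!isset($_SESSION['pass_reset_'. $uid])` is keyed on the account being edited, which is right for the self-service case, but a short comment tying it to where the tag is set and cleared would help the next reader, e.g. `// Skip the check when the user arrived through a one-time login link; the tag is set in user_pass_reset() and cleared in user_save().` user_edit_form() starts before and ends after the hunk.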
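Review bot: The tag stored at `$_SESSION['pass_reset_'. $user->uid] = TRUE;` never expires, so the current-password requirement stays disabled for every account field for the rest of the session rather than until the password is actually changed — a session obtained through the one-time link can alter the e-mail address without the password ever being proved, which widens the exposure of a lost or stolen link. Store the request time instead, `$_SESSION['pass_reset_'. $user->uid] = REQUEST_TIME;`, and have the form builder in user_edit_form() treat a tag older than the one-time-link validity window as absent. The comment has a typo: `it's` → `its`. user_pass_reset() starts and ends outside the hunk.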