Index: user.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/user/user.module,v
retrieving revision 1.892.2.13
diff -u -r1.892.2.13 user.module
--- user.module 27 Apr 2009 12:02:27 -0000 1.892.2.13
+++ user.module 15 Jun 2009 16:34:48 -0000
@@ -1457,6 +1457,15 @@
 '#required' => TRUE,
 );
 if (!$register) {
+ // Verify the password if the user is not an admin and if the user is editing his own page
+ if (!$admin || $GLOBALS['user']->uid == $uid) {
+ $form['account']['currentpass'] = array(
+ '#type' => 'password',
+ '#title' => t('Current password'),
+ '#description' => t('To change your password, provide the current one to verify your identity.'),
+ '#size' => 25,
+ );
+ }
 $form['account']['pass'] = array('#type' => 'password_confirm',
 '#description' => t('To change the current user password, enter the new password in both fields.'),
 '#size' => 25,
@@ -1554,7 +1563,11 @@
 form_set_error('name', t('The name %name has been denied access.', array('%name' => $edit['name'])));
 }
 }
-
+ // Calidate current password before setting a new one:
+ $account = user_load(array('uid' => (int)$uid));
+ if (!empty($edit['pass']) && !user_access('administer users') && md5($edit['currentpass']) != $account->pass) {
+ form_set_error('currentpass', t("The old password is wrong, it's needed to change to a new one."));
+ }
 // Validate the e-mail address:
 if ($error = user_validate_mail($edit['mail'])) {
 form_set_error('mail', $error);
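Review bot: The condition that shows `currentpass` in the first hunk (`!$admin || $GLOBALS['user']->uid == $uid`) does not match the condition that enforces it in the second hunk (`!user_access('administer users')`), so an administrator editing their own account is shown the field but, as far as these lines show, it is never checked. That leaves the most privileged accounts without re-authentication on a password change, which is where a borrowed session does the most damage. Compute the rule once and use it in both places, e.g. `$verify_current = !user_access('administer users') || $GLOBALS['user']->uid == $uid;`. The added comment also says "not an admin and ... editing his own page" while the code uses `||`; something like `// Ask for the current password unless an administrator is editing another user's account.` matches the code. `$admin` and `$uid` are defined outside the hunk, so their exact meaning should be confirmed.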
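Review bot: The digest check `md5($edit['currentpass']) != $account->pass` in the second hunk uses PHP's loose comparison, which treats two numeric-looking strings as numbers and can report different digests as equal; use `md5($edit['currentpass']) !== $account->pass`. The check also runs only when `$edit['pass']` is non-empty, so an e-mail change on the same form is still accepted without the current password, and if the site mails password-reset links to that address the new check can be sidestepped; it is worth requiring `currentpass` when `$edit['mail']` differs from `$account->mail` as well. The enclosing validation function starts outside the hunk; if it also runs for registration or for forms without the new field, `$edit['currentpass']` is unset and `$account` may not be the account being edited, so guard with `isset($edit['currentpass'])` and a check on `$account`. The comment typo `Calidate` should read `Validate`.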