Comment 8 for bug 1237989

Thierry Carrez (ttx) wrote :

With the proposed fix I see two sides in this issue: an unfortunate default (update_user not being restricted to admin_required) and a v3 API gap (no way for users to update password in a secure manner).

This makes this OSSN territory: we need to warn users that they may not be as secure as they think with the Grizzly default and should consider changing it.

Havana should have the "right" default. Icehouse should add the missing API call, completing the strengthening.
Thoughts?