Comment 4 for bug 1329864

Though it works by matching user_id , it is wrong behavior

Say I want to change your password with my token

 if I do

POST /v3/users/<your_user_id> with my token, it will think you as the owner.

I will expect 401 Authz error, but I believe I will get password doesn't match since I may not be knowing your original password which is part of POST request body.

I will confirm this and update the bug details.