Requirement
I thought it would be better if I could change this behavior with an optional switch.
Consideration
In the current implementation, while the logged-in user is away, you can change the user name and password by operating the edit screen. I think that this is assumed to use inside the building of the enterprise that tends to leave the seat, while the screen is open. But, originally, I think internal crimes are less likely to occur if it is inside the enterprise. On the other hand, when using outside the building, I think that there are many cases where it is self-responsibility. However, if you need to enter a password you are safe even if you leave your seat.
Target
I thought that this processing should be added to such as the following processing that affect more bigger than the password change processing.
Change user name & E-mail address screen
There is a case, suddenly, a user will not be able to use own account due to abuse of user name change by the other user. Especially, in the case of the E-mail address was changed, this state can not be recovered by only the password reset processing without tracking the ID and user name.
Delete account screen
Since deletion specification depends on the specification of each project, this screen does not exist at this time. However, since in case of deleting an account of e-mail format, there are cases that the account cannot be re-created, we think that it is meaningful to defend it with a password when adding an account deletion screen.