Insufficient role authentication

[antirais]

Logged in user (editor) can change password for other users or delete them.

[Example attacks] http://localhost/system/admin/controllers/password.php POST:p=password&i=<user id>

// Delete user http://localhost/system/admin/controllers/users.php?del=<user id>

[evantobin]

I've submitted the code to fix this...