--- concerto-1.9.3-NoCAS/admin/app/users/controller.php 2011-06-17 11:00:56.035168758 -0700
+++ concerto-1.9.3-NoCAS-patched/admin/app/users/controller.php 2011-05-06 15:01:20.000000000 -0700
@@ -151,6 +151,21 @@
 {
 $user = new User($this->args[1]);
 $dat = $_POST['user'];
+
+ // saa 6 May 11
+ // http://itissues.catholiccharities.com/details.aspx?iid=7982
+ // enable password changing from the user profile edit page
+ if ($dat['np1']!=$dat['np2'])
+ {
+ $_SESSION['flash'][]=Array('error', 'Passwords don\'t match...try again.');
+ redirect_to(ADMIN_URL.'/users/edit/'.$this->args[1]);
+ }
+ if ($dat['np1']!='')
+ {
+ $passwdhash=md5($dat['np1']);
+ $sql='update user set password=\''.$passwdhash.'\' where id='.$user->id;
+ sql_query($sql);
+ }
 //We don't want anyone modifying these properties
 //of their own profiles