Forum OpenACS Development: Re: Possible Vulnerability in basic-info-update-2.tcl

Posted by russ m on
Barry -

I don't think this is a problem. The ad_require_permission *is* a check that the account doing the update has the right to make changes to the object specified by user_id (and if your system permission hierarchy isn't reflecting reality you've probably got bigger problems).

Although the user_id parameter could in theory be the object_id of something other than a user, the updates that are actually carried out (in the db_transaction block at the end of the file) are restricted to tables and attributes that are appropriate for "user" entities.

The only way I can see that this page could be used outside its designed purpose would be to change the recorded email address of a group that the person doing the update has write but not admin access to (I'm assuming that changing the email address of a group normally requires admin access).
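As an added illustration (not code from this thread or from OpenACS itself), this is the kind of object-type guard that would close the group-email gap described above: it keeps the existing permission check and additionally refuses to proceed unless the object behind user_id really is a user. The proc and column names (ad_page_contract, ad_require_permission, db_string, ad_return_forbidden, ad_script_abort, acs_objects.object_type) are assumed from standard OpenACS; the page contract is a constructed stand-in for the real one in basic-info-update-2.tcl.

```tcl
# Added example, not OpenACS source: a guard that could sit before the
# db_transaction in basic-info-update-2.tcl. Assumes the standard acs_objects
# table and the usual acs-tcl procs named in the lead-in.

ad_page_contract {
    Update basic user info, refusing to act on non-user objects.
} {
    user_id:naturalnum,notnull
    email:notnull
}

# The check the page already performs: the caller must hold "write"
# on the object identified by user_id.
ad_require_permission $user_id "write"

# Additional type check: look up what kind of object user_id actually is.
# A group (or any other object) passed as user_id is rejected here instead
# of having its email rewritten by a page meant only for user accounts.
set object_type [db_string get_object_type {
    select object_type
      from acs_objects
     where object_id = :user_id
} -default ""]

if { $object_type ne "user" } {
    ad_return_forbidden "Not a user account" \
        "The object you are trying to update is not a user account."
    ad_script_abort
}

# ... the original db_transaction block that updates the user tables
# would follow here unchanged.
```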