In my environment, users get accounts created with the API and login is done directly for them. So if they could change the password, they would break their access.
I would also like to disable the API for users, but still have it for the superuser. I just solved this by hiding the API link (and hope that they wouldn't know how to use it otherwise; they shouldn't, as they won't know the token).
Attached is a proposed patch to get these features. It uses the following settings in the config. Of course, the naming of those can be changed.
[ui]
disablepasswordchange = 1
hideapi = 1
Attachment: Patch to implement suggested changes