If you leave Piwik open and logged in, anyone accessing the computer could change the email address or the password. Changing the email address would allow one to "reset" the password.

Therefore, as an extra security measure, we should require the old password to change the password or the email address.

When changing other settings, inputting the password wouldn't be necessary.

see also #6125

Rather than typing the old password in the page, maybe on submit it could redirect to the login form with only the password field and ask to enter the password there? (Like GitHub does)

Also, and this is important:

  • the API that updates the password (e.g. at least the updateUser API) will need to enforce the same protections, i.e. require the user password to be passed as a parameter before changing the user password

otherwise an attacker could easily write an XSS that calls the API to change the password and bypass the "Enter your password" protection.
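The bypass described in the comment above is closed when the web form and the API share a single code path that performs the re-authentication check. The sketch below is an added illustration written for this issue, not Piwik's code: the `User` model, the `update_user` core, the form field name `current_password` and the API parameter name `passwordConfirmation` are all assumptions, and the PBKDF2 parameters are constructed example values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


class ReauthenticationRequired(Exception):
    """A password or email change was attempted without the current password."""


class InvalidPassword(Exception):
    """The supplied current password does not match the stored one."""


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is a constructed example value.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class User:
    login: str
    email: str
    salt: bytes = field(repr=False)
    password_hash: bytes = field(repr=False)
    alias: str = ""  # a non-sensitive setting used for contrast


def create_user(login: str, email: str, password: str) -> User:
    salt = os.urandom(16)
    return User(login, email, salt, hash_password(password, salt))


def password_matches(user: User, password: str) -> bool:
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(hash_password(password, user.salt), user.password_hash)


def verify_current_password(user: User, current_password) -> None:
    """The one re-authentication check every sensitive change goes through."""
    if not current_password:
        raise ReauthenticationRequired("current password is required for this change")
    if not password_matches(user, current_password):
        raise InvalidPassword("current password does not match")


def update_user(user: User, current_password=None, *, password=None, email=None, alias=None) -> None:
    """Core update routine. Password and email require the current password; alias does not.

    Both the UI handler and the API handler call this, so neither can skip the check."""
    if password is not None or email is not None:
        verify_current_password(user, current_password)
    if password is not None:
        user.salt = os.urandom(16)
        user.password_hash = hash_password(password, user.salt)
    if email is not None:
        user.email = email
    if alias is not None:
        user.alias = alias


def ui_settings_form(user: User, form: dict) -> None:
    """Web form handler; 'current_password' is an assumed field name."""
    update_user(
        user,
        form.get("current_password"),
        password=form.get("password"),
        email=form.get("email"),
        alias=form.get("alias"),
    )


def api_update_user(user: User, params: dict) -> None:
    """updateUser-style API handler; 'passwordConfirmation' is an assumed parameter name.

    A script calling this endpoint from the victim's browser session still has to
    supply the current password, which an XSS payload does not have."""
    update_user(
        user,
        params.get("passwordConfirmation"),
        password=params.get("password"),
        email=params.get("email"),
        alias=params.get("alias"),
    )
```

The important design choice is that the check lives in `update_user`, not in the form handler: if it were only in the UI layer, any other caller of the API (a script injected via XSS, or a CSRF-style request riding on the session cookie) could change the password or email without ever seeing the "Enter your password" prompt.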

