vtiger CRM Trac Ticket

Detailed Explanation

A specifically crafted URL issued by any logged-in user lets that user promote themselves to the admin role and also change the value of ANY field on other users' profiles.

The URL simply calls the inline Detail View Ajax edit functionality, which applied the requested field change without checking whether the requesting user was allowed to edit that record or that field.

The committed patch solves both problems by restricting editing of a user record to that user and to admin users, and by additionally restricting editing of the is_admin field to users with administrative privileges.
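The following is an added illustration of the two authorization rules the fix describes, written for this page and not taken from the vtiger code base. It models a user table, the pre-patch handler that applies any field change for any logged-in user, and a patched handler that applies the two checks. The request parameter names (recordid, fldName, fieldValue), the "on"/"off" representation of is_admin and the sample users are all assumptions made for the example:

```python
from urllib.parse import parse_qs, urlsplit

# Assumed name and representation of the admin flag on a user record.
ADMIN_FLAG = "is_admin"
PRIVILEGED_FIELDS = {ADMIN_FLAG}


def fresh_users():
    """Constructed sample user records (not data from a real vtiger install)."""
    return {
        1: {"user_name": "admin", "email": "admin@example.com", ADMIN_FLAG: "on"},
        2: {"user_name": "alice", "email": "alice@example.com", ADMIN_FLAG: "off"},
        3: {"user_name": "bob", "email": "bob@example.com", ADMIN_FLAG: "off"},
    }


def is_admin(users, user_id):
    return users[user_id][ADMIN_FLAG] == "on"


def vulnerable_inline_edit(users, actor_id, record_id, field, value):
    """Pre-patch behaviour: being logged in is the only check, so any
    user may write any field of any user record, including is_admin."""
    users[record_id][field] = value
    return True, "applied"


def authorize_user_field_edit(users, actor_id, record_id, field):
    """Authorization decision implementing the two rules the fix describes."""
    if record_id not in users:
        return False, "no such user"
    if field not in users[record_id]:
        return False, "no such field"
    actor_is_admin = is_admin(users, actor_id)
    # Rule 1: only the record's own user or an administrator may edit it.
    if record_id != actor_id and not actor_is_admin:
        return False, "only the record owner or an administrator may edit this user"
    # Rule 2: the admin flag may only be changed by an administrator,
    # so a non-admin cannot promote even their own account.
    if field in PRIVILEGED_FIELDS and not actor_is_admin:
        return False, f"{field} may only be changed by an administrator"
    return True, "ok"


def patched_inline_edit(users, actor_id, record_id, field, value):
    """Post-patch behaviour: the write happens only if authorization passes."""
    allowed, reason = authorize_user_field_edit(users, actor_id, record_id, field)
    if allowed:
        users[record_id][field] = value
    return allowed, reason


def handle_inline_edit_url(users, actor_id, url, handler):
    """Parse the crafted URL (assumed parameter names) and run a handler
    on behalf of the logged-in user actor_id."""
    query = parse_qs(urlsplit(url).query)
    record_id = int(query["recordid"][0])
    field = query["fldName"][0]
    value = query["fieldValue"][0]
    return handler(users, actor_id, record_id, field, value)


# Constructed example of the crafted request: alice (user 2) tries to set
# her own admin flag through the inline edit endpoint.
CRAFTED_URL = ("index.php?module=Users&action=DetailViewAjax"
               "&recordid=2&fldName=is_admin&fieldValue=on")


if __name__ == "__main__":
    before = fresh_users()
    print(handle_inline_edit_url(before, 2, CRAFTED_URL, vulnerable_inline_edit),
          before[2][ADMIN_FLAG])
    after = fresh_users()
    print(handle_inline_edit_url(after, 2, CRAFTED_URL, patched_inline_edit),
          after[2][ADMIN_FLAG])
```

Note that the second rule is applied independently of the first: without it, a non-admin editing their own record would still pass the owner check and could flip is_admin, which is exactly the self-promotion the ticket reports.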

Thank you Muhammed Abdul Salim for reporting this.

Updates
