So it came to my attention that, even though only Managing Editors and Publishers (Textpattern privilege assignments) are given access to the ‘admin’ tab in the Administration Panel, anyone who is logged in can access the ‘site admin’ screen if they point their browser to ?event=admin
e.g. http://goodgrape.net/textpattern/?event=admin

This means two things:

1. users are able to change their own passwords by visiting that link — this is good
2. any user is able to access the full list of registered users, including their real names and email addresses — this is possibly bad

Perhaps you don’t mind having the names and email addresses exposed. But in case you do, here’s how to hide that list from view:

1. Open the txp_admin file:
   /textpattern/include/txp_admin.php


2. find the following code (the line number is approximately 210, but it may be different with your file/your text editor):
   

   	function author_list() 
   	{
   		global $myprivs;
   +		if ($myprivs != 1) return;
   		$out[] = hed(gTxt('authors'),3,' align="center"');
   		$out[] = startTable('list');
   

3. Add the line with the + sign in front of it, in the context shown above. (Remove the plus sign from your actual code, though.)

And there you have it. Users will still be able to access the page to change their password, but your list of authors will now be restricted for viewing only by those with regular admin access.

thanks to Manfre for this