It is my opinion that users should be able to change all details associated with their person, including their e-mail address.
Minimum security measure should be: ask the user to enter their password!
E-mail changes should be handled with the same care as password changes:
Asking for their password would prevent somebody from changing the e-mail address for an already logged-in user; after changing the e-mail address, it is usually trivially easy to get a valid password for the account, effectively taking over the account completely.
E-mail confirmation scheme:
Added security measures can come in various ways, usually consisting of some sort of e-mail confirmation.
The difficulty with e-mail confirmation is that a common reason for users to change their current e-mail address is because they can no longer access it (changed jobs, changed providers, etc., etc.).
A common scheme of e-mail change confirmation is the following:
- Send an e-mail to the new address with a "confirm e-mail change" link (make sure it is a working e-mail address).
- Upon receiving the confirmation from the new address:
  - Change the e-mail address.
  - Send an e-mail to the old e-mail address with a "Revoke e-mail change" link (this option should be valid for 30 days or so).
Extended security with e-mail confirmation:
For some high-risk accounts, you could only allow 'limited access' to the account for as long as the 'revocation period' is still active (the above-mentioned 30 days or so).
In addition to the "Revoke e-mail change" link, you can provide a "Confirm e-mail change" link in the e-mail sent to the old address. Clicking the link would make the change of address permanent, ending the revocation and 'limited access' period immediately.
UPDATE
There seems to be some confusion about what is compromised if somebody is 'Logged in'.
There are quite some options for a fraudulent person to gain access to a logged-in account without knowing the password.
Consider for example the option where somebody simply walks away from the keyboard, or has chosen to use some sort of 'remember me' functionality (either provided by the browser or by the website itself).
While this is bad, a well designed system would/should limit the damage by not allowing any account-damaging actions to happen without asking for the user's password again.
The prime example for this is:
Ask the user for his/her current password if they want to change it.
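The scheme in this answer (password re-entry, confirmation from the new address, a 30-day revocation link to the old address, limited access while that window is open, and an early "confirm" from the old address), written out as an added example that is not part of the original answer. Time is passed in as a Unix timestamp so the window can be exercised offline, and mail delivery of the tokens is left to the caller; the class and method names are assumed.

```python
import hashlib
import hmac
import secrets

REVOCATION_WINDOW = 30 * 24 * 3600  # "30 days or so", in seconds

class Account:
    def __init__(self, email, password):
        self.email, self.salt = email, secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.pending_new = self.confirm_token = None    # link mailed to the NEW address
        self.previous_email = self.revoke_token = None  # link mailed to the OLD address
        self.revoke_until = None                        # end of the revocation period
    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
    def check_password(self, password):
        return hmac.compare_digest(self._hash(password), self.pw_hash)

    def request_email_change(self, new_email, password):
        # Step 1: re-ask the current password even though the session is logged in.
        if not self.check_password(password):
            return None
        self.pending_new, self.confirm_token = new_email, secrets.token_urlsafe(32)
        return self.confirm_token  # caller mails this to new_email (delivery not shown)

    def confirm_new_address(self, token, now):
        # Step 2: the new address confirmed; apply the change and open the revocation period.
        if self.confirm_token is None or not hmac.compare_digest(token, self.confirm_token):
            return None
        self.previous_email, self.email = self.email, self.pending_new
        self.pending_new = self.confirm_token = None
        self.revoke_token, self.revoke_until = secrets.token_urlsafe(32), now + REVOCATION_WINDOW
        return self.revoke_token  # caller mails this to previous_email

    def limited_access(self, now):
        # While the old address can still revoke, keep high-risk actions locked down.
        return self.revoke_until is not None and now < self.revoke_until
    def _link_from_old_address(self, token, now):
        return self.limited_access(now) and hmac.compare_digest(token, self.revoke_token)

    def revoke_change(self, token, now):  # "Revoke e-mail change" link
        if not self._link_from_old_address(token, now):
            return False
        self.email, self.previous_email = self.previous_email, None
        self.revoke_token = self.revoke_until = None
        return True

    def confirm_from_old_address(self, token, now):  # "Confirm e-mail change" link
        if not self._link_from_old_address(token, now):
            return False
        self.previous_email = self.revoke_token = self.revoke_until = None
        return True
```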