Either should be fine if you can display that only authorized trainers can tag a person as trained. The plan is great...but does it work? Can you show it? What safeguards? What testing?
Using many systems like this that I've built myself, I've found it far more convenient to click the button then enter the password. You never know who's account you may be working in at the given time and logging out then back in is a PITA when you have to do it 50 times in a day.
Make the button available to all accounts, and the first action after clicking it is a password entry request. This way a trainer can mark a training record complete even when the trainee is the one logged in.