SECURITY: rate-limit and prevent blocked users from changing email

[lhc/web/wiklou.git] / includes / api / ApiOptions.php

diff --git a/includes/api/ApiOptions.php b/includes/api/ApiOptions.php
index 3ea827c..c4de31f 100644 (file)
--- a/includes/api/ApiOptions.php
+++ b/includes/api/ApiOptions.php
@@ -52,9 +52,9 @@ class ApiOptions extends ApiBase {
                        $this->dieWithError( [ 'apierror-missingparam', 'optionname' ] );
                }
 
-               if ( $params['reset'] ) {
-                       $this->resetPreferences( $params['resetkinds'] );
-                       $changed = true;
+               $resetKinds = $params['resetkinds'];
+               if ( !$params['reset'] ) {
+                       $resetKinds = [];
                }
 
                $changes = [];
@@ -68,6 +68,14 @@ class ApiOptions extends ApiBase {
                        $newValue = $params['optionvalue'] ?? null;
                        $changes[$params['optionname']] = $newValue;
                }
+
+               Hooks::run( 'ApiOptions', [ $this, $user, $changes, $resetKinds ] );
+
+               if ( $resetKinds ) {
+                       $this->resetPreferences( $resetKinds );
+                       $changed = true;
+               }
+
                if ( !$changed && !count( $changes ) ) {
                        $this->dieWithError( 'apierror-nochanges' );
                }