Bug in client's scope restriction

afilippov1985 · afilippov1985 · commit e2aff18da283 · 2015-11-17T14:22:19.000+04:00
If set `scope` column in `oauth_clients` table to empty string, then client allowed to any scope even if it not exists in `oauth_scopes` table.
diff --git a/src/OAuth2/Controller/AuthorizeController.php b/src/OAuth2/Controller/AuthorizeController.php
@@ -236,8 +236,8 @@ public function validateAuthorizeRequest(RequestInterface $request, ResponseInte
             // restrict scope by client specific scope if applicable,
             // otherwise verify the scope exists
             $clientScope = $this->clientStorage->getClientScope($client_id);
-            if ((is_null($clientScope) && !$this->scopeUtil->scopeExists($requestedScope))
-                || ($clientScope && !$this->scopeUtil->checkScope($requestedScope, $clientScope))) {
+            if ((empty($clientScope) && !$this->scopeUtil->scopeExists($requestedScope))
+                || (!empty($clientScope) && !$this->scopeUtil->checkScope($requestedScope, $clientScope))) {
                 $response->setRedirect($this->config['redirect_status_code'], $redirect_uri, $state, 'invalid_scope', 'An unsupported scope was requested', null);
 
                 return false;
