From 0f6fc0ddce733d7cb1249471c41e6f5df611f979 Mon Sep 17 00:00:00 2001
From: Loick Piera
Date: Sun, 13 Jul 2014 19:45:09 +0200
Subject: [PATCH] Fixed wrong scope(s) associated to accessToken
Conflicts:
lib/OAuth2/OAuth2.php
---
lib/OAuth2.php | 13 ++++++----
tests/OAuth2Test.php | 58 ++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 66 insertions(+), 5 deletions(-)
diff --git a/lib/OAuth2.php b/lib/OAuth2.php
index 322a917..73d97aa 100644
--- a/lib/OAuth2.php
+++ b/lib/OAuth2.php
@@ -830,13 +830,16 @@ public function grantAccessToken(Request $request = null)
 'access_token_lifetime' => $this->getVariable(self::CONFIG_ACCESS_LIFETIME),
 'issue_refresh_token' => true,
 'refresh_token_lifetime' => $this->getVariable(self::CONFIG_REFRESH_LIFETIME));
- // Check scope, if provided
- if ($input["scope"] && (!isset($stored["scope"]) || !$this->checkScope($input["scope"], $stored["scope"]))) {
- throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_SCOPE, 'An unsupported scope was requested.');
+ $scope = $stored['scope'];
+ if ($input["scope"]) {
+ // Check scope, if provided
+ if (!isset($stored["scope"]) || !$this->checkScope($input["scope"], $stored["scope"])) {
+ throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_SCOPE, 'An unsupported scope was requested.');
+ }
+ $scope = $input["scope"];
 }
- $token = $this->createAccessToken($client, $stored['data'], $stored['scope'], $stored['access_token_lifetime'], $stored['issue_refresh_token'], $stored['refresh_token_lifetime']);
-
+ $token = $this->createAccessToken($client, $stored['data'], $scope, $stored['access_token_lifetime'], $stored['issue_refresh_token'], $stored['refresh_token_lifetime']);
 return new Response(json_encode($token), 200, $this->getJsonHeaders());
 }
diff --git a/tests/OAuth2Test.php b/tests/OAuth2Test.php
index 61a2d34..7be2cb8 100644
--- a/tests/OAuth2Test.php
+++ b/tests/OAuth2Test.php
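Review bot: `$scope = $stored['scope'];` reads the key unconditionally, yet the guard two lines below (`!isset($stored["scope"])`) shows the grant handler may leave it unset; on that path the new line raises an undefined-index notice and `$scope` is null before the check runs. Initialise it defensively instead, `$scope = isset($stored['scope']) ? $stored['scope'] : null;`, so the unset case stays silent and the only way a client-requested scope reaches createAccessToken() is through the checkScope() branch. A comment on the block would help the next reader see the invariant, e.g. `// Issue the requested scope only after checkScope() has accepted it against the stored scope (presumably a containment check, as the ReducedScope test suggests); otherwise issue the full stored scope.` The block also mixes `$stored['scope']` and `$stored["scope"]` quoting on adjacent lines; pick one. grantAccessToken() begins outside the hunk.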
@@ -525,6 +525,39 @@ public function testGrantAccessTokenWithGrantUserWithReducedScope()
 array('date' => null)
 ));
+ $this->assertRegExp('{"access_token":"[^"]+","expires_in":3600,"token_type":"bearer","scope":"scope1"}', $response->getContent());
+
+ $token = $stub->getLastAccessToken();
+ $this->assertSame('cid', $token->getClientId());
+ $this->assertSame('scope1', $token->getScope());
+ }
+
+ public function testGrantAccessTokenWithGrantUserWithNoScope()
+ {
+ $stub = new OAuth2GrantUserStub;
+ $stub->addClient(new OAuth2Client('cid', 'cpass'));
+ $stub->addUser('foo', 'bar', 'scope1 scope2');
+ $stub->setAllowedGrantTypes(array('authorization_code', 'password'));
+
+ $oauth2 = new OAuth2($stub);
+
+ $response = $oauth2->grantAccessToken(new Request(array(
+ 'grant_type' => 'password',
+ 'client_id' => 'cid',
+ 'client_secret' => 'cpass',
+ 'username' => 'foo',
+ 'password' => 'bar',
+ )));
+
+ $this->assertSame(array(
+ 'content-type' => array('application/json'),
+ 'cache-control' => array('no-store, private'),
+ 'pragma' => array('no-cache'),
+ ), array_diff_key(
+ $response->headers->all(),
+ array('date' => null)
+ ));
+
 $this->assertRegExp('{"access_token":"[^"]+","expires_in":3600,"token_type":"bearer","scope":"scope1 scope2"}', $response->getContent());
 $token = $stub->getLastAccessToken();
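Review bot: The arrange block of testGrantAccessTokenWithGrantUserWithNoScope (stub, client 'cid'/'cpass', user 'foo' with 'scope1 scope2', allowed grant types, `new OAuth2($stub)`) is repeated verbatim from the ReducedScope test this hunk closes and again in the NewScope test of the next hunk; a small private factory such as `private function createGrantUserStub()` returning the configured stub would keep the three tests in step when the fixture changes. `setAllowedGrantTypes(array('authorization_code', 'password'))` also enables a grant type this test never exercises; `array('password')` states the intent more precisely. The `assertRegExp` patterns pin the exact key order of the JSON body, so a harmless reordering in the encoder would fail all three tests at once — acceptable here since the existing test does the same, but worth a one-line comment. testGrantAccessTokenWithGrantUserWithReducedScope() begins outside the hunk.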
@@ -532,6 +565,31 @@ public function testGrantAccessTokenWithGrantUserWithReducedScope()
 $this->assertSame('scope1 scope2', $token->getScope());
 }
+ public function testGrantAccessTokenWithGrantUserWithNewScopeThrowsError()
+ {
+ $stub = new OAuth2GrantUserStub;
+ $stub->addClient(new OAuth2Client('cid', 'cpass'));
+ $stub->addUser('foo', 'bar', 'scope1 scope2');
+ $stub->setAllowedGrantTypes(array('authorization_code', 'password'));
+
+ $oauth2 = new OAuth2($stub);
+
+ try {
+ $response = $oauth2->grantAccessToken(new Request(array(
+ 'grant_type' => 'password',
+ 'client_id' => 'cid',
+ 'client_secret' => 'cpass',
+ 'username' => 'foo',
+ 'password' => 'bar',
+ 'scope' => 'scope3',
+ )));
+ $this->fail('The expected exception OAuth2ServerException was not thrown');
+ } catch (OAuth2ServerException $e) {
+ $this->assertSame('invalid_scope', $e->getMessage());
+ $this->assertSame('An unsupported scope was requested.', $e->getDescription());
+ }
+ }
+
 /**
 * Tests OAuth2->grantAccessToken() with client credentials
 *
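Review bot: `$response` is assigned inside the try block but never read, because the call is expected to throw; dropping the assignment (`$oauth2->grantAccessToken(new Request(array(`) makes the intent clearer and avoids an unused-variable warning from static analysis. The new test only covers a request for a scope wholly outside the user's grant ('scope3'); the case that matters most for the fix in lib/OAuth2.php is a partially overlapping request such as `'scope' => 'scope1 scope3'`, which must be rejected outright rather than yield a token for the overlap — worth a second test or a data provider alongside this one. Asserting `$e->getMessage()` equals 'invalid_scope' presumes the exception carries the error code in its message, which is not visible here; confirm against OAuth2ServerException before relying on it.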