From b5bf40e8d585ba61c205221c22cc2e3638533dcf Mon Sep 17 00:00:00 2001
From: Nikita Bulai
Date: Fri, 20 Apr 2018 14:13:06 +0300
Subject: [PATCH] Use #scopes to work with original/default scopes

#1002: validate scopes based on the request or default server scopes.
---
 .../oauth/password_access_token_request.rb | 2 +-
 spec/requests/flows/password_spec.rb | 22 +++++++++++++++----
 2 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/lib/doorkeeper/oauth/password_access_token_request.rb b/lib/doorkeeper/oauth/password_access_token_request.rb
index 4970c8395..df4a68c01 100644
--- a/lib/doorkeeper/oauth/password_access_token_request.rb
+++ b/lib/doorkeeper/oauth/password_access_token_request.rb
@@ -30,7 +30,7 @@ def validate_scopes
 application_scopes = client.try(:scopes)
 return true if @original_scopes.blank? && application_scopes.blank?
- ScopeChecker.valid? @original_scopes, server.scopes, application_scopes
+ ScopeChecker.valid?(scopes.to_s, server.scopes, application_scopes)
 end
 def validate_resource_owner
diff --git a/spec/requests/flows/password_spec.rb b/spec/requests/flows/password_spec.rb
index 635a37341..76ff91d2e 100644
--- a/spec/requests/flows/password_spec.rb
+++ b/spec/requests/flows/password_spec.rb
@@ -140,7 +140,7 @@
 end
 end
- context 'when application scope is present and no scope is passed' do
+ context 'when application scopes are present and differs from configured default scopes and no scope is passed' do
 before do
 default_scopes_exist :public
 @client.update_attributes(scopes: 'abc')
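Review bot: The new call hands `ScopeChecker.valid?` the normalized string `scopes.to_s` (whitespace-split and re-joined) where it previously received the raw `@original_scopes`, so any check the checker applies to the raw request value — this codebase's checker rejects scope strings containing newline or tab characters, if I recall correctly; please confirm — no longer sees the client input, and a request such as `scope=read%0Awrite` that was refused before would now be normalized to `read write` and accepted when both scopes are permitted. If that raw-format rejection is intentional, keep the raw string on the requested path and fall back to the normalized defaults only when nothing was requested: `ScopeChecker.valid?(@original_scopes.presence || scopes.to_s, server.scopes, application_scopes)`. A one-line comment above the call, such as `# no scope requested: validate the server defaults against the application's allowed scopes`, would also record why the method now validates something the client never sent. `validate_scopes` begins outside the hunk (its `def` line is only the hunk's function context).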
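Review bot: The renamed context description reads `scopes are present and differs`; the verb should agree with its plural subject — `context 'when application scopes are present and differ from configured default scopes and no scope is passed' do`. The `before` block and the examples under this context continue outside the hunk, so the behaviour it asserts (presumably rejection with an `invalid_scope` error) cannot be checked from here.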
@@ -167,12 +167,12 @@
 context 'when application scopes contain some of the default scopes and no scope is passed' do
 before do
- default_scopes_exist :public
 @client.update_attributes(scopes: 'read write public')
 end
- it 'should issue new token with default scopes that are present in application scopes' do
- skip 'this is a failing test case for issue #1002: remove this line once fixed'
+ it 'should issue new token with one default scope that are present in application scopes' do
+ default_scopes_exist :public
+
 expect do
 post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
 end.to change { Doorkeeper::AccessToken.count }.by(1)
@@ -183,6 +183,20 @@
 should_have_json 'access_token', token.token
 should_have_json 'scope', 'public'
 end
+
+ it 'should issue new token with multiple default scopes that are present in application scopes' do
+ default_scopes_exist :public, :read
+
+ expect do
+ post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
+ end.to change { Doorkeeper::AccessToken.count }.by(1)
+
+ token = Doorkeeper::AccessToken.first
+
+ expect(token.application_id).to eq @client.id
+ should_have_json 'access_token', token.token
+ should_have_json 'scope', 'public read'
+ end
 end
 context 'with invalid scopes' do
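Review bot: The renamed example says `one default scope that are present`; the singular needs `that is present` — `it 'should issue new token with one default scope that is present in application scopes' do`. Moving `default_scopes_exist :public` out of `before` and into the example body is what allows the next example to configure different defaults, but it is now the only setup line inside an example in this context, so a short comment such as `# server defaults are configured per example; the application scopes are fixed in before` would explain the split to the next reader. The example body continues past the end of the hunk, so its remaining assertions are not visible here.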
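Review bot: The new example covers only the happy path in which every default scope is also an application scope; the property the fix is guarding — that server defaults never grant a scope the application was not registered for — has no partial-overlap test, e.g. `default_scopes_exist :public, :admin` with application scopes `read write public` should be rejected with an `invalid_scope` error and create no token (the context near line 140 may cover the fully disjoint case, but its body is outside this page). `should_have_json 'scope', 'public read'` checks the response body but not what was persisted; adding `expect(token.scopes.to_s).to eq 'public read'` (or the equivalent for the token's scopes accessor) would catch a mismatch between the stored token and the scope advertised to the client. The enclosing `context` block ends inside the hunk, so the example is complete as shown.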