From d6dfa89533b194ca657afcb5f7708d99905a4fe6 Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Sun, 12 Apr 2015 21:15:03 -0500
Subject: [PATCH] check client information on delete of resource set

---
 .../uma/web/ResourceSetRegistrationEndpoint.java | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/openid-connect-server/src/main/java/org/mitre/uma/web/ResourceSetRegistrationEndpoint.java b/openid-connect-server/src/main/java/org/mitre/uma/web/ResourceSetRegistrationEndpoint.java
index 1e2cbfa09..1b0b1e5ef 100644
--- a/openid-connect-server/src/main/java/org/mitre/uma/web/ResourceSetRegistrationEndpoint.java
+++ b/openid-connect-server/src/main/java/org/mitre/uma/web/ResourceSetRegistrationEndpoint.java
@@ -221,13 +221,22 @@ public class ResourceSetRegistrationEndpoint {
 logger.warn("Unauthorized resource set request from bad user; expected " + rs.getOwner() + " got " + auth.getName());
 // it wasn't issued to this user
- m.addAttribute("code", HttpStatus.FORBIDDEN);
+ m.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN);
+ return JsonErrorView.VIEWNAME;
+ } else if (auth instanceof OAuth2Authentication &&
+ !((OAuth2Authentication)auth).getOAuth2Request().getClientId().equals(rs.getClientId())){
+
+ logger.warn("Unauthorized resource set request from bad client; expected " + rs.getClientId() + " got " + ((OAuth2Authentication)auth).getOAuth2Request().getClientId());
+
+ // it wasn't issued to this user
+ m.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN);
 return JsonErrorView.VIEWNAME;
 } else {
+ // user and client matched
 resourceSetService.remove(rs);
- m.addAttribute("code", HttpStatus.NO_CONTENT);
+ m.addAttribute(HttpCodeView.CODE, HttpStatus.NO_CONTENT);
 return HttpCodeView.VIEWNAME;
 }
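Review bot: The new client check at `} else if (auth instanceof OAuth2Authentication && ...)` only runs when the authentication is an `OAuth2Authentication`; any other `Authentication` type skips it and falls through to the final `else`, where `resourceSetService.remove(rs)` runs with no client check at all, so the guard fails open unless the endpoint's security configuration guarantees an OAuth2 token here (not visible in this hunk). Inverting the condition keeps the delete path fail-closed: `} else if (!(auth instanceof OAuth2Authentication) || !((OAuth2Authentication) auth).getOAuth2Request().getClientId().equals(rs.getClientId())) {`, with the warn message then guarding against the non-OAuth2 case before reading the client id. The copied comment in that branch should read `// it wasn't issued to this client`, and hoisting the cast once into a local avoids repeating `((OAuth2Authentication)auth).getOAuth2Request().getClientId()` three times. The enclosing method starts and ends outside the hunk.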