Only let users log in to an OAuth server if they can see it

Summary:
Fixes T7169. We just weren't doing a policy-aware query. Basic idea here is that if you set an app to be visible only to specific users, those specific users are the only ones who should be able to authorize it.

In the Phacility cluster, this allows us to prevent users who haven't been invited from logging in to an instance.

Test Plan:
  - Tried to log into an instance I was not a member of.
  - Logged into an instance I am a member of.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T7169

Differential Revision: https://secure.phabricator.com/D11696

src/applications/oauthserver/controller/PhabricatorOAuthServerAuthController.php

@@ -39,8 +39,23 @@ final class PhabricatorOAuthServerAuthController
     // one giant try / catch around all the exciting database stuff so we
     // can return a 'server_error' response if something goes wrong!
     try {
-      $client = id(new PhabricatorOAuthServerClient())
-        ->loadOneWhere('phid = %s', $client_phid);
+      try {
+        $client = id(new PhabricatorOAuthServerClientQuery())
+          ->setViewer($viewer)
+          ->withPHIDs(array($client_phid))
+          ->executeOne();
+      } catch (PhabricatorPolicyException $ex) {
+        // We require that users must be able to see an OAuth application
+        // in order to authorize it. This allows an application's visibility
+        // policy to be used to restrict authorized users.
+
+        // None of the OAuth error responses are a perfect fit for this, but
+        // 'invalid_client' seems closest.
+        return $this->buildErrorResponse(
+          'invalid_client',
+          pht('Not Authorized'),
+          pht('You are not authorized to authenticate.'));
+      }
 
       if (!$client) {
         return $this->buildErrorResponse(