[BUGFIX] Respect requested scope for extension restriction
Previously, the extension restriction was automatically
skipped if the current fe_user had either the admin or
reviewer user group assigned. This however prevented
such users to restrict tokens to a subset of their extensions
it they just wanted a token for their personal use.
This is now fixed. The restriction process is now only
skipped if such user also requests the
extension:review scope for the token to be created,
since this indicates that the token should be used as a
so called "controller" token.
Closes #496 (closed)