ClientProtectedResourceMixin allows access if no allowed_scopes are set
Using client credentials as the authentication method for API views, we introduced a field for OAuth2 applications that needs to be filled with the scopes these client credentials should have access to. If there are no allowed scopes, the access shouldn't be granted as nothing is allowed. With the current code base, access is also allowed if there are no allowed scopes.
Edited by Jonathan Weth
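
The behaviour reported above next to the expected fail-closed check, as an added example that is not the project's code. `Application`, `has_access_fail_open`, `has_access_fail_closed` and `unscoped_applications` are hypothetical names, and the fail-open branch is an assumed illustration of how an empty list can slip past a scope check.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class Application:
    """Constructed stand-in for an OAuth2 application record (hypothetical)."""
    name: str
    allowed_scopes: Optional[list[str]] = None


def has_access_fail_open(app: Application, required: set[str]) -> bool:
    """Assumed shape of the bug: the check only runs when scopes are set."""
    if not app.allowed_scopes:
        return True  # empty or missing list is read as "no restriction"
    return required <= set(app.allowed_scopes)


def has_access_fail_closed(app: Application, required: set[str]) -> bool:
    """Expected behaviour: no allowed scopes means nothing is allowed."""
    allowed = set(app.allowed_scopes or ())
    if not allowed:
        return False  # deny before comparing, so an empty list never passes
    return required <= allowed


def unscoped_applications(apps: Iterable[Application]) -> list[str]:
    """Names of applications whose credentials were covered by the bug."""
    return [a.name for a in apps if not a.allowed_scopes]


if __name__ == "__main__":
    # Constructed sample data, not taken from any real deployment.
    apps = [
        Application("reporting", ["read"]),
        Application("legacy-sync", []),
        Application("unconfigured", None),
    ]
    for app in apps:
        print(
            app.name,
            "fail-open:", has_access_fail_open(app, {"read"}),
            "fail-closed:", has_access_fail_closed(app, {"read"}),
        )
    print("review these credentials:", unscoped_applications(apps))
```

Running `unscoped_applications` over the stored applications shows which client credentials had unrestricted access while the fail-open check was in place.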