Forward-port fix for #12 from 2.13 branch.

zopefoundation · Dec 21, 2015 · e47723e · e47723e
1 parent 8f10021
commit e47723e
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -3,12 +3,18 @@ Changelog
 
 For changes before verison 3.0, see ``HISTORY.txt``.
 
+3.0.12 (unreleased)
+-------------------
+
+- Avoid acquiring ``access`` from module wrapped by
+  ``SecurityInfo._ModuleSecurityInfo``.  See:
+  https://github.com/zopefoundation/AccessControl/issues/12
+
 3.0.11 (2014-11-02)
 -------------------
 
 - Harden test fix for machines that do not define `localhost`.
 
-
 3.0.10 (2014-11-02)
 -------------------
 

diff --git a/src/AccessControl/SecurityInfo.py b/src/AccessControl/SecurityInfo.py
@@ -295,6 +295,7 @@ class _ModuleSecurityInfo(SecurityInfo):
     """Encapsulate security information for modules."""
 
     __roles__ = ACCESS_PRIVATE
+    access = False  # deny by default, prevent acquiring 'access' from module
 
     def __init__(self, module_name=None):
         self.names = {}