Allow ModuleSecurityInfo objects to be reused even after they have been

applied to ttheir modules.

When trusted code or module refreshes ask for a ModuleSecurityInfo object
that was already applied, previously a new one would be created, including
new ones for the parent packages. This could cause declartion for *other*
packages to be removed when this new Info object is reapplied later on.

lib/python/AccessControl/SecurityInfo.py

@@ -198,6 +198,7 @@ class ClassSecurityInformation(ClassSecurityInfo):
     access = 0
 
 _moduleSecurity = {}
+_appliedModuleSecurity = {}
 
 def secureModule(mname, *imp):
     modsec = _moduleSecurity.get(mname, None)
@@ -209,6 +210,7 @@ def secureModule(mname, *imp):
         apply(__import__, (mname,) + tuple(imp))
     module = sys.modules[mname]
     modsec.apply(module.__dict__)
+    _appliedModuleSecurity[mname] = modsec
     return module
 
 def ModuleSecurityInfo(module_name=None):
@@ -216,6 +218,17 @@ def ModuleSecurityInfo(module_name=None):
         modsec = _moduleSecurity.get(module_name, None)
         if modsec is not None:
             return modsec
+        modsec = _appliedModuleSecurity.get(module_name, None)
+        if modsec is not None:
+            # Move security info back to to-apply dict (needed for product
+            # refresh). Also invoke this check for parent packages already
+            # applied
+            del _appliedModuleSecurity[module_name]
+            _moduleSecurity[module_name] = modsec
+            dot = module_name.rfind('.')
+            if dot > 0:
+                ModuleSecurityInfo(module_name[:dot])
+            return modsec
         dot = module_name.rfind('.')
         if dot > 0:
             # If the module is in a package, recursively make sure