patches/Restricted: Fix the way we allow classes

make our type checker falseish, so that ZopeGuard security checks don't
short circuit this.

product/ERP5Type/patches/Restricted.py

@@ -81,18 +81,22 @@ def allow_class_attribute(klass, access=1):
   assert(inspect.isclass(klass))
   _safe_class_attribute_dict[klass] = access
 
-def _check_type_access(name, v):
+
+class TypeAccessChecker:
+  """Check Access for class instances (whose type() is `type`).
+  """
+  def __call__(self, name, v):
     """
-    Create a method which checks the access if the context type is <type 'type'>s.
+    Create a callable which checks the access if the context type is <type 'type'>s.
     Since the 'type' can be any types of classes, we support the three ways
     defined in AccessControl/SimpleObjectPolicies.  We implement this
     as "a method which returing a method" because we can not know what is the
     type until it is actually called. So the three ways are simulated the
-    returning method inide this method.
+    function returned by this method.
     """
     def factory(inst, name):
       """
-     Check function used with ContainerAssetions checked by cAccessControl.
+      Check function used with ContainerAssertions checked by cAccessControl.
       """
       access = _safe_class_attribute_dict.get(inst, 0)
       # The next 'dict' only checks the access configuration type
@@ -110,7 +114,15 @@ def _check_type_access(name, v):
       return v
     return factory
 
-ContainerAssertions[type] = _check_type_access
+  def __nonzero__(self):
+    # If Containers(type(x)) is true, ZopeGuard checks will short circuit,
+    # thinking it's a simple type, but we don't want this for type, because
+    # type(x) is type for classes, being trueish would skip security check on
+    # classes.
+    return False
+
+ContainerAssertions[type] = TypeAccessChecker()
+
 
 class SafeIterItems(SafeIter):