/tcl (read by bootstrap code)
/www ("/package-key/foo" is mapped to "/package-key/www/foo" rp requires user have read priv)
/www/admin (request processor requires user have admin privs)
One issue is that currently packages put .gif, .jpg, .png and other image elements under various /www directories. An issue for performance is the fact that references are then permission checked by the request processor, which typically isn't necessary.
Sloan created a global /graphics directory which is then not checked by the request processor, but this doesn't allow APMs packages by third parties to take advantage (as their files are all supposed to be in their package directory tree)
My proposal to fix this is simple: define "/www/resources" to be a directory that isn't permission checked by the request processor. We already have the "/www/admin" precedent for treating a subdirectory of "/www" specially. Package could then stash their little left and right arrow .gifs and the like there knowing that they'd be available whether or not the user's logged in and without any permission checking overhead.
The other issue concerns templates that are meant to be included, rather than referenced by URL. For instance file-storage has a template named "folder-chunk" under its /www directory. Now ... if permission checking is done by the caller of an includable template rather than the template itself, a security hole is introduced (potentially at least.) Outsiders can call folder-chunk directly, in this example (though I think it does the proper permission checking, perhaps I should check!) One way around this: put the template someplace where the request processor won't see it.
My suggestion is simple: /templates under the package key. If an includable template is stuck there no one can reference it with an HTTP request, so relying on the caller doing security checking is no longer a security issue (if it is done properly, of course!)
So my suggestion is that we support the following structure:
What do others think? I'd make the simple request processor change needed for /www/resources shortly. Of course current packages would still work fine with files stored as they are, but I'd anticipate people would start taking advantage of the /www/resources directory to avoid permission checking quite soon, particularly in .LRN ...