If you are using ColdBox give me one good reason why placing it outside of the webroot is your preference?
there are absolutely ZERO good reasons to keep everything inside the webroot, so there is nothing to discuss.
Lol, you guys crack me up.
Andrew, I told you why we keep the majority of our code out of the webroot. It is simply for the purposes of sharing that code between multiple applications. For instance, we currently have three separate sites that share the majority of handlers, views, js, images, css, models, interceptors, plugins, you name it. We rely heavily on the external locations (as well as some IIS mappings) and store the shared stuff in a “common” directory. It has little to do with security and everything to do with plain convenience. I’m not really trying to “prevent” anything-- it just makes perfect sense to us to only have those files once in source control.
That being said, we don’t keep everything outside the webroot. We “override” views and handlers (that will usually extend the common handler) when we want one of the sites to behave a little differently than the rest.
All that aside, we’re still straying from the OP’s question which is how to reliably access static assets from a module regardless of where the user of your module chooses to put it. Should ColdBox modules be “drop and play”, or is it a valid expectations to require module devs to distribute them with installation instructions that identify portions of the module that will need to be publicly accessible if it is not placed in the web root. ?