The reasoning is that, in return for files under resources being available to anybody with no permission checking, we also do no processing on them, so we don't have any risk that they do anything bad on the server.
However, if you request them from /mountedinstance/resources, they *do* get executed.
So either we can
1) live with it, which I think is confusing and dangerous
2) have them not be processed when requested as /mountedinstance/resources, which is trickier than just not serving them, and is more likely to cause potential confusion with developers who don't understand why their .tcl file doesn't get executed.
3) refuse to serve them, which I prefer because it's the easist to implement
If we move it to /resources, then that's even simpler.
/Lars
