[dancer-users] Why does send_file() require a path relative to pubdir?

Warren Young warren at etr-usa.com
Mon Mar 24 13:55:45 GMT 2014


Dancer::send_file() gives a "No such file" error if you pass it an 
absolute path or one that is not directly relative to $pubdir.

I'm using send_file() to send dynamically generated PDF files to the 
client from behind pretty routes.  That is, I want '/pdf/foo.pdf' to 
generate and send:

  	/home/me/app/pdfbuild/foo-$user-$yymmdd-$hhmmss.pdf

The generated PDF file has the user name in it so that other users don't 
clobber each other's generated PDFs.  The file name contains a timestamp 
because the data that goes into the PDF changes frequently, so a second 
access of the URL needs to re-generate the PDF.

Because of all this dynamic generation, I'm doing the background work in 
this pdfbuild directory, because I don't want to expose the intermediate 
files.

I've fixed this by putting the intermediate files in pdfbuild and the 
final output PDF in .../pdfbuild/../public/pdf but this effectively 
exposes all generated PDFs: any user can pull up any other user's 
dynamic PDF if they know another user name and can make sensible guesses 
about the timestamp.  Obviously I could add a nonce to the file name to 
make guessing impossible, but that's solving the symptom, rather than 
attacking the actual source of the problem.

Why doesn't send_file() just return a binary blob to Dancer, which it 
recognizes and inserts literally into the response content body?  Why 
does it care where on the filesystem that data comes from?
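
The following is an added example, not part of the original post and not code from the Dancer project: a Dancer 1 route that generates the PDF in the private pdfbuild directory and returns it only to the logged-in user, using the `system_path` option of Dancer 1's `send_file()`, which the post does not mention. The session key `user`, the `build_pdf` helper and its placeholder output are assumptions made for illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Dancer;
use File::Spec;
use POSIX qw(strftime);

# Assumption: a session engine is enabled and the login flow (not shown)
# stores the authenticated user name in session('user').
set session => 'Simple';

# Private build directory from the post; it is not under public/.
my $build_dir = '/home/me/app/pdfbuild';

# Hypothetical stand-in for the real PDF generator: writes a file at $path.
sub build_pdf {
    my ($path, $doc, $user) = @_;
    open my $fh, '>:raw', $path or die "cannot write $path: $!";
    print {$fh} "%PDF-1.4\n% placeholder for $doc ($user)\n";
    close $fh or die "cannot close $path: $!";
    return $path;
}

# The route regex only admits a plain document name, so nothing from the
# URL can add directory components to the path built below.
get qr{/pdf/([A-Za-z0-9_-]{1,64})\.pdf} => sub {
    my ($doc) = splat;

    my $user = session('user')
        or return send_error('Login required', 401);
    return send_error('Unexpected user name', 500)
        unless $user =~ /\A[A-Za-z0-9_-]{1,64}\z/;

    # User and timestamp come from the server side, never from the request,
    # so a client can only ever be sent a file generated for its own session.
    my $stamp = strftime('%y%m%d-%H%M%S', localtime);
    my $path  = File::Spec->catfile($build_dir, "$doc-$user-$stamp.pdf");
    build_pdf($path, $doc, $user);

    # system_path => 1 makes send_file treat $path as a filesystem path
    # instead of resolving it under the public directory.
    return send_file($path, system_path => 1,
                     content_type => 'application/pdf');
};

dance;
```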

