Question

In a production deployment, you wouldn't have your /app folder in the public webroot; it only takes one sloppy fingered mistake to turn private business assets such as PHP files into plaintext on the web. The advanced and production installation instructions in the book describe how to topologically isolate the webroot directory, so you can make folders containing PHP files readable only by you. This technique has worked great for me for a while - but now I want to use and develop plugins.

The CakePHP book omits the discussion of plugins in production deployments. For those of you that use CakePHP in production with plugins, how do you make the assets in a given plugin's webroot directory publicly accessible?

Do you create a plugins folder in webroot and then symlink plugins/my_plugin_name to the plugin webroot? Do you manually copy the plugin webroot folder into webroot? Do you bite the bullet and just relocate the plugins folder to webroot? Do you use some kind of fancy content feeding plugin?

What's the best solution?

Solution

Sounds to me like you should manually copy files from the plugin webroot to your own webroot. If it's in production, I presume you aren't going to be turning the plugin on/off frequently (as one might do in development), so this would be a one-time process.

Also, doing it this way keeps your private assets out of publicly-accessible folders, maintaining the security you are concerned about.

On the other hand

If the plugin is open source, take the easy way out and drop that whole sucker in the webroot. If it gets compromised, you shouldn't really care, since the files are freely distributed anyway.
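
One way to script the one-time copy recommended above, so that only static assets reach the public webroot and PHP sources stay private. This is an added example, not part of the original answer; the directory layout, the destination path `<webroot>/<plugin>/` and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed layout:
#   $1 = private plugins dir containing <plugin>/webroot/...
#   $2 = public webroot; assets are published to $2/<plugin>/...

# Only these extensions are copied into the public tree.
ALLOWED_EXT="css js png jpg jpeg gif svg ico woff woff2"

is_allowed() {
    # Compare on the lower-cased file name only, not the whole path.
    name=$(printf '%s' "${1##*/}" | tr 'A-Z' 'a-z')
    case $name in
        # Reject PHP-like segments anywhere in the name (e.g. x.php.jpg).
        *.php*|*.phtml*|*.phar*|*.ctp*) return 1 ;;
        *.*) ;;
        *) return 1 ;;   # no extension at all
    esac
    ext=${name##*.}
    for ok in $ALLOWED_EXT; do
        [ "$ext" = "$ok" ] && return 0
    done
    return 1
}

publish_plugin_assets() {
    plugins_dir=$1
    public_root=$2
    for src in "$plugins_dir"/*/webroot; do
        [ -d "$src" ] || continue
        plugin=$(basename "$(dirname "$src")")
        # -type f skips symlinks, so a link into private code is not copied.
        find "$src" -type f | while IFS= read -r file; do
            if ! is_allowed "$file"; then
                echo "skipped: $file" >&2
                continue
            fi
            dest=$public_root/$plugin/${file#"$src"/}
            mkdir -p "$(dirname "$dest")"
            cp "$file" "$dest"
            chmod 644 "$dest"   # readable by the web server, not executable
        done
    done
}

# Run directly as: publish.sh /path/to/plugins /path/to/webroot
if [ "$#" -eq 2 ]; then publish_plugin_assets "$1" "$2"; fi
```

Skipped files are reported on stderr, which makes a stray PHP file in a plugin's webroot visible at deploy time instead of on the live site.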

License: CC-BY-SA with attribution
Not affiliated with StackOverflow