Unfortunately the fix we had in mind for bug 1508115 proved impractical for a number of reasons, so we had to go with a simpler interim fix, which does not have the side-effect of fixing this bug.
So we're still in the process of working through options - basically it boils down to what Angus said in comment #14, the subtext of which is there's considerable hidden complexity around our (inconsistent) application of the user_resource flag in the environment (you can't rely on it always being false for templates loaded from the global environment, which IMO is a bug), and also around our usage of the generate_class derived subclass for facade validation.
I hope we'll have better news soon but if not then we'll probably have to revisit the path restriction workaround posted by Angus in comment #7. My objections to that approach stand, but I now understand the reasons for it much better :(
Unfortunately the fix we had in mind for bug 1508115 proved impractical for a number of reasons, so we had to go with a simpler interim fix, which does not have the side-effect of fixing this bug.
So we're still in the process of working through options - basically it boils down to what Angus said in comment #14, the subtext of which is there's considerable hidden complexity around our (inconsistent) application of the user_resource flag in the environment (you can't rely on it always being false for templates loaded from the global environment, which IMO is a bug), and also around our usage of the generate_class derived subclass for facade validation.
I hope we'll have better news soon but if not then we'll probably have to revisit the path restriction workaround posted by Angus in comment #7. My objections to that approach stand, but I now understand the reasons for it much better :(