When creating custom display objects using ajax, the response from any file inside of the site /includes directory will be a simple message, "Access Restricted". This is by design, but it is easy to get around.
The message comes from Mura's default Application.cfc file, which is inside the /includes directory, and contains only the message, and a
But, since the Application.cfc has a cascading priority, you can simply place your own Application.cfc file inside the directory where your desired content is stored.
So for example, if I have an ajax form that posts to /siteid/includes/display_objects/custom/forms/handler.cfm I simply need to create the file /siteid/includes/display_objects/custom/forms/Application.cfc
with the following content:
<!--- this prevents Mura from blocking access to this folder --->
You can put anything you like in the Application.cfc, but a blank cfc is all that is needed to prevent the "Access Denied" and abort, overriding the Application.cfc in the parent folder.