When creating custom display objects using Ajax, the response from any file inside the site's /includes directory will be a simple message, "Access Restricted". This is by design, but it is easy to get around.

The message comes from Mura's default Application.cfc file, which is inside the /includes directory and contains only the message and a <cfabort> tag. The purpose of this file is to keep any content stored inside the /includes directory from being delivered directly, e.g. if a user guessed the path to a display object, or some poorly executed code were to somehow direct a user to a file in /includes.

But since Application.cfc has a cascading priority (ColdFusion uses the one closest to the requested file), you can simply place your own Application.cfc file inside the directory where your desired content is stored.

So, for example, if I have an Ajax form that posts to /siteid/includes/display_objects/custom/forms/handler.cfm, I simply need to create the file /siteid/includes/display_objects/custom/forms/Application.cfc

with the following content:

<cfcomponent output="false">
	<!--- this prevents Mura from blocking access to this folder --->
</cfcomponent>

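You can put anything you like in the Application.cfc, but a blank CFC is all that is needed to prevent the "Access Restricted" message and abort, because it overrides the Application.cfc in the parent folder. The override applies to every file in that directory, and to any subdirectory that has no Application.cfc of its own, so keep only files that are meant to be requested directly there.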
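Since anything can go in the override, here is a narrower variant of the blank file, added as an example and not taken from Mura or the original post. It assumes handler.cfm is the only template in the folder that should be reachable and that it is only ever called by POST; the allowedTemplates name and the 403 status are choices made for this example.

```cfml
<cfcomponent output="false">
	<!--- Assumption: the only template in this folder meant to be requested directly --->
	<cfset variables.allowedTemplates = "handler.cfm">

	<cffunction name="onRequestStart" access="public" returntype="boolean" output="true">
		<cfargument name="targetPage" type="string" required="true">

		<!--- Folder holding this Application.cfc, and folder/file actually requested --->
		<cfset var thisDir = getDirectoryFromPath(getCurrentTemplatePath())>
		<cfset var requestedPath = expandPath(arguments.targetPage)>
		<cfset var requestedDir = getDirectoryFromPath(requestedPath)>
		<cfset var requestedFile = getFileFromPath(requestedPath)>

		<!---
			Refuse the request unless all of these hold:
			- the template sits in this folder itself, not in a subfolder
			  that inherits this Application.cfc
			- its file name is on the allow list
			- it was sent as a POST (assumed to be how the Ajax form calls it)
		--->
		<cfif compareNoCase(requestedDir, thisDir) NEQ 0
				OR NOT listFindNoCase(variables.allowedTemplates, requestedFile)
				OR cgi.request_method NEQ "POST">
			<!--- Same message the parent /includes folder returns --->
			<cfheader statuscode="403" statustext="Forbidden">
			<cfoutput>Access Restricted.</cfoutput>
			<cfabort>
		</cfif>

		<cfreturn true>
	</cffunction>
</cfcomponent>
```

With this in place, the other files in the folder keep returning the restricted message, while handler.cfm still answers the form post.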