Hmm- it looks like you have a point there. In which case it may be easier to use a standard PerlRequestHandler, and if they are allowed access, use $r->sendfile($filename) to send the file.

Clint