in reply to In a web app, is using ssl, encrypting request data, and validating request data after decryption overkill?

Don't forget that the "directory structure" that you present to your user may or may not exist. You may show them a tree like /home/user/books, but the actual implementation may be that the data is stored in the database, and your path is really a category, rather than a real path.

The important part is this: check whether the user has the authority to see whatever they have requested.

Make sure that everything is protected, but the more "super security" that you build in, the more chance there will be for bugs to creep in, and to reduce the actual security.

Clint
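The kind of check the reply calls the important part, as an added example that is not part of the original post (Python rather than Perl; the in-memory store, the share table and the `/home/<owner>/<category>` path format are all constructed assumptions). The user-facing path is never used as a filesystem path; it is parsed into an owner and a category, and the data store is only consulted after the requester's authority over that category has been checked.

```python
"""Added example (not from the original post): a virtual "directory" that is
really a category lookup in a data store, with an explicit authorization
check on every request. All names and sample data are constructed."""
import re
from dataclasses import dataclass

# Constructed sample store: (owner, category) -> document titles.
# Nothing here is a real filesystem path.
STORE = {
    ("alice", "books"): ["Perl Cookbook", "Programming Perl"],
    ("alice", "notes"): ["todo.txt"],
    ("bob", "books"): ["Learning Perl"],
}

# Constructed sample share table: a category the owner lets others read.
SHARES = {
    ("alice", "books"): {"bob"},
}

# A path segment is a short, plain identifier; anything else is rejected.
_SEGMENT = re.compile(r"^[a-z0-9_-]{1,32}$")


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class Resource:
    owner: str
    category: str


def parse_virtual_path(path: str) -> Resource:
    """Turn the user-facing path /home/<owner>/<category> into a store key.

    Validation happens here, after transport decryption, on the plaintext
    the application will actually act on. The result is only ever used as
    a dictionary key, never joined onto a real directory.
    """
    parts = path.split("/")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "home":
        raise ValueError("malformed virtual path")
    owner, category = parts[2], parts[3]
    if not (_SEGMENT.match(owner) and _SEGMENT.match(category)):
        raise ValueError("invalid path segment")
    return Resource(owner, category)


def is_authorized(requester: str, res: Resource) -> bool:
    """Does this user have the authority to see what they asked for?"""
    if requester == res.owner:
        return True
    return requester in SHARES.get((res.owner, res.category), set())


def list_category(requester: str, path: str):
    """Resolve a virtual path for a requester and return its documents."""
    res = parse_virtual_path(path)
    key = (res.owner, res.category)
    # Authorize before touching the data. "Does not exist" and "not yours"
    # get the same answer so the response does not reveal which
    # categories other users have.
    if key not in STORE or not is_authorized(requester, res):
        raise AccessDenied(f"{requester} may not read {path}")
    return list(STORE[key])


if __name__ == "__main__":
    print(list_category("alice", "/home/alice/books"))
    print(list_category("bob", "/home/alice/books"))   # shared read
    try:
        list_category("bob", "/home/alice/notes")       # not shared
    except AccessDenied as exc:
        print("denied:", exc)
```

The authorization decision lives in one small function that every request goes through, which is the opposite of the "super security" layering the reply warns about: the fewer places that decide who may see what, the fewer places a bug can quietly open access.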
