Currently there are many index.html with zero bytes. Fine.
How about having a Forbidd routine with respect to
system directories generating straight from the system
This would therefore:
create gerater security.
allow admins to stop uploads into module directories.
backups would be sensible, like one does not need to
backup module/xcgal/albums/userpics but only uploads, etc.
changing user permissions would be easy to maintain.