Problems with python resolver in theming with PloneHotfix20210518?

Does anyone have problems with their Diazo theme when using PloneHotfix20210518 (any version)?
I myself don't, but today I tried to take over the hotfix change in the plone.app.theming package, and ran into test failures. I thought I had run all non-robot core tests before releasing the hotfix and found no problems, but it seems my testing was not correct.

Here is the PR for merging the fix: Hotfix 20210518 [4.1.x] by mauritsvanrees · Pull Request #197 · plone/plone.app.theming · GitHub
The first commit contains the hotfix code, the second commit fixes the tests.

Where it goes wrong in the tests, and maybe also in practice, is in this way:

  • Go to the Theming Control panel, Advanced settings.
  • In the Rules file, instead of for example /++theme++barceloneta/rules.xml, put a python package path: python://plonetheme.barceloneta/theme/rules.xml, which should be the same.

Your theme is now broken. But this is already the case when you do this without the hotfix. I cannot get a rules file with python path to work. Maybe I need a different absolute prefix, or some changes in the rules themselves. Or it only works for simple rules files that do not point to a theme or resources. Or maybe you should just not use a python package path to point to a rules file, and only use this inside the rules or the theme file.

But the tests (in test_transform.py) do use this. The problem is that this is translated to a path on the file system, for example /Users/maurits/.../barceloneta/theme/rules.xml. Then Diazo reads this file and sees <theme href="index.html" />. So Diazo then tries to resolve the path /Users/maurits/.../barceloneta/theme/index.html.

The first problem, both with and without the hotfix, is that the internal resolver is called, which means Diazo looks for this file in the Plone site. It will try http://localhost:8080/Plone/Users/maurits/.../barceloneta/theme/index.html in a subrequest and give a 404 NotFound. This is ignored and Diazo tries some other resolvers. (Not very efficient, which can be a reason not to point to a rules file using python://, but that is not the point here.)

The problem with the hotfix is that Diazo then looks on the file system, finds the file, and the resolver from the hotfix forbids this for security reasons. It should be fine to allow in this case, but there is no way for the resolver to know that it is okay. Possibly Diazo could be improved here, but it gets tricky.

Anyway, that is the background.
The main question remains: is anyone having problems with theming using the hotfix that go away when you remove the hotfix?
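
Added example, not part of the original post and not code from PloneHotfix20210518, plone.app.theming or Diazo: a standalone trace of the resolution chain described above, showing that the resolved `<theme href="index.html" />` target is a scheme-less absolute path in both configurations. The install directory, all function names and the `inside_package` containment check are assumptions made for illustration; the check is not what the hotfix's resolver does.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed stand-in for where the theme package is installed (assumption).
PACKAGE_DIRS = {"plonetheme.barceloneta": "/srv/eggs/plonetheme/barceloneta"}


def locate_rules(rules_setting):
    """Return the location the rules file is actually read from."""
    parts = urlsplit(rules_setting)
    if parts.scheme == "python":
        # python://package/path is translated to a plain filesystem path.
        base = PACKAGE_DIRS[parts.netloc]
        return posixpath.join(base, parts.path.lstrip("/"))
    return rules_setting  # e.g. /++theme++barceloneta/rules.xml


def resolve_href(rules_location, href):
    """Resolve a relative href from the rules file against its location."""
    return posixpath.normpath(
        posixpath.join(posixpath.dirname(rules_location), href))


def inside_package(path):
    """Hypothetical containment check against known package directories."""
    path = posixpath.normpath(path)  # collapse ../ before comparing
    return any(posixpath.commonpath([path, root]) == root
               for root in PACKAGE_DIRS.values())


def trace(rules_setting, href="index.html"):
    """Describe what a resolver is handed for <theme href=... />."""
    target = resolve_href(locate_rules(rules_setting), href)
    return {
        "target": target,
        # Both results are absolute paths without a scheme, so the string
        # alone does not say "site path" or "filesystem path".
        "has_scheme": bool(urlsplit(target).scheme),
        "inside_package": inside_package(target),
    }


if __name__ == "__main__":
    for setting in ("/++theme++barceloneta/rules.xml",
                    "python://plonetheme.barceloneta/theme/rules.xml"):
        print(setting, "->", trace(setting))
```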