I think that just replacing:
fullpath = os.path.realpath(os.path.join(directory, path))
# -->
fullpath = os.path.abspath(os.path.join(directory, path))
Should fix the problem of external symlinks as it stops resolving the path part of the resource. Then, if it is a symlink it should not be resolved and the security check should not fail.
@glutanimate, can you change the code and see if it works?