Index: file.php
===================================================================
RCS file: /cvsroot/moodle/moodle/file.php,v
retrieving revision 1.46.2.5
diff -u -r1.46.2.5 file.php
--- file.php	9 Apr 2009 09:30:32 -0000	1.46.2.5
+++ file.php	14 Nov 2010 10:09:52 -0000
@@ -88,6 +88,46 @@
         }
     }
 
+    // security: only editing teachers can access AICC/SCORM packages
+    if ((count($args) == 2)
+        and in_array(strtolower(substr(basename($args[1]),strrpos(basename($args[1]),'.'))), array('.pif', '.zip'))
+        and file_exists($pathname)) {
+        $scorm = get_record('scorm', 'reference', basename($args[1]));
+        if ($scorm and !has_capability('moodle/course:manageactivities', get_context_instance(CONTEXT_COURSE, $course->id))) {
+            error('Access not allowed');
+        } else {
+            $lifetime = 0; //disable browser caching for backups 
+        }
+    }
+
+    // security: only editing teachers can access AICC package descriptor files
+    if ((count($args) == 5)
+        and (strtolower($args[1]) == 'moddata')
+        and (strtolower($args[2]) == 'scorm')
+        // AICC - CMI Guidelines for Interoperability, §8.4
+        and in_array(strtolower(substr(basename($args[4]),strrpos(basename($args[4]),'.'))), array('.crs', '.des', '.au', '.cst', '.ort', '.pre', '.cmp'))
+        and file_exists($pathname)) {
+        $crspathname = substr($pathname, 0, -3).'crs';
+        if (file_exists($crspathname) and !has_capability('moodle/course:manageactivities', get_context_instance(CONTEXT_COURSE, $course->id))) {
+            error('Access not allowed');
+        } else {
+            $lifetime = 0; //disable browser caching for backups 
+        }
+    }
+
+    // security: only editing teachers can access SCORM package descriptor file
+    if ((count($args) == 5)
+        and (strtolower($args[1]) == 'moddata')
+        and (strtolower($args[2]) == 'scorm')
+        and (strtolower($args[4]) == 'imsmanifest.xml')
+        and file_exists($pathname)) {
+        if (!has_capability('moodle/course:manageactivities', get_context_instance(CONTEXT_COURSE, $course->id))) {
+            error('Access not allowed');
+        } else {
+            $lifetime = 0; //disable browser caching for backups 
+        }
+    }
+
     if (is_dir($pathname)) {
         if (file_exists($pathname.'/index.html')) {
             $pathname = rtrim($pathname, '/').'/index.html';
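Review bot: The companion path built on the line `$crspathname = substr($pathname, 0, -3).'crs';` assumes a three-character extension, but the list it guards includes `.au`; for `lesson.au` the result is `lesscrs`, so `file_exists($crspathname)` is false and the `has_capability` check is skipped, which leaves the AICC `.au` descriptor readable without the manage-activities capability. Derive the path from the last dot instead, `$crspathname = substr($pathname, 0, strrpos($pathname, '.')).'.crs';`, which also mirrors how the extension is extracted on the `in_array` line above it. In the first block, `get_record('scorm', 'reference', basename($args[1]))` compares the bare filename without the `strtolower` applied to the extension test, so a package whose stored `reference` differs in case or carries a directory prefix may not be matched and would fall through to the unguarded path; whether that can happen depends on how `reference` is stored and is worth confirming. The enclosing script starts and ends outside the hunk.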

