From 6e5b0b5c205c4404643692207898154a0d056c4a Mon Sep 17 00:00:00 2001
From: =?utf8?q?V=C3=ADctor=20D=C3=A9niz=20Falc=C3=B3n?= <victor@moodle.com>
Date: Wed, 1 Jul 2020 09:37:46 +0100
Subject: [PATCH] MDL-69093 enrol_manual: added check for allowed roles a user
 can assign

---
 enrol/manual/ajax.php | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/enrol/manual/ajax.php b/enrol/manual/ajax.php
index 29cb40e1053..22ccef20ebb 100644
--- a/enrol/manual/ajax.php
+++ b/enrol/manual/ajax.php
@@ -100,6 +100,13 @@ switch ($action) {
 
         if (empty($roleid)) {
             $roleid = null;
+        } else {
+            if (!has_capability('moodle/role:assign', $context)) {
+                throw new enrol_ajax_exception('assignnotpermitted');
+            }
+            if (!array_key_exists($roleid, get_assignable_roles($context, ROLENAME_ALIAS, false))) {
+                throw new enrol_ajax_exception('invalidrole');
+            }
         }
 
         if (empty($startdate)) {
-- 
2.17.1