From 48a90a215ba3f6f6d57ef5dbb172da9d3efa2288 Mon Sep 17 00:00:00 2001
From: Juan Leyva
Date: Tue, 22 Sep 2015 15:29:49 +0200
Subject: [PATCH] MDL-51415 webservice: Check course access using can_access_course() This function check both user enrolled and course:view capabilities
---
 group/externallib.php | 5 +++--
 notes/externallib.php | 2 +-
 user/externallib.php | 2 +-
 3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/group/externallib.php b/group/externallib.php
index 9c44f0a2e56..6034fc744eb 100644
--- a/group/externallib.php
+++ b/group/externallib.php
@@ -1363,13 +1363,14 @@ class core_group_external extends external_api {
 }
 // Validate if the user is enrolled in the course.
- if (!is_enrolled($coursecontext, $user->id)) {
+ $course = get_course($cm->course);
+ if (!can_access_course($course, $user, '', true)) {
 // We return a warning because the function does not fail for not enrolled users.
 $warning = array();
 $warning['item'] = 'course';
 $warning['itemid'] = $cm->course;
 $warning['warningcode'] = '1';
- $warning['message'] = "User $user->id is not enrolled in course $cm->course";
+ $warning['message'] = "User $user->id cannot access course $cm->course";
 $warnings[] = $warning;
 }
 }
diff --git a/notes/externallib.php b/notes/externallib.php
index fab1f22f20b..8f23cae410f 100644
--- a/notes/externallib.php
+++ b/notes/externallib.php
@@ -690,7 +690,7 @@ class core_notes_external extends external_api {
 throw new moodle_exception('invaliduserid');
 }
- if ($course->id != SITEID and !is_enrolled($context, $user, '', true)) {
+ if ($course->id != SITEID and !can_access_course($course, $user, '', true)) {
 throw new moodle_exception('notenrolledprofile');
 }
 }
diff --git a/user/externallib.php b/user/externallib.php
index cb617b47189..972ee2b9452 100644
--- a/user/externallib.php
+++ b/user/externallib.php
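Review bot: In group/externallib.php the comments around the new condition still describe an enrolment test (`// Validate if the user is enrolled in the course.` and "does not fail for not enrolled users"), but the condition is now `can_access_course($course, $user, '', true)`, which per the commit message also accepts the course:view capability. The call also passes `true` as the fourth argument, where the removed `is_enrolled($coursecontext, $user->id)` call passed nothing. If that flag restricts the check to active enrolments, as it does for is_enrolled(), users with a suspended enrolment now get the warning too, and the commit description does not mention that tightening. I would reword the first comment to something like `// Warn if the user cannot access the course (active enrolment or course:view).` and record the behaviour change in the description. The branch only appends to `$warnings`; whether group data is still returned for such a user is decided outside this hunk, as is the rest of the method.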
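Review bot: In notes/externallib.php the exception thrown after the new check is still `notenrolledprofile`, although `can_access_course()` may now reject a user for reasons other than a missing enrolment. The user/externallib.php hunk has the same mismatch, while the group hunk did update its message to "cannot access course". If the error code has to stay stable for web service clients, a comment above the throw would be enough, e.g. `// Error code kept as-is; the check now covers any failure to access the course.` The old call worked from `$context` and the new one from `$course`, so it is worth checking that `$context` is still used elsewhere in the function, which continues outside the hunk.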
@@ -1394,7 +1394,7 @@ class core_user_external extends external_api {
 profile_view($user, $usercontext);
 } else {
 // Case like user/view.php.
- if (!$currentuser and !is_enrolled($coursecontext, $user->id)) {
+ if (!$currentuser and !can_access_course($course, $user, '', true)) {
 throw new moodle_exception('notenrolledprofile');
 }
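Review bot: `$course` is not assigned in any visible line of this user/externallib.php hunk, and the removed call worked from `$coursecontext` and `$user->id` instead. Since `can_access_course()` is given the course record rather than a context, please confirm that this `else` branch is only reached with `$course` loaded; the group/externallib.php hunk had to add `$course = get_course($cm->course);` for the same call. The comment `// Case like user/view.php.` could also state what is enforced, e.g. `// Case like user/view.php: the viewed user must be able to access the course.` The enclosing function begins and ends outside the hunk.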