diff --git a/enrol/cohort/addinstance.php b/enrol/cohort/addinstance.php
index d35e098a8ed..bafb7167016 100644
--- a/enrol/cohort/addinstance.php
+++ b/enrol/cohort/addinstance.php
@@ -35,6 +35,7 @@ $context = get_context_instance(CONTEXT_COURSE, $course->id, MUST_EXIST);
 
 require_login($course);
 require_capability('moodle/course:enrolconfig', $context);
+require_capability('enrol/cohort:config', $context);
 
 $PAGE->set_url('/enrol/cohort/addinstance.php', array('id'=>$course->id));
 $PAGE->set_pagelayout('admin');
diff --git a/enrol/cohort/ajax.php b/enrol/cohort/ajax.php
index 83888a8b7b1..ccb84129ff5 100644
--- a/enrol/cohort/ajax.php
+++ b/enrol/cohort/ajax.php
@@ -74,6 +74,7 @@ switch ($action) {
         break;
     case 'enrolcohort':
         require_capability('moodle/course:enrolconfig', $context);
+        require_capability('enrol/cohort:config', $context);
         $roleid = required_param('roleid', PARAM_INT);
         $cohortid = required_param('cohortid', PARAM_INT);
         
@@ -87,10 +88,16 @@ switch ($action) {
         enrol_cohort_sync($manager->get_course()->id);
         break;
     case 'enrolcohortusers':
-        require_capability('moodle/course:enrolconfig', $context);
+        require_capability('enrol/manual:enrol', $context);
         $roleid = required_param('roleid', PARAM_INT);
         $cohortid = required_param('cohortid', PARAM_INT);
         $result = enrol_cohort_enrol_all_users($manager, $cohortid, $roleid);
+
+        $roles = $manager->get_assignable_roles();
+        $cohorts = enrol_cohort_get_cohorts($manager);
+        if (!array_key_exists($cohortid, $cohorts) || !array_key_exists($roleid, $roles)) {
+            throw new enrol_ajax_exception('errorenrolcohort');
+        }
         if ($result === false) {
             throw new enrol_ajax_exception('errorenrolcohortusers');
         }
diff --git a/enrol/cohort/lib.php b/enrol/cohort/lib.php
index aa0c3203fce..d8cd4e1cb1d 100644
--- a/enrol/cohort/lib.php
+++ b/enrol/cohort/lib.php
@@ -163,7 +163,7 @@ class enrol_cohort_plugin extends enrol_plugin {
         $button->strings_for_js('users', 'moodle');
 
         // No point showing this at all if the user cant manually enrol users
-        $hasmanualinstance = has_capability('enrol/manual:manage', $manager->get_context()) && $manager->has_instance('manual');
+        $hasmanualinstance = has_capability('enrol/manual:enrol', $manager->get_context()) && $manager->has_instance('manual');
 
         $modules = array('moodle-enrol_cohort-quickenrolment', 'moodle-enrol_cohort-quickenrolment-skin');
         $function = 'M.enrol_cohort.quickenrolment.init';