Assign Roles on Enrolment

Re: Assign Roles on Enrolment

by Darko Miletić -

That code is quite insecure. You cannot just read variables directly from POST or GET; Moodle's parameter helpers clean each value to a declared type first. This would be a somewhat better version:

// optional_param_array() cleans every element to PARAM_INT and falls back to []
// when the parameter is missing, so both variables are always arrays of ints.
// It reads the value from POST or GET, and cleaning the type is not authorisation:
// the script still has to call require_login(), require_sesskey() and a
// require_capability() check on each course before acting on these ids.
$users = optional_param_array('userid', [], PARAM_INT);
$courses = optional_param_array('course_id', [], PARAM_INT);

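/**
 * Return the enabled enrol instance of the given plugin in a course, creating one if there is none.
 *
 * Note that this may write to the database (a new row in 'enrol'), so it should only be
 * reached from a request that has already passed the caller's permission and sesskey checks.
 *
 * @param \enrol_plugin $enrol plugin whose instance is wanted
 * @param stdClass $course course record; ->id is read here and the record is handed to the plugin
 * @return stdClass|null the 'enrol' table row, or null if no instance exists and none could be created
 */
function get_enrol_instance(\enrol_plugin $enrol, $course) {
    global $DB;

    $ename = $enrol->get_name();

    // Second argument true: only enabled instances are considered.
    foreach (enrol_get_instances($course->id, true) as $instance) {
        if ($instance->enrol === $ename) {
            return $instance;
        }
    }

    // Nothing suitable yet: try the plugin's default instance first, then a plain one.
    $instanceid = $enrol->add_default_instance($course);
    if ($instanceid === null) {
        $instanceid = $enrol->add_instance($course);
    }
    if (empty($instanceid)) {
        return null;
    }

    // get_record() yields false when the row is missing; normalise that to null so a
    // caller testing "!== null" never receives false in place of an instance.
    $record = $DB->get_record('enrol', array('id' => $instanceid));
    return $record ? $record : null;
}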

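/**
 * Enrol the given users into the given courses through one enrol plugin.
 *
 * Users not yet enrolled in a course are enrolled with $roleid; users who are already
 * enrolled only get update_user_enrol() called on this plugin's instance (status active,
 * new start/end times) and are not given the role here.
 *
 * SECURITY: no access control happens in this function. It checks that $roleid exists,
 * not that the current user is allowed to assign it, and it does not check that the
 * current user may enrol others in these courses. The calling script must do that
 * (require_login(), require_sesskey(), and a require_capability() check per course
 * context) before passing request-supplied ids in.
 *
 * @param int[] $courseids ids of the target courses
 * @param int[] $userids ids of the users to enrol; deleted and unknown ids are skipped
 * @param int $roleid role to give on a new enrolment
 * @param string $enrolmethod enrol plugin name
 * @param int $timestart enrolment start timestamp, 0 for none
 * @param int $timeend enrolment end timestamp, 0 for none
 * @return bool true if at least one course had a usable enrol instance, false otherwise
 */
function check_enrol(array $courseids, array $userids, $roleid, $enrolmethod = 'manual', $timestart = 0, $timeend = 0) {
    global $DB;

    // A request without ids yields empty arrays, and get_in_or_equal() throws on an
    // empty list, so there is nothing to do and nothing to query.
    if (empty($courseids) || empty($userids)) {
        return false;
    }
    if (!$DB->record_exists('role', ['id' => $roleid])) {
        return false;
    }
    $enrol = enrol_get_plugin($enrolmethod);
    if ($enrol === null) {
        return false;
    }

    // Keep only ids that belong to existing, non-deleted users; ids are bound as
    // named parameters, never concatenated into the SQL.
    list($insql, $params) = $DB->get_in_or_equal($userids, SQL_PARAMS_NAMED);
    $params['deleted'] = 0;
    $validuids = array_keys(
        $DB->get_records_select_menu('user', 'deleted = :deleted AND id ' . $insql, $params, '', 'id')
    );

    $result = false;
    foreach ($courseids as $courseid) {
        // NOTE(review): get_course() and context_course::instance() throw for an unknown
        // course id, which stops the loop after earlier courses were already processed.
        $course = get_course($courseid);
        $context = context_course::instance($courseid);

        $enrollinstance = get_enrol_instance($enrol, $course);
        // Accept only a real record: a failed lookup may surface as null or false.
        if (!is_object($enrollinstance)) {
            continue;
        }

        foreach ($validuids as $userid) {
            if (is_enrolled($context, $userid)) {
                $enrol->update_user_enrol($enrollinstance, $userid, ENROL_USER_ACTIVE, $timestart, $timeend);
            } else {
                $enrol->enrol_user($enrollinstance, $userid, $roleid, $timestart, $timeend);
            }
        }
        $result = true;
    }

    return $result;
}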



