Somehow a user, or perhaps the app independent of the user, managed to remove their role in a course form the mobile app.
Here is the situation: Running Moodle 3.1.7+, the user is a student in a course. The student somehow had their role removed, resulting in removing the grades as well. I was able to restore the grades, so no real problem here, but when I checked into the logs to see who had removed this user's role, I found that the origin was "ws" (web services, or the mobile app) and the IP address was the student's mobile IP address, identifiable as a mobile carrier's IP address and the same address from which normal activity on the user's account originates, so pretty good indicator this is the user's device. Here's a sanitized log entry for the event:
My question is: if a student in a course is not allowed to remove their own role through the web browser, how did this role unassignment happen from the mobile app? Any insight is appreciated; I have disabled web services for my Moodle until I get a handle on this issue.
Thanks in advance!