In our school, teachers must be able to look into all courses within their department, including subcategories. For example, if someone teaches French, he/she can look into every course within his/her level of French. This way we want to encourage teachers to share material and ideas. We created a role for this based on the non-editing teacher, and use category enrolment on categories to apply these roles. Keeping these category enrolments up-to-date is a feasable task. So far everything works perfectly.
There are however a few exceptional courses that contain sensitive information, that are within the same structure of categories. We would like to override the role inherited by course category and block access to these courses for most teachers. The solution seems simple: disable category enrolment for these courses.
After doing so, testuser Nick Mason 's category enrolment changed to 'not current'. Seems correct. There is no other type enrolment for this user to this course or any related category.
However, user Nick can still open this course. I allowed a lot of time to pass to make sure the category enrolment sync was up to date but still he had access.
Is my understanding of these enrolments correct and is this a bug, or am I expecting the wrong thing to happen? We could always move these sensitive courses to a separate category, but we prefer the above to work.
Tested on Moodle 3.6.2 and 3.9
Further: I know category enrolments are not encouraged, and that cohort sync is the proposed alternative. But for the enormous amount of courses we have, enrolling a cohort to each new course is not an option. I still dream of a cohort-category sync altough I know that's never going to happen.