Thanks for your reply, Dave. I really appreciate your feedback. As you suggested, the bit of code I was using is from admin/user.php. My main concern was to avoid any risk that may arise from writing my own script. But the more I researched, the more I realized that, as you said, changing user permission is not a simple matter and could be very dangerous.
So, I ended up writing my own script in the plugin that just does the suspend outside of changing any permissions. As a security precaution, it does verify login and sesskey before performing the suspend on the currently logged-in user.
The only thing that I did differently from your recommendation is that the question and answer script is separate from the suspend script. So, the modal does an AJAX call to the question and answer script; then, if the user fails to answer the question, the page is redirected to the suspend script (the only parameter passed, via GET, is the SESSKEY) where the logged-in user is suspended, logged out and redirected to the login URL.
If there is any other validation you recommend should be done in addition to the require_login() and confirm_sesskey(), I would be grateful for your feedback so that the custom script can be as secure as possible. Lastly, this is my first Moodle plugin and I am installing it in the local directory. It occurred to me that the availability directory may be appropriate as well. Thoughts? Thank you again.
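A sketch of the suspend script described in the post above, added here as an example and not the poster's actual code. The plugin name `local_suspendme` and its path are hypothetical, and the session-kill call uses the name found in the Moodle releases assumed here.

```php
<?php
// local/suspendme/suspend.php (hypothetical plugin name and path, assumed for this example).
require(__DIR__ . '/../../config.php');
require_once($CFG->dirroot . '/user/lib.php');

$PAGE->set_url(new moodle_url('/local/suspendme/suspend.php'));
$PAGE->set_context(context_system::instance());

// 1. Must be a real authenticated session; do not auto-login as guest.
require_login(null, false);

// 2. CSRF check: throws unless the 'sesskey' request parameter matches the session.
require_sesskey();

// 3. Refuse accounts this action should never touch: the guest account,
//    site administrators, and sessions where someone is "logged in as" another user.
if (isguestuser() || is_siteadmin() || \core\session\manager::is_loggedinas()) {
    throw new moodle_exception('nopermissions', 'error', '', 'suspend own account');
}

// 4. The target is always the session user. No user id is read from the request,
//    so the script cannot be pointed at anyone else's account.
$user = $DB->get_record('user', ['id' => $USER->id, 'deleted' => 0], '*', MUST_EXIST);

if (!$user->suspended) {
    $user->suspended = 1;
    // End every session the account holds, not only this browser's.
    // Assumption: kill_user_sessions() is the method name in the target Moodle
    // version; check the session manager class of the release you deploy on.
    \core\session\manager::kill_user_sessions($user->id);
    // Update through the user API (second argument false = leave the password alone).
    user_update_user($user, false);
}

// 5. Log this session out and send the browser to the login page.
require_logout();
redirect(get_login_url());
```

Because `require_sesskey()` reads the key from either POST or GET, the modal can submit it in a POST body instead of the redirect URL, which keeps the key out of the web server's access log.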