Mobile app enrols users on all enrol_auto-enabled courses without user entering them

[tonyjbutler]

Testing with Moodle 3.5.1 and the latest release of the official Moodle mobile app (version code 3510 on Android 8.1.0), if a user goes to 'Site home' -> 'Available courses', the user is automatically enrolled on all courses that have an enabled instance of the enrol_auto method. I've only had chance to debug this so far and it may well be caused by a bug in Moodle core and/or the mobile app, but it seemed sensible to report it here as you have the greatest interest in getting it fixed.

It seems that the 'Site home' -> 'Available courses' page calls core_course_get_courses_by_field() (get_courses_by_field() in course/externallib.php) with no params, which fetches all courses from the database and then iterates through them doing various checks. One of these checks is \external_api::validate_context, which seems to be the source of the trouble (presumably because it calls require_login() for the course). This enrols the user on the course and even logs an access in the course log.