Moodle is vulnerable to access restriction bypasses. Authenticated users are able to bypass restrictions by selecting an activity that is configured for a group of other users. They are able to do this because lib/modinfolib.php
does not check for a group-membership requirement when deciding what activities are unavailable or hidden.