1/ enrollment with one "L" only :-D
2/ case 'enrol': you can not enrol using any plugin, the plugin must explicitly allow it and you must check separate permission
3/ I do not like the error handling in ajax - why not just detect the exception type? it would eliminate try/catch or if ($success) - this may need more tweaking with exception types, but in the long term it would be much much easier to write the ajax scripts imo
4/ case 'assign': no cap test for role assign, no test if role assign even allowed in this context
5/ why $action = optional_param('action', '', PARAM_ACTION); - it is required, right?
6/ I think that the current use of static vars in methods breaks badly if you use multiple instances for different course sat the same time
There seems to be some misunderstanding with define('AJAX_SCRIPT', true); - it set's up a different exception handler which encoded the exceptions using json, it also forces exceptions instead of redirects in code like require_login(), redirect(), etc. Ideally all moodle ajax should use the same structure of ajax responses encoded with json.
going to try the ui now...