In the core auth plugins, "oauth2" and "mnet", the privacy provider function "delete_data_for_user" may exit the function without actually doing what they need to do.

The code loops through the provided contextlist and exits the function if it encounters a context that is not CONTEXT_USER:

foreach ($contextlist->get_contexts() as $context) {

 if ($context->contextlevel != CONTEXT_USER) {

 return;

 }

 // Because we only use user contexts the instance ID is the user ID.

 $DB->delete_records('mnet_log', ['userid' => $context->instanceid]);

}

If the contextlist has multiple contexts that include a CONTEXT_USER, but encounters a non CONTEXT_USER before them, it will exit without processing the CONTEXT_USER. Shouldn't it be written as:

foreach ($contextlist->get_contexts() as $context) {

 if ($context->contextlevel != CONTEXT_USER) {

 continue;

 }

 // Because we only use user contexts the instance ID is the user ID.

 $DB->delete_records('mnet_log', ['userid' => $context->instanceid]);

}

I have replaced "return" with "continue".