Maybe there should be some way to mark a certain view as being restricted? I.e. when a CU or an ACC looks at the ip info as part of being a CU or ACC, that log should only be visible to CU/stewards/Ombuds (and maybe??? also oversighters) but any other time they look at ip info it should be normal and auditable by admins

@mmartorana I disagree with the prioritisation. This has potential to leak NDA-only information to untrusted parties. In my opinion, that's High priority at least.

Unless someone else comes with a better solution, I plan to deploy the following as soon as possible (ie. on Monday morning):

urbanecm@notebook  ~/unsynced/gerrit/operations/mediawiki-config
$ git diff
diff --git a/wmf-config/CommonSettings.php b/wmf-config/CommonSettings.php
index d2e0c2823..2a51db051 100644
--- a/wmf-config/CommonSettings.php
+++ b/wmf-config/CommonSettings.php
@@ -3994,9 +3994,6 @@ if ( $wmgUseIPInfo ) {
        $wgGroupPermissions['autoconfirmed']['ipinfo'] = true;
        $wgGroupPermissions['autoconfirmed']['ipinfo-view-basic'] = true;

-       $wgGroupPermissions['sysop']['ipinfo-view-full'] = true;
-       $wgGroupPermissions['sysop']['ipinfo-view-log'] = true;
-
        $wgGroupPermissions['checkuser']['ipinfo-view-full'] = true;
        $wgGroupPermissions['checkuser']['ipinfo-view-log'] = true;
 }
urbanecm@notebook  ~/unsynced/gerrit/operations/mediawiki-config
$

Only ipinfo-view-log needs to be removed – sysops are intended to have ipinfo-view-full.

In T309411#7980997, @JJMC89 wrote:

Only ipinfo-view-log needs to be removed – sysops are intended to have ipinfo-view-full.

Thanks for catching that. My brain read that as "view-full-log" for some reason. Updated patch:

urbanecm@notebook  ~/unsynced/gerrit/operations/mediawiki-config
$ git diff
diff --git a/wmf-config/CommonSettings.php b/wmf-config/CommonSettings.php
index d2e0c2823..36fc9c3fc 100644
--- a/wmf-config/CommonSettings.php
+++ b/wmf-config/CommonSettings.php
@@ -3995,7 +3995,6 @@ if ( $wmgUseIPInfo ) {
        $wgGroupPermissions['autoconfirmed']['ipinfo-view-basic'] = true;

        $wgGroupPermissions['sysop']['ipinfo-view-full'] = true;
-       $wgGroupPermissions['sysop']['ipinfo-view-log'] = true;

        $wgGroupPermissions['checkuser']['ipinfo-view-full'] = true;
        $wgGroupPermissions['checkuser']['ipinfo-view-log'] = true;
urbanecm@notebook  ~/unsynced/gerrit/operations/mediawiki-config
$

I was midway through collating things for T309928: Remove `ipinfo-view-log` from sysops as a centralisation task — entirely support @Urbanecm's proposal to remove access pending Legal's response (T307164#7963866)

n.b. consideration given to the fact that T309928 is public — I don't believe it reveals anything sensitive.
I also don't believe the above patch needs to be done outside of Gerrit (if that was your thinking @Urbanecm?)

+1 to removing ipinfo-view-log from sysop no later than Monday morning. I don't think this quite justifies an emergency Sunday change, but I also don't think we need to wait for Legal here.

In T309411#7981021, @TheresNoTime wrote:

[...]
I also don't believe the above patch needs to be done outside of Gerrit (if that was your thinking @Urbanecm?)

It's actually not possible for config patches to not go into Gerrit :). I merely meant to give a heads-up "I am going to do this Monday morning" here, and I used the patch to indicate what I'm going to do exactly. Sorry if it confused you!

Thanks for the deploy, @Urbanecm!

gerritbot: https://gerrit.wikimedia.org/r/c/operations/mediawiki-config/+/803236