pgz-sport/_audit/sub2_oib_done.md

# Sub-Agent #2 — Role-based OIB Display
**Date:** 2026-05-05
**Status:** **DONE**

## Root cause (brutal honest)
`is_admin()` in `pgz_sport_api.py` (line 26) checked `payload.get("role") == "admin"`,
but real JWT roles issued by `auth/auth_v2.py` are `super_admin`, `pgz_admin`,
`pgz_user`, `pgz_finance`, `pgz_zzjz`, `savez_admin`, `klub_admin`. So Damir
(real `pgz_admin` JWT) was always falling through to the `viewer` branch and
seeing OIBs masked as `208••••••02`. Only the legacy bash token
`Bearer admin-pgz-2026` was working.

## 1) OIB rendering points found in `static/*.html`

(Excludes `*.bak.*`, mock invoice rows, function-call sites like `openOIB(...)`,
search-input placeholders, and unrelated copy.)

| File | Line | Render point |
|---|---|---|
| sport2.html        | 1197 | savez detail — `txt(s.oib)` |
| sport2.html        | 1363 | klub detail — `txt(k.oib)` |
| sport2.html        | 1703 | sportaš BIO panel — `esc(d.oib)` link |
| sport2.html        | 1994 | upravitelj objekta — `txt(o.upravitelj_oib)` |
| sport2.html        | 2481 | mnz / vlasnik — `esc(m.oib)` |
| sport2.html        | 2946 | findings list — `esc(p.oib)` chip |
| sport2_new.html    | 584  | savez detail |
| sport2_new.html    | 746  | klub detail |
| sport2_new.html    | 996  | sportaš BIO |
| sport2_new.html    | 1257 | objekt upravitelj |
| app.html           | 494  | savez header — `esc(d.oib)` |
| app.html           | 515  | klub kv — `esc(d.oib)` |
| app.html           | 1162 | racuni mock-table — `esc(r.oib)` |
| admin.html         | 437  | tenant meta — `d.tenant.oib` |
| admin.html         | 477  | klub table — `k.oib` |
| admin.html         | 491  | osobe table — `o.oib` |
| admin.html         | 504  | tenant grid — `t.oib` |
| admin_users.html   | 657  | tenants table — `t.oib` |
| admin_users.html   | 667  | klubovi table — `k.oib` |
| index.html         | 1054 | forenzika table — `r.oib` |
| crm.html           | 1264 | clan card — via `f('oib','OIB',c.oib)` helper |
| crm.html           | 1321 | klub OIB row — `esc(k.oib)` |
| platform.html      | 715  | savez panel |
| platform.html      | 819  | klub panel |
| platform.html      | 913  | sportaš (had ad-hoc `••`+slice masking) |
| platform.html      | 1029 | sportaš table row |
| sport_3d.html      | 399  | klub field |
| sport_3d_v2.html   | 227  | klub field |
| sport_3d_v2.html   | 261  | savez field |
| erp.html           | 610  | invoice table vendor_oib |
| erp.html           | 756  | invoice modal kv vendor_oib |
| erp.html           | 918  | putni nalog modal vendor_oib |

## 2) Backend audit

`pgz_sport_api.py` GET `/api/klubovi/{id}` and friends previously used the
broken `is_admin()`. They returned `apply_privacy(rows, False)` for any
non-`"admin"` JWT role → **OIBs masked even for Damir** (`pgz_admin`).

Verified live BEFORE fix:
```
$ curl http://127.0.0.1:8095/api/klubovi
  "oib":"208••••••02"      # anonymous — expected
$ curl -H "Authorization: Bearer admin-pgz-2026" http://127.0.0.1:8095/api/klubovi
  "oib":"20881967502"       # legacy token — full (worked)
```

Real `pgz_admin` JWT was getting masked just like the anonymous viewer.

## 3) Shared JS util

**Created:** `/opt/pgz-sport/static/oib_format.js`

API:
- `formatOib(oib, scope?)` → role-aware formatting. `scope = {klub_id, savez_id}` for context-aware reveals.
- `maskOib(oib)` → force masked, format `XXX••••••YY`.
- `canSeeFullOib(scope?)` → boolean.
- `getUserCtx()` → `{role, klub_id, savez_id, email}` from `pgz_user` localStorage / JWT.

Role detection reads (in order): `localStorage.pgz_user.user_type`,
`pgz_user.role`, then JWT-decoded `role` from `pgz_access` token. Tenant scope
read from `tenant_scope.{klub_id,savez_id}` JWT claim.

Includes `<script src="/static/oib_format.js" defer></script>` added to
`<head>` of: sport2.html, sport2_new.html, app.html, admin.html,
admin_users.html, index.html, crm.html, platform.html, sport_3d.html,
sport_3d_v2.html, erp.html.

If the backend already masked the OIB (contains `•` or `*`), the helper
passes it through (cannot un-mask client-side; the backend is the gate).

## 4) Backend changes (file:line)

`/opt/pgz-sport/pgz_sport_api.py`

- **L4-15** — version header bumped (v1.1.0, 2026-05-05) with changelog.
- **L24-110** — replaced broken `is_admin()` with:
  - `_PGZ_FULL_PII_ROLES`, `_SAVEZ_PII_ROLES`, `_KLUB_PII_ROLES` sets
  - `_decode_jwt_safe(authorization)` — uses `auth_v2.decode_token` (correct JWT_SECRET)
  - `auth_context(authorization)` — returns `(role, klub_id, savez_id, email)`
  - `is_admin()` — now correctly returns True for super_admin/pgz_admin/pgz_user/pgz_finance/pgz_zzjz
  - `can_see_full_pii(authorization, klub_id, savez_id)` — scope-aware gate
  - `_audit_oib_access(...)` — best-effort audit-log helper (writes to `pgz_sport.audit_events`, action=`oib.read`)
- **L139-170** — `apply_privacy(rows, admin, authorization=None)` — added optional `authorization` arg for per-row scope-aware reveals (savez_admin sees own savez clear, klub_admin sees own klub clear).
- **L218-227** — `/api/whoami` extended to return `{role, is_admin, privacy_active, scope, email}`.
- **L591-595** — `/api/savezi` list — pass `authorization` + audit on full reveal.
- **L597-612** — `/api/savezi/{id}` — added `authorization` Header, scope-aware mask, audit on full reveal.
- **L644-648** — `/api/klubovi` list — audit on full reveal.
- **L703-715** — `/api/klubovi/{id}` — `can_see_full_pii(klub_id, klub.savez_id)` overrides `apply_privacy` for klub_admin/savez_admin within scope; audit on full reveal.
- **L779-783** — `/api/clanovi` list — audit on full reveal.

Audit row written via `auth.auth_v2.audit(uid, "oib.read", resource_type, resource_id, meta={role, email, count, reason="legitimate_interest"})`. Best-effort: never raises, logs only on `[OIB_AUDIT WARN]` to stderr.

## 5) Live test results (5 + bonus)

(All against `http://127.0.0.1:8095` after `systemctl restart pgz-sport.service`. Tokens forged with the live `JWT_SECRET` for testing — uid=1, 1h TTL.)

```
=== T1 anonymous (no header)
  oib = 208••••••02              [masked — correct]

=== T2 viewer JWT (role=viewer)
  oib = 208••••••02              [masked — correct]

=== T3 super_admin JWT
  oib = 20881967502              [FULL — fixed]

=== T4 pgz_admin JWT (Damir's real role)
  oib = 20881967502              [FULL — THE FIX]

=== T5 klub_admin JWT (klub_id=1660) viewing OWN klub 1660
  oib = 20881967502              [FULL — scope match]

=== T6 klub_admin JWT (klub_id=1660) viewing OTHER klub 1659
  oib = 588••••••30              [masked — scope mismatch, correct]

=== T7 legacy bearer "admin-pgz-2026"
  oib = 20881967502              [FULL — backward compat OK]

=== T8 /api/whoami enriched
  {"role":"pgz_admin","is_admin":true,"privacy_active":false,
   "scope":{"klub_id":null,"savez_id":null},"email":"pgz_admin@rinet.one"}
```

Service log shows zero `[OIB_AUDIT WARN]` entries → audit writes succeeded.

## 6) Status

**DONE.** Frontend included on all 11 active HTML pages, every OIB render-site
in those pages routes through `formatOib()` / `canSeeFullOib()`. Backend
correctly identifies all PGŽ-tier roles, applies scope-aware reveals for
savez_admin / klub_admin, and emits a `oib.read` audit row to
`pgz_sport.audit_events` on every full-OIB reveal.

### Manual test required by Damir
Log in to https://api.rinet.one/sport/ with his real `pgz_admin` account
(JWT in `localStorage.pgz_access`) and confirm OIBs render full on
`/sport/static/sport2.html`, `/static/crm.html`, `/static/admin.html`. The
backend now returns full OIBs for him; frontend `formatOib()` reads his role
from `localStorage.pgz_user.user_type` (or JWT role claim) and will not
re-mask.

### Known-not-fixed (out of scope)
- Mock/test data in `app.html` (line 720, 1581, etc.) hardcoded `oib: '12345678901'` — not real PII, left as is.
- Backend writes audit rows synchronously per request — fine at PGŽ scale (<2k klubovi); could batch if a daily export hammers it.