diff --git a/svc/middlewares/authz_v2.go b/svc/middlewares/authz_v2.go
index 57cbb3c..2dff368 100644
--- a/svc/middlewares/authz_v2.go
+++ b/svc/middlewares/authz_v2.go
@@ -897,6 +897,14 @@ func AuthzGuardByRoute(pg *sql.DB) func(http.Handler) http.Handler {
 				return
 			}
 
+			// Self permission endpoints are required right after login
+			// to hydrate UI permission state for the authenticated user.
+			switch pathTemplate {
+			case "/api/permissions/routes", "/api/permissions/effective":
+				next.ServeHTTP(w, r)
+				return
+			}
+
 			// =====================================================
 			// 3️⃣ ROUTE LOOKUP (path + method)
 			// =====================================================
diff --git a/svc/routes/order_pdf.go b/svc/routes/order_pdf.go
index c6429b4..385c432 100644
--- a/svc/routes/order_pdf.go
+++ b/svc/routes/order_pdf.go
@@ -446,7 +446,7 @@ func getOrderHeaderFromDB(db *sql.DB, orderID string) (*OrderHeader, error) {
             ISNULL((
                 SELECT TOP (1) ca.AttributeDescription
                 FROM BAGGI_V3.dbo.cdCurrAccAttributeDesc AS ca WITH (NOLOCK)
-                WHERE ca.CurrAccTypeCode   = 3
+                WHERE ca.CurrAccTypeCode   IN (1,3)
                   AND ca.AttributeTypeCode = 2      -- 🟡 Müşteri Temsilcisi
                   AND ca.AttributeCode     = f.CustomerAtt02
                   AND ca.LangCode         = 'TR'