From eff80a3211a75baee04eb068ad19fdf7eed4cafa Mon Sep 17 00:00:00 2001
From: M_Kececi <you@example.com>
Date: Tue, 17 Feb 2026 15:00:24 +0300
Subject: [PATCH] Merge remote-tracking branch 'origin/master'

---
 svc/middlewares/authz_v2.go | 8 ++++++++
 svc/routes/order_pdf.go     | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/svc/middlewares/authz_v2.go b/svc/middlewares/authz_v2.go
index 57cbb3c..2dff368 100644
--- a/svc/middlewares/authz_v2.go
+++ b/svc/middlewares/authz_v2.go
@@ -897,6 +897,14 @@ func AuthzGuardByRoute(pg *sql.DB) func(http.Handler) http.Handler {
 				return
 			}
 
+			// Self permission endpoints are required right after login
+			// to hydrate UI permission state for the authenticated user.
+			switch pathTemplate {
+			case "/api/permissions/routes", "/api/permissions/effective":
+				next.ServeHTTP(w, r)
+				return
+			}
+
 			// =====================================================
 			// 3️⃣ ROUTE LOOKUP (path + method)
 			// =====================================================
diff --git a/svc/routes/order_pdf.go b/svc/routes/order_pdf.go
index c6429b4..385c432 100644
--- a/svc/routes/order_pdf.go
+++ b/svc/routes/order_pdf.go
@@ -446,7 +446,7 @@ func getOrderHeaderFromDB(db *sql.DB, orderID string) (*OrderHeader, error) {
             ISNULL((
                 SELECT TOP (1) ca.AttributeDescription
                 FROM BAGGI_V3.dbo.cdCurrAccAttributeDesc AS ca WITH (NOLOCK)
-                WHERE ca.CurrAccTypeCode   = 3
+                WHERE ca.CurrAccTypeCode   IN (1,3)
                   AND ca.AttributeTypeCode = 2      -- 🟡 Müşteri Temsilcisi
                   AND ca.AttributeCode     = f.CustomerAtt02
                   AND ca.LangCode         = 'TR'