diff --git a/app/controllers/auth.controller.js b/app/controllers/auth.controller.js
index df6ffe5..7f7135d 100644
--- a/app/controllers/auth.controller.js
+++ b/app/controllers/auth.controller.js
@@ -6,6 +6,83 @@
 var jwt = require("jsonwebtoken");
 var bcrypt = require("bcryptjs");
 const { splitSite } = require("../middlewares");
+const ALL_PERMISSIONS = [
+ 'Dashboard',
+ 'Admin View',
+ 'View_Info Screen',
+ 'Edit_Info Screen',
+ 'View_Customer Info _Personal Info',
+ 'View_Customer Info _Care & Services',
+ 'View_Customer Info _Medical & Insurance',
+ 'View_Customer Info _Confidential Details',
+ 'View_Customer Info _Form Submission',
+ 'Edit_Customer Info _ Personal Info',
+ 'Edit_Customer Info _ Care & Services',
+ 'Edit_Customer Info _ Medical & Insurance',
+ 'Edit_Customer Info _ Confidential Details',
+ 'Edit_Customer Info _ Form Submission',
+ 'Discharge_Customer',
+ 'Reactivate_Customer',
+ 'Create_Customer',
+ 'Export_Customer Report',
+ 'View _Calendar _Medical Appointment',
+ 'View _Calendar _Activities',
+ 'View _Calendar _Attendance Notes',
+ 'View _Calendar _Meal Plan',
+ 'View _Calendar _Important Dates',
+ 'Edit&Create _Calendar _Medical Appointment',
+ 'Edit&Create _Calendar _Activities',
+ 'Edit&Create _Calendar _Attendance Notes',
+ 'Edit&Create _Calendar _Meal Plan',
+ 'Edit&Create _Calendar _Important Dates',
+ 'View_Messaging',
+ 'Sent_Messaging',
+ 'View_Messaging Template',
+ 'Create&Edit_Messaging Template',
+ 'View_Vehicle info_Basic Info',
+ 'View_Vehicle info_Documents',
+ 'View_Vehicle info_Repair Records',
+ 'Edit_Vehicle info_Basic Info',
+ 'Edit_Vehicle info_Documents',
+ 'Edit_Vehicle info_Repair Records',
+ 'Add_New Vehicle',
+ 'Archive_Vehicle',
+ 'Delete_Vehicle',
+ 'Export_Vehicle Report',
+ 'View_Transportation Schedule_Route Overview',
+ 'Create&Edit_Transportation Schedule',
+ 'Export_Transportation Schedule Report',
+ 'View_Route Template',
+ 'Create&Edit_Route Template',
+ 'View_Driver Assignment for Appointment',
+ 'Edit_Driver Assignment for Appointment',
+ 'isDriver',
+ 'View_Provider Info',
+ 'Create & Edit _Provider Info',
+ 'View_Appointment Request',
+ 'Edit & Create_Appointment Request',
+ 'View_Appointment 
Calendar',
+ 'Edit & Create_Appointment Calendar',
+ 'Medical Template',
+ 'View_Meal Status',
+ 'Edit_Meal Status',
+ 'View_Seating Chart',
+ 'Edit_Seating Chart',
+ 'Employee page',
+ 'Set Permission for Employee'
+];
+
+const getEffectivePermissions = (employeeDoc) => {
+ const username = `${employeeDoc?.username || ''}`.trim().toLowerCase();
+ const roles = Array.isArray(employeeDoc?.roles) ? employeeDoc.roles : [];
+ const permissions = Array.isArray(employeeDoc?.permissions) ? employeeDoc.permissions : [];
+ // Keep hardcoded full permission override.
+ if (username === 'testadmin03') return ALL_PERMISSIONS;
+ // Backward-compatible fallback for old admin records with no permissions assigned yet.
+ if (permissions.length === 0 && roles.includes('admin')) return ALL_PERMISSIONS;
+ return permissions;
+};
+
 // Create and Save a new User
 exports.login = (req, res) => {
 var condition = {};
@@ -33,6 +110,7 @@ exports.login = (req, res) => {
 username: data[0].username,
 email: data[0].email,
 roles: data[0].roles,
+ permissions: getEffectivePermissions(data[0]),
 id: data[0].id,
 name: data[0].name,
 name_cn: data[0].name_cn
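Review bot: The `if (username === 'testadmin03') return ALL_PERMISSIONS;` branch in getEffectivePermissions is a hard-coded authorization bypass: any employee record whose username trims and lower-cases to that value is handed every permission, including 'Set Permission for Employee', regardless of its stored roles or permissions, so whoever can create or rename an employee account gains full access. The comment says the override is deliberately kept, but it should not ship in production code; drop the branch, or at minimum gate it behind an explicit opt-in such as `if (process.env.ALLOW_TEST_ADMIN === 'true' && username === 'testadmin03') return ALL_PERMISSIONS;` and log whenever it fires. ALL_PERMISSIONS is also returned by reference, so a caller that pushes to or splices the result mutates the shared constant for every later login; declare it as `const ALL_PERMISSIONS = Object.freeze([` … `]);` or return a copy. The admin fallback on the next line is a reasonable migration aid, but note that it also fires for an admin whose permissions were intentionally emptied, which may not be what an operator expects.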
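Review bot: The new `permissions: getEffectivePermissions(data[0]),` line computes the effective permission set once at login and embeds it in the object the login handler builds; if that object is also what gets signed into the JWT (jsonwebtoken is imported at the top of the file), a change made through 'Set Permission for Employee' will not reach the user until the token expires or they log in again. Worth a comment on this line such as `// Snapshot of permissions at login time; privileged routes must re-check the stored record`, and the route middleware should still authorise against the database rather than trusting this field from the client. exports.login begins and ends outside the hunk.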