diff --git a/controllers/lesson_plan.go b/controllers/lesson_plan.go
index c45d2f9..993612a 100644
--- a/controllers/lesson_plan.go
+++ b/controllers/lesson_plan.go
@@ -74,8 +74,11 @@ func (lc *LessonPlanController) Upload(c *gin.Context) {
 		return
 	}
 	tempPath := tempFile.Name()
+	tempClosed := false
 	defer func() {
-		_ = tempFile.Close()
+		if !tempClosed {
+			_ = tempFile.Close()
+		}
 		if _, statErr := os.Stat(tempPath); statErr == nil {
 			_ = os.Remove(tempPath)
 		}
@@ -104,6 +107,11 @@ func (lc *LessonPlanController) Upload(c *gin.Context) {
 
 	storedFilename := buildStoredLessonPlanFilename(md5Value, fileHeader.Filename)
 	finalPath := filepath.Join(lessonPlanStorageDir, storedFilename)
+	if err := tempFile.Close(); err != nil {
+		writeError(c, http.StatusInternalServerError, "failed to finalize upload")
+		return
+	}
+	tempClosed = true
 	if err := os.Rename(tempPath, finalPath); err != nil {
 		writeError(c, http.StatusInternalServerError, "failed to finalize upload")
 		return
diff --git a/main.go b/main.go
index 15d02f5..1289cea 100644
--- a/main.go
+++ b/main.go
@@ -38,6 +38,9 @@ func main() {
 	if err := models.BackfillLegacyUserPermissions(config.DB); err != nil {
 		log.Printf("legacy user permission backfill failed: %v", err)
 	}
+	if err := models.EnsureDefaultAdmin(config.DB); err != nil {
+		log.Printf("default admin init failed: %v", err)
+	}
 
 	if err := mqtt.Start(config.DB, config.App.MQTT); err != nil {
 		log.Printf("mqtt listener start failed: %v", err)
diff --git a/middleware/lesson_plan_permission.go b/middleware/lesson_plan_permission.go
index f541d6b..3b1b05f 100644
--- a/middleware/lesson_plan_permission.go
+++ b/middleware/lesson_plan_permission.go
@@ -28,6 +28,10 @@ func RequireHeartRateOperatorOrHigher() gin.HandlerFunc {
 			c.Abort()
 			return
 		}
+		if role == models.UserRoleSuperAdmin {
+			c.Next()
+			return
+		}
 
 		flavorValue, exists := c.Get("flavorType")
 		if !exists {
diff --git a/middleware/user_permission.go b/middleware/user_permission.go
index c0216ad..a6c6639 100644
--- a/middleware/user_permission.go
+++ b/middleware/user_permission.go
@@ -29,6 +29,10 @@ func RequireStepTrainingAccess() gin.HandlerFunc {
 			c.Abort()
 			return
 		}
+		if role == models.UserRoleSuperAdmin {
+			c.Next()
+			return
+		}
 
 		flavorValue, exists := c.Get("flavorType")
 		if !exists {
diff --git a/models/default_admin.go b/models/default_admin.go
new file mode 100644
index 0000000..6fe1ee1
--- /dev/null
+++ b/models/default_admin.go
@@ -0,0 +1,33 @@
+package models
+
+import (
+	"errors"
+
+	"gorm.io/gorm"
+)
+
+const (
+	defaultAdminUsername = "admin"
+	defaultAdminPassword = "123456"
+)
+
+func EnsureDefaultAdmin(db *gorm.DB) error {
+	var user User
+	err := db.Where("username = ?", defaultAdminUsername).First(&user).Error
+	if err == nil {
+		return nil
+	}
+	if !errors.Is(err, gorm.ErrRecordNotFound) {
+		return err
+	}
+
+	admin := User{
+		Username:   defaultAdminUsername,
+		Password:   defaultAdminPassword,
+		Role:       UserRoleSuperAdmin,
+		FlavorType: UserFlavorAll,
+		IsActive:   true,
+	}
+
+	return db.Create(&admin).Error
+}