Merge branch 'main' into clean-transactional-propsal

2025-08-12 00:57:33 +00:00 · 2025-07-30 07:42:11 +02:00
parent 13b772aa8c 6d98b33c56
commit 7b47b82b93
117 changed files with 5490 additions and 1075 deletions
--- a/internal/query/administrators.go
+++ b/internal/query/administrators.go
@@ -165,12 +165,13 @@ func administratorProjectGrantCheckPermission(ctx context.Context, resourceOwner
 }

 func (q *Queries) SearchAdministrators(ctx context.Context, queries *MembershipSearchQuery, permissionCheck domain.PermissionCheck) (*Administrators, error) {
-	permissionCheckV2 := PermissionV2(ctx, permissionCheck)
-	admins, err := q.searchAdministrators(ctx, queries, permissionCheckV2)
+	// removed as permission v2 is not implemented yet for project grant level permissions
+	// permissionCheckV2 := PermissionV2(ctx, permissionCheck)
+	admins, err := q.searchAdministrators(ctx, queries, false)
 	if err != nil {
 		return nil, err
 	}
-	if permissionCheck != nil && !authz.GetFeatures(ctx).PermissionCheckV2 {
+	if permissionCheck != nil { // && !authz.GetFeatures(ctx).PermissionCheckV2 {
 		administratorsCheckPermission(ctx, admins, permissionCheck)
 	}
 	return admins, nil
@@ -184,7 +185,7 @@ func (q *Queries) searchAdministrators(ctx context.Context, queries *MembershipS
 	eq := sq.Eq{membershipInstanceID.identifier(): authz.GetInstance(ctx).InstanceID()}
 	stmt, args, err := queries.toQuery(query).Where(eq).ToSql()
 	if err != nil {
-		return nil, zerrors.ThrowInvalidArgument(err, "QUERY-TODO", "Errors.Query.InvalidRequest")
+		return nil, zerrors.ThrowInvalidArgument(err, "QUERY-xhEnpLFNpJ", "Errors.Query.InvalidRequest")
 	}
 	latestState, err := q.latestState(ctx, orgMemberTable, instanceMemberTable, projectMemberTable, projectGrantMemberTable)
 	if err != nil {
@@ -334,7 +335,7 @@ func prepareAdministratorsQuery(ctx context.Context, queries *MembershipSearchQu
 			}

 			if err := rows.Close(); err != nil {
-				return nil, zerrors.ThrowInternal(err, "QUERY-TODO", "Errors.Query.CloseRows")
+				return nil, zerrors.ThrowInternal(err, "QUERY-ajYcn0eK7f", "Errors.Query.CloseRows")
 			}

 			return &Administrators{
--- a/internal/query/organization_settings.go
+++ b/internal/query/organization_settings.go
@@ -0,0 +1,196 @@
+package query
+
+import (
+	"context"
+	"database/sql"
+	"slices"
+	"time"
+
+	sq "github.com/Masterminds/squirrel"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/query/projection"
+	"github.com/zitadel/zitadel/internal/telemetry/tracing"
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+var (
+	organizationSettingsTable = table{
+		name:          projection.OrganizationSettingsTable,
+		instanceIDCol: projection.OrganizationSettingsInstanceIDCol,
+	}
+	OrganizationSettingsColumnID = Column{
+		name:  projection.OrganizationSettingsIDCol,
+		table: organizationSettingsTable,
+	}
+	OrganizationSettingsColumnCreationDate = Column{
+		name:  projection.OrganizationSettingsCreationDateCol,
+		table: organizationSettingsTable,
+	}
+	OrganizationSettingsColumnChangeDate = Column{
+		name:  projection.OrganizationSettingsChangeDateCol,
+		table: organizationSettingsTable,
+	}
+	OrganizationSettingsColumnResourceOwner = Column{
+		name:  projection.OrganizationSettingsResourceOwnerCol,
+		table: organizationSettingsTable,
+	}
+	OrganizationSettingsColumnInstanceID = Column{
+		name:  projection.OrganizationSettingsInstanceIDCol,
+		table: organizationSettingsTable,
+	}
+	OrganizationSettingsColumnSequence = Column{
+		name:  projection.OrganizationSettingsSequenceCol,
+		table: organizationSettingsTable,
+	}
+	OrganizationSettingsColumnOrganizationScopedUsernames = Column{
+		name:  projection.OrganizationSettingsOrganizationScopedUsernamesCol,
+		table: organizationSettingsTable,
+	}
+)
+
+type OrganizationSettingsList struct {
+	SearchResponse
+	OrganizationSettingsList []*OrganizationSettings
+}
+
+func organizationSettingsListCheckPermission(ctx context.Context, organizationSettingsList *OrganizationSettingsList, permissionCheck domain.PermissionCheck) {
+	organizationSettingsList.OrganizationSettingsList = slices.DeleteFunc(organizationSettingsList.OrganizationSettingsList,
+		func(organizationSettings *OrganizationSettings) bool {
+			return organizationSettingsCheckPermission(ctx, organizationSettings.ResourceOwner, organizationSettings.ID, permissionCheck) != nil
+		},
+	)
+}
+
+func organizationSettingsCheckPermission(ctx context.Context, resourceOwner string, id string, permissionCheck domain.PermissionCheck) error {
+	return permissionCheck(ctx, domain.PermissionPolicyRead, resourceOwner, id)
+}
+
+type OrganizationSettings struct {
+	ID            string
+	CreationDate  time.Time
+	ChangeDate    time.Time
+	ResourceOwner string
+	Sequence      uint64
+
+	OrganizationScopedUsernames bool
+}
+
+type OrganizationSettingsSearchQueries struct {
+	SearchRequest
+	Queries []SearchQuery
+}
+
+func (q *OrganizationSettingsSearchQueries) toQuery(query sq.SelectBuilder) sq.SelectBuilder {
+	query = q.SearchRequest.toQuery(query)
+	for _, q := range q.Queries {
+		query = q.toQuery(query)
+	}
+	return query
+}
+
+func organizationSettingsPermissionCheckV2(ctx context.Context, query sq.SelectBuilder, enabled bool, queries *OrganizationSettingsSearchQueries) sq.SelectBuilder {
+	if !enabled {
+		return query
+	}
+	join, args := PermissionClause(
+		ctx,
+		OrganizationSettingsColumnID,
+		domain.PermissionPolicyRead,
+		SingleOrgPermissionOption(queries.Queries),
+	)
+	return query.JoinClause(join, args...)
+}
+
+func (q *Queries) SearchOrganizationSettings(ctx context.Context, queries *OrganizationSettingsSearchQueries, permissionCheck domain.PermissionCheck) (*OrganizationSettingsList, error) {
+	permissionCheckV2 := PermissionV2(ctx, permissionCheck)
+	settings, err := q.searchOrganizationSettings(ctx, queries, permissionCheckV2)
+	if err != nil {
+		return nil, err
+	}
+	if permissionCheck != nil && !authz.GetFeatures(ctx).PermissionCheckV2 {
+		organizationSettingsListCheckPermission(ctx, settings, permissionCheck)
+	}
+	return settings, nil
+}
+
+func (q *Queries) searchOrganizationSettings(ctx context.Context, queries *OrganizationSettingsSearchQueries, permissionCheckV2 bool) (settingsList *OrganizationSettingsList, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	query, scan := prepareOrganizationSettingsListQuery()
+	query = organizationSettingsPermissionCheckV2(ctx, query, permissionCheckV2, queries)
+	eq := sq.Eq{OrganizationSettingsColumnInstanceID.identifier(): authz.GetInstance(ctx).InstanceID()}
+	stmt, args, err := queries.toQuery(query).Where(eq).ToSql()
+	if err != nil {
+		return nil, zerrors.ThrowInvalidArgument(err, "QUERY-qNPeOXlMwj", "Errors.Query.InvalidRequest")
+	}
+
+	err = q.client.QueryContext(ctx, func(rows *sql.Rows) error {
+		settingsList, err = scan(rows)
+		return err
+	}, stmt, args...)
+	if err != nil {
+		return nil, err
+	}
+	return settingsList, nil
+}
+
+func NewOrganizationSettingsOrganizationIDSearchQuery(ids []string) (SearchQuery, error) {
+	list := make([]interface{}, len(ids))
+	for i, value := range ids {
+		list[i] = value
+	}
+	return NewListQuery(OrganizationSettingsColumnID, list, ListIn)
+}
+
+func NewOrganizationSettingsOrganizationScopedUsernamesSearchQuery(organizationScopedUsernames bool) (SearchQuery, error) {
+	return NewBoolQuery(OrganizationSettingsColumnOrganizationScopedUsernames, organizationScopedUsernames)
+}
+
+func prepareOrganizationSettingsListQuery() (sq.SelectBuilder, func(*sql.Rows) (*OrganizationSettingsList, error)) {
+	return sq.Select(
+			OrganizationSettingsColumnID.identifier(),
+			OrganizationSettingsColumnCreationDate.identifier(),
+			OrganizationSettingsColumnChangeDate.identifier(),
+			OrganizationSettingsColumnResourceOwner.identifier(),
+			OrganizationSettingsColumnSequence.identifier(),
+			OrganizationSettingsColumnOrganizationScopedUsernames.identifier(),
+			countColumn.identifier(),
+		).From(organizationSettingsTable.identifier()).
+			PlaceholderFormat(sq.Dollar),
+		func(rows *sql.Rows) (*OrganizationSettingsList, error) {
+			settingsList := make([]*OrganizationSettings, 0)
+			var (
+				count uint64
+			)
+			for rows.Next() {
+				settings := new(OrganizationSettings)
+				err := rows.Scan(
+					&settings.ID,
+					&settings.CreationDate,
+					&settings.ChangeDate,
+					&settings.ResourceOwner,
+					&settings.Sequence,
+					&settings.OrganizationScopedUsernames,
+					&count,
+				)
+				if err != nil {
+					return nil, err
+				}
+				settingsList = append(settingsList, settings)
+			}
+
+			if err := rows.Close(); err != nil {
+				return nil, zerrors.ThrowInternal(err, "QUERY-mmC1K0t5Fq", "Errors.Query.CloseRows")
+			}
+
+			return &OrganizationSettingsList{
+				OrganizationSettingsList: settingsList,
+				SearchResponse: SearchResponse{
+					Count: count,
+				},
+			}, nil
+		}
+}
--- a/internal/query/organization_settings_test.go
+++ b/internal/query/organization_settings_test.go
@@ -0,0 +1,180 @@
+package query
+
+import (
+	"database/sql"
+	"database/sql/driver"
+	"errors"
+	"fmt"
+	"regexp"
+	"testing"
+)
+
+var (
+	prepareOrganizationSettingsListStmt = `SELECT projections.organization_settings.id,` +
+		` projections.organization_settings.creation_date,` +
+		` projections.organization_settings.change_date,` +
+		` projections.organization_settings.resource_owner,` +
+		` projections.organization_settings.sequence,` +
+		` projections.organization_settings.organization_scoped_usernames,` +
+		` COUNT(*) OVER ()` +
+		` FROM projections.organization_settings`
+	prepareOrganizationSettingsListCols = []string{
+		"id",
+		"creation_date",
+		"change_date",
+		"resource_owner",
+		"sequence",
+		"organization_scoped_usernames",
+		"count",
+	}
+)
+
+func Test_OrganizationSettingsListPrepares(t *testing.T) {
+	type want struct {
+		sqlExpectations sqlExpectation
+		err             checkErr
+	}
+	tests := []struct {
+		name    string
+		prepare interface{}
+		want    want
+		object  interface{}
+	}{
+		{
+			name:    "prepareOrganizationSettingsListQuery no result",
+			prepare: prepareOrganizationSettingsListQuery,
+			want: want{
+				sqlExpectations: mockQueries(
+					regexp.QuoteMeta(prepareOrganizationSettingsListStmt),
+					nil,
+					nil,
+				),
+			},
+			object: &OrganizationSettingsList{OrganizationSettingsList: []*OrganizationSettings{}},
+		},
+		{
+			name:    "prepareOrganizationSettingsListQuery one result",
+			prepare: prepareOrganizationSettingsListQuery,
+			want: want{
+				sqlExpectations: mockQueries(
+					regexp.QuoteMeta(prepareOrganizationSettingsListStmt),
+					prepareOrganizationSettingsListCols,
+					[][]driver.Value{
+						{
+							"id",
+							testNow,
+							testNow,
+							"ro",
+							uint64(20211108),
+							true,
+						},
+					},
+				),
+			},
+			object: &OrganizationSettingsList{
+				SearchResponse: SearchResponse{
+					Count: 1,
+				},
+				OrganizationSettingsList: []*OrganizationSettings{
+					{
+						ID:                          "id",
+						CreationDate:                testNow,
+						ChangeDate:                  testNow,
+						ResourceOwner:               "ro",
+						Sequence:                    20211108,
+						OrganizationScopedUsernames: true,
+					},
+				},
+			},
+		},
+		{
+			name:    "prepareOrganizationSettingsListQuery multiple result",
+			prepare: prepareOrganizationSettingsListQuery,
+			want: want{
+				sqlExpectations: mockQueries(
+					regexp.QuoteMeta(prepareOrganizationSettingsListStmt),
+					prepareOrganizationSettingsListCols,
+					[][]driver.Value{
+						{
+							"id-1",
+							testNow,
+							testNow,
+							"ro",
+							uint64(20211108),
+							true,
+						},
+						{
+							"id-2",
+							testNow,
+							testNow,
+							"ro",
+							uint64(20211108),
+							false,
+						},
+						{
+							"id-3",
+							testNow,
+							testNow,
+							"ro",
+							uint64(20211108),
+							true,
+						},
+					},
+				),
+			},
+			object: &OrganizationSettingsList{
+				SearchResponse: SearchResponse{
+					Count: 3,
+				},
+				OrganizationSettingsList: []*OrganizationSettings{
+					{
+						ID:                          "id-1",
+						CreationDate:                testNow,
+						ChangeDate:                  testNow,
+						ResourceOwner:               "ro",
+						Sequence:                    20211108,
+						OrganizationScopedUsernames: true,
+					},
+					{
+						ID:                          "id-2",
+						CreationDate:                testNow,
+						ChangeDate:                  testNow,
+						ResourceOwner:               "ro",
+						Sequence:                    20211108,
+						OrganizationScopedUsernames: false,
+					},
+					{
+						ID:                          "id-3",
+						CreationDate:                testNow,
+						ChangeDate:                  testNow,
+						ResourceOwner:               "ro",
+						Sequence:                    20211108,
+						OrganizationScopedUsernames: true,
+					},
+				},
+			},
+		},
+		{
+			name:    "prepareOrganizationSettingsListQuery sql err",
+			prepare: prepareOrganizationSettingsListQuery,
+			want: want{
+				sqlExpectations: mockQueryErr(
+					regexp.QuoteMeta(prepareOrganizationSettingsListStmt),
+					sql.ErrConnDone,
+				),
+				err: func(err error) (error, bool) {
+					if !errors.Is(err, sql.ErrConnDone) {
+						return fmt.Errorf("err should be sql.ErrConnDone got: %w", err), false
+					}
+					return nil, true
+				},
+			},
+			object: (*OrganizationSettingsList)(nil),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assertPrepare(t, tt.prepare, tt.object, tt.want.sqlExpectations, tt.want.err)
+		})
+	}
+}
--- a/internal/query/project.go
+++ b/internal/query/project.go
@@ -282,12 +282,13 @@ func projectPermissionCheckV2(ctx context.Context, query sq.SelectBuilder, enabl
 }

 func (q *Queries) SearchGrantedProjects(ctx context.Context, queries *ProjectAndGrantedProjectSearchQueries, permissionCheck domain.PermissionCheck) (*GrantedProjects, error) {
-	permissionCheckV2 := PermissionV2(ctx, permissionCheck)
-	projects, err := q.searchGrantedProjects(ctx, queries, permissionCheckV2)
+	// removed as permission v2 is not implemented yet for project grant level permissions
+	// permissionCheckV2 := PermissionV2(ctx, permissionCheck)
+	projects, err := q.searchGrantedProjects(ctx, queries, false)
 	if err != nil {
 		return nil, err
 	}
-	if permissionCheck != nil && !authz.GetFeatures(ctx).PermissionCheckV2 {
+	if permissionCheck != nil { // && !authz.GetFeatures(ctx).PermissionCheckV2 {
 		grantedProjectsCheckPermission(ctx, projects, permissionCheck)
 	}
 	return projects, nil
--- a/internal/query/project_grant.go
+++ b/internal/query/project_grant.go
@@ -200,12 +200,13 @@ func (q *Queries) ProjectGrantByIDAndGrantedOrg(ctx context.Context, id, granted
 }

 func (q *Queries) SearchProjectGrants(ctx context.Context, queries *ProjectGrantSearchQueries, permissionCheck domain.PermissionCheck) (grants *ProjectGrants, err error) {
-	permissionCheckV2 := PermissionV2(ctx, permissionCheck)
-	projectsGrants, err := q.searchProjectGrants(ctx, queries, permissionCheckV2)
+	// removed as permission v2 is not implemented yet for project grant level permissions
+	// permissionCheckV2 := PermissionV2(ctx, permissionCheck)
+	projectsGrants, err := q.searchProjectGrants(ctx, queries, false)
 	if err != nil {
 		return nil, err
 	}
-	if permissionCheck != nil && !authz.GetFeatures(ctx).PermissionCheckV2 {
+	if permissionCheck != nil { // && !authz.GetFeatures(ctx).PermissionCheckV2 {
 		projectGrantsCheckPermission(ctx, projectsGrants, permissionCheck)
 	}
 	return projectsGrants, nil
--- a/internal/query/projection/event_test.go
+++ b/internal/query/projection/event_test.go
@@ -99,7 +99,7 @@ func assertReduce(t *testing.T, stmt *handler.Statement, err error, projection s
 		want.executer.Validate(t)
 		return
 	}
-	err = stmt.Execute(want.executer, projection)
+	err = stmt.Execute(t.Context(), want.executer, projection)
 	if err != nil {
 		t.Errorf("unexpected error: %v", err)
 	}
--- a/internal/query/projection/organization_settings.go
+++ b/internal/query/projection/organization_settings.go
@@ -0,0 +1,141 @@
+package projection
+
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/eventstore"
+	old_handler "github.com/zitadel/zitadel/internal/eventstore/handler"
+	"github.com/zitadel/zitadel/internal/eventstore/handler/v2"
+	"github.com/zitadel/zitadel/internal/repository/instance"
+	"github.com/zitadel/zitadel/internal/repository/org"
+	settings "github.com/zitadel/zitadel/internal/repository/organization_settings"
+)
+
+const (
+	OrganizationSettingsTable                          = "projections.organization_settings"
+	OrganizationSettingsIDCol                          = "id"
+	OrganizationSettingsCreationDateCol                = "creation_date"
+	OrganizationSettingsChangeDateCol                  = "change_date"
+	OrganizationSettingsResourceOwnerCol               = "resource_owner"
+	OrganizationSettingsInstanceIDCol                  = "instance_id"
+	OrganizationSettingsSequenceCol                    = "sequence"
+	OrganizationSettingsOrganizationScopedUsernamesCol = "organization_scoped_usernames"
+)
+
+type organizationSettingsProjection struct{}
+
+func newOrganizationSettingsProjection(ctx context.Context, config handler.Config) *handler.Handler {
+	return handler.NewHandler(ctx, &config, new(organizationSettingsProjection))
+}
+
+func (*organizationSettingsProjection) Name() string {
+	return OrganizationSettingsTable
+}
+
+func (*organizationSettingsProjection) Init() *old_handler.Check {
+	return handler.NewTableCheck(
+		handler.NewTable([]*handler.InitColumn{
+			handler.NewColumn(OrganizationSettingsIDCol, handler.ColumnTypeText),
+			handler.NewColumn(OrganizationSettingsCreationDateCol, handler.ColumnTypeTimestamp),
+			handler.NewColumn(OrganizationSettingsChangeDateCol, handler.ColumnTypeTimestamp),
+			handler.NewColumn(OrganizationSettingsResourceOwnerCol, handler.ColumnTypeText),
+			handler.NewColumn(OrganizationSettingsInstanceIDCol, handler.ColumnTypeText),
+			handler.NewColumn(OrganizationSettingsSequenceCol, handler.ColumnTypeInt64),
+			handler.NewColumn(OrganizationSettingsOrganizationScopedUsernamesCol, handler.ColumnTypeBool),
+		},
+			handler.NewPrimaryKey(OrganizationSettingsInstanceIDCol, OrganizationSettingsResourceOwnerCol, OrganizationSettingsIDCol),
+			handler.WithIndex(handler.NewIndex("resource_owner", []string{OrganizationSettingsResourceOwnerCol})),
+		),
+	)
+}
+
+func (p *organizationSettingsProjection) Reducers() []handler.AggregateReducer {
+	return []handler.AggregateReducer{
+		{
+			Aggregate: settings.AggregateType,
+			EventReducers: []handler.EventReducer{
+				{
+					Event:  settings.OrganizationSettingsSetEventType,
+					Reduce: p.reduceOrganizationSettingsSet,
+				},
+				{
+					Event:  settings.OrganizationSettingsRemovedEventType,
+					Reduce: p.reduceOrganizationSettingsRemoved,
+				},
+			},
+		},
+		{
+			Aggregate: org.AggregateType,
+			EventReducers: []handler.EventReducer{
+				{
+					Event:  org.OrgRemovedEventType,
+					Reduce: p.reduceOrgRemoved,
+				},
+			},
+		},
+		{
+			Aggregate: instance.AggregateType,
+			EventReducers: []handler.EventReducer{
+				{
+					Event:  instance.InstanceRemovedEventType,
+					Reduce: reduceInstanceRemovedHelper(OrganizationSettingsInstanceIDCol),
+				},
+			},
+		},
+	}
+}
+
+func (p *organizationSettingsProjection) reduceOrganizationSettingsSet(event eventstore.Event) (*handler.Statement, error) {
+	e, err := assertEvent[*settings.OrganizationSettingsSetEvent](event)
+	if err != nil {
+		return nil, err
+	}
+
+	return handler.NewUpsertStatement(e,
+		[]handler.Column{
+			handler.NewCol(OrganizationSettingsInstanceIDCol, e.Aggregate().InstanceID),
+			handler.NewCol(OrganizationSettingsResourceOwnerCol, e.Aggregate().ResourceOwner),
+			handler.NewCol(OrganizationSettingsIDCol, e.Aggregate().ID),
+		},
+		[]handler.Column{
+			handler.NewCol(OrganizationSettingsInstanceIDCol, e.Aggregate().InstanceID),
+			handler.NewCol(OrganizationSettingsResourceOwnerCol, e.Aggregate().ResourceOwner),
+			handler.NewCol(OrganizationSettingsIDCol, e.Aggregate().ID),
+			handler.NewCol(OrganizationSettingsCreationDateCol, handler.OnlySetValueOnInsert(OrganizationSettingsTable, e.CreationDate())),
+			handler.NewCol(OrganizationSettingsChangeDateCol, e.CreationDate()),
+			handler.NewCol(OrganizationSettingsSequenceCol, e.Sequence()),
+			handler.NewCol(OrganizationSettingsOrganizationScopedUsernamesCol, e.OrganizationScopedUsernames),
+		},
+	), nil
+}
+
+func (p *organizationSettingsProjection) reduceOrganizationSettingsRemoved(event eventstore.Event) (*handler.Statement, error) {
+	e, err := assertEvent[*settings.OrganizationSettingsRemovedEvent](event)
+	if err != nil {
+		return nil, err
+	}
+
+	return handler.NewDeleteStatement(e,
+		[]handler.Condition{
+			handler.NewCond(OrganizationSettingsInstanceIDCol, e.Aggregate().InstanceID),
+			handler.NewCond(OrganizationSettingsResourceOwnerCol, e.Aggregate().ResourceOwner),
+			handler.NewCond(OrganizationSettingsIDCol, e.Aggregate().ID),
+		},
+	), nil
+}
+
+func (p *organizationSettingsProjection) reduceOrgRemoved(event eventstore.Event) (*handler.Statement, error) {
+	e, err := assertEvent[*org.OrgRemovedEvent](event)
+	if err != nil {
+		return nil, err
+	}
+
+	return handler.NewDeleteStatement(
+		e,
+		[]handler.Condition{
+			handler.NewCond(OrganizationSettingsInstanceIDCol, e.Aggregate().InstanceID),
+			handler.NewCond(OrganizationSettingsResourceOwnerCol, e.Aggregate().ResourceOwner),
+			handler.NewCond(OrganizationSettingsIDCol, e.Aggregate().ID),
+		},
+	), nil
+}
--- a/internal/query/projection/organization_settings_test.go
+++ b/internal/query/projection/organization_settings_test.go
@@ -0,0 +1,154 @@
+package projection
+
+import (
+	"testing"
+
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/eventstore/handler/v2"
+	"github.com/zitadel/zitadel/internal/repository/instance"
+	"github.com/zitadel/zitadel/internal/repository/org"
+	settings "github.com/zitadel/zitadel/internal/repository/organization_settings"
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+func TestOrganizationSettingsProjection_reduces(t *testing.T) {
+	type args struct {
+		event func(t *testing.T) eventstore.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		reduce func(event eventstore.Event) (*handler.Statement, error)
+		want   wantReduce
+	}{
+		{
+			name: "reduce organization settings set",
+			args: args{
+				event: getEvent(
+					testEvent(
+						settings.OrganizationSettingsSetEventType,
+						settings.AggregateType,
+						[]byte(`{"organizationScopedUsernames": true}`),
+					), eventstore.GenericEventMapper[settings.OrganizationSettingsSetEvent],
+				),
+			},
+			reduce: (&organizationSettingsProjection{}).reduceOrganizationSettingsSet,
+			want: wantReduce{
+				aggregateType: eventstore.AggregateType("organization_settings"),
+				sequence:      15,
+				executer: &testExecuter{
+					executions: []execution{
+						{
+							expectedStmt: "INSERT INTO projections.organization_settings (instance_id, resource_owner, id, creation_date, change_date, sequence, organization_scoped_usernames) VALUES ($1, $2, $3, $4, $5, $6, $7) ON CONFLICT (instance_id, resource_owner, id) DO UPDATE SET (creation_date, change_date, sequence, organization_scoped_usernames) = (projections.organization_settings.creation_date, EXCLUDED.change_date, EXCLUDED.sequence, EXCLUDED.organization_scoped_usernames)",
+							expectedArgs: []interface{}{
+								"instance-id",
+								"ro-id",
+								"agg-id",
+								anyArg{},
+								anyArg{},
+								uint64(15),
+								true,
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "reduce organization settings removed",
+			args: args{
+				event: getEvent(
+					testEvent(
+						settings.OrganizationSettingsRemovedEventType,
+						settings.AggregateType,
+						[]byte(`{}`),
+					), eventstore.GenericEventMapper[settings.OrganizationSettingsRemovedEvent],
+				),
+			},
+			reduce: (&organizationSettingsProjection{}).reduceOrganizationSettingsRemoved,
+			want: wantReduce{
+				aggregateType: eventstore.AggregateType("organization_settings"),
+				sequence:      15,
+				executer: &testExecuter{
+					executions: []execution{
+						{
+							expectedStmt: "DELETE FROM projections.organization_settings WHERE (instance_id = $1) AND (resource_owner = $2) AND (id = $3)",
+							expectedArgs: []interface{}{
+								"instance-id",
+								"ro-id",
+								"agg-id",
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "reduceOrgRemoved",
+			args: args{
+				event: getEvent(
+					testEvent(
+						org.OrgRemovedEventType,
+						org.AggregateType,
+						nil,
+					), org.OrgRemovedEventMapper),
+			},
+			reduce: (&organizationSettingsProjection{}).reduceOrgRemoved,
+			want: wantReduce{
+				aggregateType: eventstore.AggregateType("org"),
+				sequence:      15,
+				executer: &testExecuter{
+					executions: []execution{
+						{
+							expectedStmt: "DELETE FROM projections.organization_settings WHERE (instance_id = $1) AND (resource_owner = $2) AND (id = $3)",
+							expectedArgs: []interface{}{
+								"instance-id",
+								"ro-id",
+								"agg-id",
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "instance reduceInstanceRemoved",
+			args: args{
+				event: getEvent(
+					testEvent(
+						instance.InstanceRemovedEventType,
+						instance.AggregateType,
+						nil,
+					), instance.InstanceRemovedEventMapper),
+			},
+			reduce: reduceInstanceRemovedHelper(OrganizationSettingsInstanceIDCol),
+			want: wantReduce{
+				aggregateType: eventstore.AggregateType("instance"),
+				sequence:      15,
+				executer: &testExecuter{
+					executions: []execution{
+						{
+							expectedStmt: "DELETE FROM projections.organization_settings WHERE (instance_id = $1)",
+							expectedArgs: []interface{}{
+								"agg-id",
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			event := baseEvent(t)
+			got, err := tt.reduce(event)
+			if ok := zerrors.IsErrorInvalidArgument(err); !ok {
+				t.Errorf("no wrong event mapping: %v, got: %v", err, got)
+			}
+
+			event = tt.args.event(t)
+			got, err = tt.reduce(event)
+			assertReduce(t, got, err, OrganizationSettingsTable, tt.want)
+		})
+	}
+}
--- a/internal/query/projection/projection.go
+++ b/internal/query/projection/projection.go
@@ -89,6 +89,7 @@ var (
 	WebKeyProjection                    *handler.Handler
 	DebugEventsProjection               *handler.Handler
 	HostedLoginTranslationProjection    *handler.Handler
+	OrganizationSettingsProjection      *handler.Handler

 	ProjectGrantFields      *handler.FieldHandler
 	OrgDomainVerifiedFields *handler.FieldHandler
@@ -185,6 +186,7 @@ func Create(ctx context.Context, sqlClient *database.DB, es handler.EventStore,
 	WebKeyProjection = newWebKeyProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["web_keys"]))
 	DebugEventsProjection = newDebugEventsProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["debug_events"]))
 	HostedLoginTranslationProjection = newHostedLoginTranslationProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["hosted_login_translation"]))
+	OrganizationSettingsProjection = newOrganizationSettingsProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["organization_settings"]))

 	ProjectGrantFields = newFillProjectGrantFields(applyCustomConfig(projectionConfig, config.Customizations[fieldsProjectGrant]))
 	OrgDomainVerifiedFields = newFillOrgDomainVerifiedFields(applyCustomConfig(projectionConfig, config.Customizations[fieldsOrgDomainVerified]))
@@ -366,5 +368,6 @@ func newProjectionsList() {
 		WebKeyProjection,
 		DebugEventsProjection,
 		HostedLoginTranslationProjection,
+		OrganizationSettingsProjection,
 	}
 }
--- a/internal/query/user_grant.go
+++ b/internal/query/user_grant.go
@@ -305,12 +305,13 @@ func (q *Queries) UserGrant(ctx context.Context, shouldTriggerBulk bool, queries
 }

 func (q *Queries) UserGrants(ctx context.Context, queries *UserGrantsQueries, shouldTriggerBulk bool, permissionCheck domain.PermissionCheck) (*UserGrants, error) {
-	permissionCheckV2 := PermissionV2(ctx, permissionCheck)
-	grants, err := q.userGrants(ctx, queries, shouldTriggerBulk, permissionCheckV2)
+	// removed as permission v2 is not implemented yet for project grant level permissions
+	// permissionCheckV2 := PermissionV2(ctx, permissionCheck)
+	grants, err := q.userGrants(ctx, queries, shouldTriggerBulk, false)
 	if err != nil {
 		return nil, err
 	}
-	if permissionCheck != nil && !authz.GetFeatures(ctx).PermissionCheckV2 {
+	if permissionCheck != nil { // && !authz.GetFeatures(ctx).PermissionCheckV2 {
 		userGrantsCheckPermission(ctx, grants, permissionCheck)
 	}
 	return grants, nil