From f84b89f6565307d80f2d67868fccdd6fd3754dbb Mon Sep 17 00:00:00 2001
From: Iraq Jaber
Date: Fri, 21 Mar 2025 09:28:04 +0400
Subject: [PATCH] fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! Merge branch 'main' into syste-users-permissions

---
 cmd/mirror/projections.go | 5 +++--
 internal/query/permission.go | 2 +-
 internal/query/user.go | 2 +-
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/cmd/mirror/projections.go b/cmd/mirror/projections.go
index e347a7b9f6..4c7aa7e305 100644
--- a/cmd/mirror/projections.go
+++ b/cmd/mirror/projections.go
@@ -84,6 +84,7 @@ type ProjectionsConfig struct {
 ExternalDomain string
 ExternalSecure bool
 InternalAuthZ internal_authz.Config
+ SystemAuthZ internal_authz.Config
 SystemDefaults systemdefaults.SystemDefaults
 Telemetry *handlers.TelemetryPusherConfig
 Login login.Config
@@ -147,7 +148,7 @@ func projections(
 sessionTokenVerifier,
 func(q *query.Queries) domain.PermissionCheck {
 return func(ctx context.Context, permission, orgID, resourceID string) (err error) {
- return internal_authz.CheckPermission(ctx, &authz_es.UserMembershipRepo{Queries: q}, nil, config.InternalAuthZ.RolePermissionMappings, permission, orgID, resourceID)
+ return internal_authz.CheckPermission(ctx, &authz_es.UserMembershipRepo{Queries: q}, config.SystemAuthZ.RolePermissionMappings, config.InternalAuthZ.RolePermissionMappings, permission, orgID, resourceID)
 }
 },
 0,
@@ -184,7 +185,7 @@ func projections(
 keys.Target,
 &http.Client{},
 func(ctx context.Context, permission, orgID, resourceID string) (err error) {
- return internal_authz.CheckPermission(ctx, authZRepo, nil, config.InternalAuthZ.RolePermissionMappings, permission, orgID, resourceID)
+ return internal_authz.CheckPermission(ctx, authZRepo, config.SystemAuthZ.RolePermissionMappings, config.InternalAuthZ.RolePermissionMappings, permission, orgID, resourceID)
 },
 sessionTokenVerifier,
 config.OIDC.DefaultAccessTokenLifetime,
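Review bot: In the `PermissionCheck` closure of the `-147,7 +148,7` hunk, the system and internal role mappings are now passed to `internal_authz.CheckPermission` as two adjacent positional arguments, and the same call is repeated in the `-184,7 +185,7` hunk; the two are presumably the same type, so a swapped order would still compile and evaluate permissions against the wrong role table. Confirm the order against the `CheckPermission` signature (not visible in this patch) and add a comment above each call such as `// system-user role mappings first, then instance role mappings`. The new `SystemAuthZ` field in `ProjectionsConfig` has no visible default or validation: if the mirror configuration leaves it unset, `RolePermissionMappings` is nil and both calls behave as they did with the literal `nil`, so it is worth checking at startup that the mappings are populated. Both closures sit inside `projections(`, whose body starts and ends outside these hunks.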
diff --git a/internal/query/permission.go b/internal/query/permission.go
index b1ea0b72fe..712bf1536e 100644
--- a/internal/query/permission.go
+++ b/internal/query/permission.go
@@ -35,7 +35,7 @@ func wherePermittedOrgs(ctx context.Context, query sq.SelectBuilder, filterOrgId
 var err error
 systemUserPermissionsJson, err = json.Marshal(systemUserPermissions)
 if err != nil {
- return query, zerrors.ThrowInternal(err, "AUTHZ-HS4us", "Errors.Internal")
+ return query, err
 }
 }
 
diff --git a/internal/query/user.go b/internal/query/user.go
index acee7d1406..724ccead68 100644
--- a/internal/query/user.go
+++ b/internal/query/user.go
@@ -657,7 +657,7 @@ func (q *Queries) searchUsers(ctx context.Context, queries *UserSearchQueries, f
 if permissionCheckV2 {
 query, err = wherePermittedOrgsOrCurrentUser(ctx, query, filterOrgIds, UserResourceOwnerCol.identifier(), UserIDCol.identifier(), domain.PermissionUserRead)
 if err != nil {
- return nil, err
+ return nil, zerrors.ThrowInternal(err, "AUTHZ-HS4us", "Errors.Internal")
 }
 }
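Review bot: `wherePermittedOrgs` now returns the raw `json.Marshal` error, so any caller other than `searchUsers` (none is visible in this patch) receives an error with no ID and no `Errors.Internal` message key. If such an error can reach an API response, the unwrapped text may expose internal detail to the client; either keep the wrap at the source, `return query, zerrors.ThrowInternal(err, "AUTHZ-HS4us", "Errors.Internal")`, or make sure every caller wraps it. The function body starts and ends outside the hunk.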
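Review bot: The wrap added in `searchUsers` turns every error returned by `wherePermittedOrgsOrCurrentUser` into an internal error, not only the marshal failure it was moved from. If that helper can return an already classified error, such as a permission or authentication failure (not visible here), callers would now see `Errors.Internal` instead, which hides the authorization outcome from clients and from monitoring; consider passing classified errors through and wrapping only unclassified ones. The ID `AUTHZ-HS4us` is carried over from `permission.go`, so a fresh ID plus a comment like `// wraps failures while building the permitted-orgs filter` would make log searches land on this call site. The body of `searchUsers` continues outside the hunk.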