From 0f0249abea36f65d53173fb7bfe11d8980526064 Mon Sep 17 00:00:00 2001
From: Karl Persson <kalle.persson@grafana.com>
Date: Thu, 30 Nov 2023 16:32:04 +0100
Subject: [PATCH] RBAC: Fix filter so that check for access on service account
 is correct (#78907)

Fix filter so that check for access on service account is in correct place
---
 pkg/services/accesscontrol/resourcepermissions/store.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/services/accesscontrol/resourcepermissions/store.go b/pkg/services/accesscontrol/resourcepermissions/store.go
index 21c706d92d2..5722cbc2a00 100644
--- a/pkg/services/accesscontrol/resourcepermissions/store.go
+++ b/pkg/services/accesscontrol/resourcepermissions/store.go
@@ -393,14 +393,14 @@ func (s *store) getResourcePermissions(sess *db.Session, orgID int64, query GetR
 			return nil, err
 		}
 
-		filter := "(" + userFilter.Where + " AND NOT u.is_service_account)"
+		filter := "((" + userFilter.Where + " AND NOT u.is_service_account)"
 
 		saFilter, err := accesscontrol.Filter(query.User, "u.id", "serviceaccounts:id:", serviceaccounts.ActionRead)
 		if err != nil {
 			return nil, err
 		}
 
-		filter += " OR (" + saFilter.Where + " AND u.is_service_account)"
+		filter += " OR (" + saFilter.Where + " AND u.is_service_account))"
 
 		userQuery += " AND " + filter
 		args = append(args, userFilter.Args...)