dashfolders: fixes #10820

pkg/services/sqlstore/dashboard.go

@@ -363,10 +363,10 @@ func GetFoldersForSignedInUser(query *m.GetFoldersForSignedInUserQuery) error {
 
 	if query.SignedInUser.OrgRole == m.ROLE_ADMIN {
 		sql := `SELECT distinct d.id, d.title
-		FROM dashboard AS d WHERE d.is_folder = ?
+		FROM dashboard AS d WHERE d.is_folder = ? AND d.org_id = ?
 		ORDER BY d.title ASC`
 
-		err = x.Sql(sql, dialect.BooleanStr(true)).Find(&query.Result)
+		err = x.Sql(sql, dialect.BooleanStr(true), query.OrgId).Find(&query.Result)
 	} else {
 		params := make([]interface{}, 0)
 		sql := `SELECT distinct d.id, d.title

pkg/services/sqlstore/dashboard_folder_test.go

@@ -219,13 +219,14 @@ func TestDashboardFolderDataAccess(t *testing.T) {
 
 			folder1 := insertTestDashboard("1 test dash folder", 1, 0, true, "prod")
 			folder2 := insertTestDashboard("2 test dash folder", 1, 0, true, "prod")
+			insertTestDashboard("folder in another org", 2, 0, true, "prod")
 
 			adminUser := createUser("admin", "Admin", true)
 			editorUser := createUser("editor", "Editor", false)
 			viewerUser := createUser("viewer", "Viewer", false)
 
 			Convey("Admin users", func() {
-				Convey("Should have write access to all dashboard folders", func() {
+				Convey("Should have write access to all dashboard folders in their org", func() {
 					query := m.GetFoldersForSignedInUserQuery{
 						OrgId:        1,
 						SignedInUser: &m.SignedInUser{UserId: adminUser.Id, OrgRole: m.ROLE_ADMIN},