diff --git a/lauth/app/repositories/grant_repo.rb b/lauth/app/repositories/grant_repo.rb
index 0a5cd2b7..7afcd21c 100644
--- a/lauth/app/repositories/grant_repo.rb
+++ b/lauth/app/repositories/grant_repo.rb
@@ -16,10 +16,18 @@ def for_user_and_uri(username, uri)
           .left_join(users.name.dataset, userid: grants[:userid])
           .left_join(institution_memberships.name.dataset, inst: grants[:inst])
           .where(Sequel.ilike(uri, locations[:dlpsPath]))
-          .where(Sequel.or({
-            users[:userid] => username,
-            institution_memberships[:userid] => username
-          }))
+          .where(
+            Sequel.|(
+              Sequel.&(
+                Sequel.~(users[:userid] => nil),
+                {users[:userid] => username}
+              ),
+              Sequel.&(
+                Sequel.~(institution_memberships[:userid] => nil),
+                {institution_memberships[:userid] => username}
+              )
+            )
+          )
 
         rel = grants.class.new(ds)
         rel.combine(:user, collections: :locations, institutions: {institution_memberships: :users}).to_a
diff --git a/lauth/spec/repositories/grant_repo_spec.rb b/lauth/spec/repositories/grant_repo_spec.rb
index 978406aa..15f959d3 100644
--- a/lauth/spec/repositories/grant_repo_spec.rb
+++ b/lauth/spec/repositories/grant_repo_spec.rb
@@ -54,7 +54,7 @@
   end
 
   context "when authorizing locations within a collection using identity-only authentication" do
-    context "for a member of an authorized institution" do
+    context "with a member of an authorized institution" do
       let!(:collection) { Factory[:collection, :restricted_by_username] }
       let!(:institution) { Factory[:institution] }
       let!(:user) { Factory[:user, userid: "lauth-inst-member"] }
@@ -67,6 +67,24 @@
 
         expect(grant_ids).to contain_exactly(grant.uniqueIdentifier)
       end
+
+      it "finds nothing for a nonmember" do
+        grants = repo.for_user_and_uri("lauth-denied", "/restricted-by-username/")
+
+        expect(grants).to be_empty
+      end
+
+      it "finds nothing for an empty user" do
+        grants = repo.for_user_and_uri("", "/restricted-by-username/")
+
+        expect(grants).to be_empty
+      end
+
+      it "finds nothing for a nil user" do
+        grants = repo.for_user_and_uri(nil, "/restricted-by-username/")
+
+        expect(grants).to be_empty
+      end
     end
   end
 end