diff --git a/core/modules/node/lib/Drupal/node/NodeGrantDatabaseStorage.php b/core/modules/node/lib/Drupal/node/NodeGrantDatabaseStorage.php
index a7847d69123b5c9da11751e2f713e0ee9389ec3b..9503713396b63f282a19aa162496c94f466c6dee 100644
--- a/core/modules/node/lib/Drupal/node/NodeGrantDatabaseStorage.php
+++ b/core/modules/node/lib/Drupal/node/NodeGrantDatabaseStorage.php
@@ -9,6 +9,7 @@
 
 use Drupal\Core\Database\Connection;
 use Drupal\Core\Database\Query\SelectInterface;
+use Drupal\Core\Database\Query\Condition;
 use Drupal\Core\Entity\ContentEntityBase;
 use Drupal\Core\Extension\ModuleHandlerInterface;
 use Drupal\Core\Session\AccountInterface;
@@ -79,14 +80,7 @@ public function access(NodeInterface $node, $operation, $langcode, AccountInterf
     $query->condition($nids);
     $query->range(0, 1);
 
-    $grants = $query->orConditionGroup();
-    foreach (node_access_grants($operation, $account) as $realm => $gids) {
-      foreach ($gids as $gid) {
-        $grants->condition(db_and()
-            ->condition('gid', $gid)
-            ->condition('realm', $realm));
-      }
-    }
+    $grants = static::buildGrantsQueryCondition(node_access_grants($operation, $account));
 
     if (count($grants) > 0) {
       $query->condition($grants);
@@ -105,15 +99,8 @@ public function checkAll(AccountInterface $account) {
       ->condition('nid', 0)
       ->condition('grant_view', 1, '>=');
 
-    $grants = db_or();
-    foreach (node_access_grants('view', $account) as $realm => $gids) {
-      foreach ($gids as $gid) {
-        $grants->condition(db_and()
-            ->condition('gid', $gid)
-            ->condition('realm', $realm)
-        );
-      }
-    }
+    $grants = static::buildGrantsQueryCondition(node_access_grants('view', $account));
+
     if (count($grants) > 0 ) {
       $query->condition($grants);
     }
@@ -139,17 +126,9 @@ public function alterQuery($query, array $tables, $op, AccountInterface $account
         $subquery = $this->database->select('node_access', 'na')
           ->fields('na', array('nid'));
 
-        $grant_conditions = db_or();
         // If any grant exists for the specified user, then user has access to the
         // node for the specified operation.
-        foreach ($grants as $realm => $gids) {
-          foreach ($gids as $gid) {
-            $grant_conditions->condition(db_and()
-                ->condition('na.gid', $gid)
-                ->condition('na.realm', $realm)
-            );
-          }
-        }
+        $grant_conditions = static::buildGrantsQueryCondition($grants);
 
         // Attach conditions to the subquery for nodes.
         if (count($grant_conditions->conditions())) {
@@ -264,4 +243,29 @@ public function deleteNodeRecords(array $nids) {
       ->execute();
   }
 
+  /**
+   * Creates a query condition from an array of node access grants.
+   *
+   * @param array $node_access_grants
+   *   An array of grants, as returned by node_access_grants().
+   * @return \Drupal\Core\Database\Query\Condition
+   *   A condition object to be passed to $query->condition().
+   *
+   * @see node_access_grants()
+   */
+  static function buildGrantsQueryCondition(array $node_access_grants) {
+    $grants = new Condition("OR");
+    foreach ($node_access_grants as $realm => $gids) {
+      if (!empty($gids)) {
+        $and = new Condition('AND');
+        $grants->condition($and
+          ->condition('gid', $gids, 'IN')
+          ->condition('realm', $realm)
+        );
+      }
+    }
+
+    return $grants;
+  }
+
 }