web: Log in the user before checking the XSRF cookie
authorMichael Tremer <michael.tremer@ipfire.org>
Sun, 26 Jan 2025 12:05:49 +0000 (12:05 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Sun, 26 Jan 2025 12:05:49 +0000 (12:05 +0000)
In case the cookie validation fails, we need to be able to send an error
message which accesses current_user.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/web/base.py

index 8b9104c498a79e83d8103e1e4ee012762ee691eb..beeedd48b684c2b6fe79c6e95ad87f83217aab31 100644 (file)
@@ -383,13 +383,13 @@ class BaseHandler(tornado.web.RequestHandler):
                                k : self.decode_argument(v, name=k) for (k, v) in kwargs.items()
                        }
 
+                       # Automatically log the user
+                       self.current_user = await self.get_current_user()
+
                        # Check the XSRF cookie
                        if not self.request.method in ("GET", "HEAD", "OPTIONS"):
                                self.check_xsrf_cookie()
 
-                       # Automatically log the user
-                       self.current_user = await self.get_current_user()
-
                        # Prepare the request
                        result = self.prepare()
                        if result:
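Review bot: The comment on the moved `self.current_user = await self.get_current_user()` does not say why it must come before `check_xsrf_cookie()`, so a later cleanup could move it back. I would write `# Log in the user first: the error response for a failed XSRF check reads current_user`. With this order, the user lookup now runs on every request that is not GET/HEAD/OPTIONS before its XSRF token has been verified. `get_current_user()` is not visible in this hunk, so it is worth confirming that it only reads state (no session refresh or other write), and that an exception raised inside it still rejects the request rather than skipping the XSRF check. The enclosing method starts and ends outside the hunk.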