From: Michael Tremer
Date: Sun, 26 Jan 2025 12:05:49 +0000 (+0000)
Subject: web: Log in the user before checking the XSRF cookie
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=14fbe937aec7b7de7ed0af62a79d51526acc4316;p=pbs.git

web: Log in the user before checking the XSRF cookie

In case the cookie validation fails, we need to be able to send an error message which accesses current_user.

Signed-off-by: Michael Tremer
---

diff --git a/src/web/base.py b/src/web/base.py
index 8b9104c4..beeedd48 100644
--- a/src/web/base.py
+++ b/src/web/base.py
@@ -383,13 +383,13 @@ class BaseHandler(tornado.web.RequestHandler):
 k : self.decode_argument(v, name=k) for (k, v) in kwargs.items()
 }
 
+ # Automatically log the user
+ self.current_user = await self.get_current_user()
+
 # Check the XSRF cookie
 if not self.request.method in ("GET", "HEAD", "OPTIONS"):
 self.check_xsrf_cookie()
 
- # Automatically log the user
- self.current_user = await self.get_current_user()
-
 # Prepare the request
 result = self.prepare()
 if result:
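Review bot: The moved `self.current_user = await self.get_current_user()` now runs before `check_xsrf_cookie()`, so the session lookup is performed even for state-changing requests that are about to be rejected as cross-site. get_current_user() is not visible in this hunk, but if it refreshes a session, updates a last-seen timestamp or performs any other write, that side effect is now reachable by a request that fails the XSRF check, so it is worth confirming the call is read-only. The ordering constraint should also be recorded next to the code so the block is not moved back later, e.g. `# Resolve the user first: the error page sent when the XSRF check fails reads current_user`. The added comment also reads better as `# Automatically log in the user`. The enclosing method begins and ends outside the hunk.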