Move actions process to after the unauth check. In the past the action did the logging in but that is no longer the case. We can now assume in actions that the user is at least logged in.

web/index.php

@@ -212,15 +212,6 @@ if (
   csrf_check();
 }
 
-# Need to include actions because it does auth
-if ( $action and $view and !$request ) {
-  if ( file_exists('includes/actions/'.$view.'.php') ) {
-    require_once('includes/actions/'.$view.'.php');
-  } else {
-    ZM\Warning("No includes/actions/$view.php for action $action");
-  }
-}
-
 # If I put this here, it protects all views and popups, but it has to go after actions.php because actions.php does the actual logging in.
 if ( ZM_OPT_USE_AUTH and (!isset($user)) and ($view != 'login') and ($view != 'none') ) {
   if ($request) {
@@ -239,6 +230,15 @@ if ( ZM_OPT_USE_AUTH and (!isset($user)) and ($view != 'login') and ($view != 'n
   $request = null;
 }
 
+# Need to include actions because it does auth
+if ( $action and $view and !$request ) {
+  if ( file_exists('includes/actions/'.$view.'.php') ) {
+    require_once('includes/actions/'.$view.'.php');
+  } else {
+    ZM\Debug("No includes/actions/$view.php for action $action");
+  }
+}
+
 if ( isset($_REQUEST['redirect']) ) {
   $redirect = '?view='.detaintPath($_REQUEST['redirect']);
 }