diff --git a/web/index.php b/web/index.php
index 85a1eaf4d..014a72126 100644
--- a/web/index.php
+++ b/web/index.php
@@ -212,15 +212,6 @@ if (
   csrf_check();
 }
 
-# Need to include actions because it does auth
-if ( $action and $view and !$request ) {
-  if ( file_exists('includes/actions/'.$view.'.php') ) {
-    require_once('includes/actions/'.$view.'.php');
-  } else {
-    ZM\Warning("No includes/actions/$view.php for action $action");
-  }
-}
-
 # If I put this here, it protects all views and popups, but it has to go after actions.php because actions.php does the actual logging in.
 if ( ZM_OPT_USE_AUTH and (!isset($user)) and ($view != 'login') and ($view != 'none') ) {
   if ($request) {
@@ -239,6 +230,15 @@ if ( ZM_OPT_USE_AUTH and (!isset($user)) and ($view != 'login') and ($view != 'n
   $request = null;
 }
 
+# Need to include actions because it does auth
+if ( $action and $view and !$request ) {
+  if ( file_exists('includes/actions/'.$view.'.php') ) {
+    require_once('includes/actions/'.$view.'.php');
+  } else {
+    ZM\Debug("No includes/actions/$view.php for action $action");
+  }
+}
+
 if ( isset($_REQUEST['redirect']) ) {
   $redirect = '?view='.detaintPath($_REQUEST['redirect']);
 }