From 80797e97d7f48d9216c1464e7ced8df53b79100b Mon Sep 17 00:00:00 2001
From: Isaac Connor <isaac@zoneminder.com>
Date: Mon, 20 Feb 2023 10:16:44 -0500
Subject: [PATCH] Move actions process to after the unauth check.  In the past
 the action did the logging in but that is no longer the case.  We can now
 assume in actions that the user is at least logged in.

---
 web/index.php | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/web/index.php b/web/index.php
index 85a1eaf4d..014a72126 100644
--- a/web/index.php
+++ b/web/index.php
@@ -212,15 +212,6 @@ if (
   csrf_check();
 }
 
-# Need to include actions because it does auth
-if ( $action and $view and !$request ) {
-  if ( file_exists('includes/actions/'.$view.'.php') ) {
-    require_once('includes/actions/'.$view.'.php');
-  } else {
-    ZM\Warning("No includes/actions/$view.php for action $action");
-  }
-}
-
 # If I put this here, it protects all views and popups, but it has to go after actions.php because actions.php does the actual logging in.
 if ( ZM_OPT_USE_AUTH and (!isset($user)) and ($view != 'login') and ($view != 'none') ) {
   if ($request) {
@@ -239,6 +230,15 @@ if ( ZM_OPT_USE_AUTH and (!isset($user)) and ($view != 'login') and ($view != 'n
   $request = null;
 }
 
+# Need to include actions because it does auth
+if ( $action and $view and !$request ) {
+  if ( file_exists('includes/actions/'.$view.'.php') ) {
+    require_once('includes/actions/'.$view.'.php');
+  } else {
+    ZM\Debug("No includes/actions/$view.php for action $action");
+  }
+}
+
 if ( isset($_REQUEST['redirect']) ) {
   $redirect = '?view='.detaintPath($_REQUEST['redirect']);
 }