authorJacek Tomasiak <jacek.tomasiak@gmail.com>2020-03-12 21:50:49 +0100
committerJacek Tomasiak <jacek.tomasiak@gmail.com>2020-04-01 10:15:00 +0000
commitd523376c91d1a59066f5df2d25958c899063b4b1 (patch)
tree95bc32e103fce9db7cfeccabde961cfb1bd4363b
parent5b8f7548c54187e8c5cf4c1a5d22db13d44c24dc (diff)
Authenticate before Authorization
When a user is not logged in and the given Dashboard has some `permissions` defined, the `require_perms` decorator was raising `NotAuthorized('You are not authorized to access %s')` instead of `NotAuthenticated('Please log in to continue.')`. This was caused by the order in which the views were decorated. The decorator which is applied last is called first in the chain, as it wraps the decorators which were applied before it. This means that to check for authentication before checking permissions we need to apply the `require_auth` decorator after `require_perms`. Closes-Bug: 1869708 Change-Id: I94d3fa5c1472bb72c9111cab14c6e05180f88589 (cherry picked from commit e4fd69292c4a8340eba33f5c9d516796472e9269)
-rw-r--r--horizon/base.py6
1 files changed, 3 insertions, 3 deletions
diff --git a/horizon/base.py b/horizon/base.py
index 2fe3bffc7..1112d6c6d 100644
--- a/horizon/base.py
+++ b/horizon/base.py
@@ -564,13 +564,13 @@ class Dashboard(Registry, HorizonComponent):
urlpatterns.append(
url(r'', _wrapped_include(default_panel._decorated_urls)))
- # Require login if not public.
- if not self.public:
- _decorate_urlconf(urlpatterns, require_auth)
# Apply access controls to all views in the patterns
permissions = getattr(self, 'permissions', [])
_decorate_urlconf(urlpatterns, require_perms, permissions)
_decorate_urlconf(urlpatterns, _current_component, dashboard=self)
+ # Require login if not public.
+ if not self.public:
+ _decorate_urlconf(urlpatterns, require_auth)
# Return the three arguments to django.conf.urls.include
return urlpatterns, self.slug, self.slug
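Review bot: The comment kept on the moved block, `# Require login if not public.`, does not say that its position is what makes authentication run before the permission check, so a later reordering of these `_decorate_urlconf` calls would silently bring back the NotAuthorized-for-anonymous-users behaviour. I would extend it to something like `# Require login if not public. Must stay last: the decorator applied last wraps the others and runs first, so require_auth is checked before require_perms.` The commit changes only horizon/base.py, so nothing pins the order; a test that requests a non-public dashboard with `permissions` set as an anonymous user and expects NotAuthenticated would catch a regression. The enclosing method starts above the hunk, so whether other users of `require_perms` in this file need the same ordering cannot be judged from here.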