diff --git a/agent/post/account.php b/agent/post/account.php
index d0e5626c..cd776049 100644
--- a/agent/post/account.php
+++ b/agent/post/account.php
@@ -7,10 +7,12 @@
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_account'])) {
-
- enforceUserPermission('module_financial', 2);
+
validateCSRFToken($_POST['csrf_token']);
+ enforceUserPermission('module_financial', 2);
+
+
$name = sanitizeInput($_POST['name']);
$opening_balance = floatval($_POST['opening_balance']);
$currency_code = sanitizeInput($_POST['currency_code']);
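Review bot: `validateCSRFToken($_POST['csrf_token'])` reads the key unconditionally, so a request that omits the field emits an undefined-array-key warning before the helper gets a chance to reject it; `validateCSRFToken($_POST['csrf_token'] ?? '');` keeps the missing-token case on the same rejection path, on the assumption that validateCSRFToken treats an empty token as invalid (worth confirming in its definition). The same unguarded read appears in the edit_account, archive_account and delete_account hunks below. Separately, the two blank lines added after enforceUserPermission leave a double-blank gap; one is enough. The add_account block continues past the end of the hunk.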
@@ -27,10 +29,11 @@ if (isset($_POST['add_account'])) {
}
if (isset($_POST['edit_account'])) {
-
- enforceUserPermission('module_financial', 2);
+
validateCSRFToken($_POST['csrf_token']);
+ enforceUserPermission('module_financial', 2);
+
$account_id = intval($_POST['account_id']);
$name = sanitizeInput($_POST['name']);
$notes = sanitizeInput($_POST['notes']);
@@ -46,10 +49,11 @@ if (isset($_POST['edit_account'])) {
}
if (isset($_GET['archive_account'])) {
-
- enforceUserPermission('module_financial', 2);
validateCSRFToken($_GET['csrf_token']);
+
+ enforceUserPermission('module_financial', 2);
+
$account_id = intval($_GET['archive_account']);
$account_name = sanitizeInput(getFieldById('accounts', $account_id, 'account_name'));
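Review bot: archive_account is a state-changing action driven by `$_GET`, so the CSRF token the commit now requires travels in the query string, where it ends up in web-server access logs, browser history and outbound Referer headers; that weakens the protection the check is meant to give. Consider moving this action to a POST form, as add_account and edit_account already are, and the same applies to the delete_account hunk below. If the GET form has to stay for now, a comment such as `// TODO: archive via GET leaks the CSRF token in URLs/logs; migrate to POST` would record the known gap. The archive block continues past the end of the hunk.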
@@ -66,7 +70,9 @@ if (isset($_GET['archive_account'])) {
// Not used anywhere?
if (isset($_GET['delete_account'])) {
-
+
+ validateCSRFToken($_GET['csrf_token']);
+
enforceUserPermission('module_financial', 3);
$account_id = intval($_GET['delete_account']);