diff --git a/modules/base/tool_test.go b/modules/base/tool_test.go
index 62de7229ac..cc9d869a18 100644
--- a/modules/base/tool_test.go
+++ b/modules/base/tool_test.go
@@ -46,8 +46,9 @@ func TestBasicAuthDecode(t *testing.T) {
 func TestVerifyTimeLimitCode(t *testing.T) {
 	defer test.MockVariableValue(&setting.InstallLock, true)()
 	initGeneralSecret := func(secret string) {
-		setting.InstallLock = true
 		setting.CfgProvider, _ = setting.NewConfigProviderFromData(fmt.Sprintf(`
+[security]
+INSTALL_LOCK=true
 [oauth2]
 JWT_SECRET = %s
 `, secret))
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index f056fbfc6c..7ee2b1b07e 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -121,8 +121,8 @@ func loadCommonSettingsFrom(cfg ConfigProvider) error {
 
 	mustCurrentRunUserMatch(cfg) // it depends on the SSH config, only non-builtin SSH server requires this check
 
-	loadOAuth2From(cfg)
 	loadSecurityFrom(cfg)
+	loadOAuth2From(cfg)
 	if err := loadAttachmentFrom(cfg); err != nil {
 		return err
 	}