diff --git a/modules/base/tool_test.go b/modules/base/tool_test.go
index b7365e40c4..85d28836f1 100644
--- a/modules/base/tool_test.go
+++ b/modules/base/tool_test.go
@@ -29,8 +29,10 @@ func TestShortSha(t *testing.T) {
 func TestVerifyTimeLimitCode(t *testing.T) {
 	defer test.MockVariableValue(&setting.InstallLock, true)()
 	initGeneralSecret := func(secret string) {
-		setting.InstallLock = true
 		setting.CfgProvider, _ = setting.NewConfigProviderFromData(fmt.Sprintf(`
+[security]
+INTERNAL_TOKEN = dummy
+INSTALL_LOCK = true
 [oauth2]
 JWT_SECRET = %s
 `, secret))
diff --git a/modules/setting/security.go b/modules/setting/security.go
index 743df61681..a1fd0bce2e 100644
--- a/modules/setting/security.go
+++ b/modules/setting/security.go
@@ -109,7 +109,6 @@ func generateSaveInternalToken(rootCfg ConfigProvider) {
 
 func loadSecurityFrom(rootCfg ConfigProvider) {
 	sec := rootCfg.Section("security")
-	InstallLock = HasInstallLock(rootCfg)
 	LogInRememberDays = sec.Key("LOGIN_REMEMBER_DAYS").MustInt(31)
 	SecretKey = loadSecret(sec, "SECRET_KEY_URI", "SECRET_KEY")
 	if SecretKey == "" {
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index dc60d99bd6..f2b6274edc 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -108,6 +108,9 @@ func LoadCommonSettings() {
 
 // loadCommonSettingsFrom loads common configurations from a configuration provider.
 func loadCommonSettingsFrom(cfg ConfigProvider) error {
+	// a lot of logic depends on InstallLock value, so it must be loaded before any other settings
+	InstallLock = HasInstallLock(cfg)
+
 	// WARNING: don't change the sequence except you know what you are doing.
 	loadRunModeFrom(cfg)
 	loadLogGlobalFrom(cfg)