SECURITY: Move 'UserGetRights' call before application of Session::getAllowedUserRights()
This prevents hook functions from accidentally adding rights that should
be denied based on the session grants.
If some extension really needs to be able to override session grants,
add a new hook where the old call was, with documentation explicitly
warning about the security implications.