diff --git a/inc/auth.php b/inc/auth.php
index be6b7ebbe4a21191937ef4423ea6f19d0cd15c3e..1c0bf5b4fef7bfe43d8cf6e63bef80780566e6a1 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -136,22 +136,30 @@ function auth_loadACL() {
 
     $acl = file($config_cascade['acl']['default']);
 
-    //support user wildcard
     $out = array();
     foreach($acl as $line) {
         $line = trim($line);
         if($line{0} == '#') continue;
         list($id,$rest) = preg_split('/\s+/',$line,2);
 
+        // substitue user wildcard first (its 1:1)
+        if(strstr($line, '%USER%')){
+            // if user is not logged in, this ACL line is meaningless - skip it
+            if (!isset($_SERVER['REMOTE_USER'])) continue;
+
+            $id   = str_replace('%USER%',cleanID($_SERVER['REMOTE_USER']),$id);
+            $rest = str_replace('%USER%',auth_nameencode($_SERVER['REMOTE_USER']),$rest);
+        }
+
+        // substitute group wildcard (its 1:m)
         if(strstr($line, '%GROUP%')){
+            // if user is not logged in, grps is empty, no output will be added (i.e. skipped)
             foreach((array) $USERINFO['grps'] as $grp){
                 $nid   = str_replace('%GROUP%',cleanID($grp),$id);
                 $nrest = str_replace('%GROUP%','@'.auth_nameencode($grp),$rest);
                 $out[] = "$nid\t$nrest";
             }
         } else {
-            $id   = str_replace('%USER%',cleanID($_SERVER['REMOTE_USER']),$id);
-            $rest = str_replace('%USER%',auth_nameencode($_SERVER['REMOTE_USER']),$rest);
             $out[] = "$id\t$rest";
         }
     }