diff --git a/src/handlers/auth_handler.cr b/src/handlers/auth_handler.cr
index 1db4376..3f094eb 100644
--- a/src/handlers/auth_handler.cr
+++ b/src/handlers/auth_handler.cr
@@ -74,10 +74,17 @@ class AuthHandler < Kemal::Handler
     end
     if request_path_startswith env, ["/admin", "/api/admin", "/download"]
-      unless validate_token_admin(env) ||
-             Storage.default.username_is_admin Config.current.default_username
-        env.response.status_code = 403
+      # The token (if exists) takes precedence over the default user option.
+      # this is why we check the default username first before checking the
+      # token.
+      should_reject = true
+      if Storage.default.username_is_admin Config.current.default_username
+        should_reject = false
       end
+      if env.session.string? "token"
+        should_reject = !validate_token_admin(env)
+      end
+      env.response.status_code = 403 if should_reject
     end
     call_next env
diff --git a/src/util/web.cr b/src/util/web.cr
index 647a536..504bbaa 100644
--- a/src/util/web.cr
+++ b/src/util/web.cr
@@ -4,13 +4,16 @@ macro layout(name)
   base_url = Config.current.base_url
   begin
     is_admin = false
-    if token = env.session.string? "token"
-      is_admin = @context.storage.verify_admin token
-    end
+    # The token (if exists) takes precedence over the default user option.
+    # this is why we check the default username first before checking the
+    # token.
     if Config.current.disable_login
       is_admin = @context.storage.
         username_is_admin Config.current.default_username
     end
+    if token = env.session.string? "token"
+      is_admin = @context.storage.verify_admin token
+    end
     page = {{name}}
     render "src/views/#{{{name}}}.html.ecr", "src/views/layout.html.ecr"
   rescue e
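Review bot: The default-user admin grant in the auth_handler.cr hunk (`if Storage.default.username_is_admin Config.current.default_username`) is applied unconditionally, whereas the web.cr hunk in the same commit gates the identical grant behind `Config.current.disable_login`; so a request to `/admin` that carries no session token is granted here on the strength of the default username alone, unless something earlier in `call` (outside this hunk) already rejects token-less requests when login is enabled — that gating is not visible here and should be confirmed. Because the enforcement path and the view's `is_admin` now encode the same precedence rule in two places with different conditions, moving both into one helper (e.g. a method on Storage that takes the optional token and returns whether the caller is admin) would keep them from drifting. As written, the `should_reject` dance also only works because of statement order, which the comment has to explain; `should_reject = env.session.string?("token") ? !validate_token_admin(env) : !Storage.default.username_is_admin(Config.current.default_username)` states the precedence directly. The enclosing `call` method starts before this hunk, and whether the 403 short-circuits before `call_next env` depends on code not shown.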
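Review bot: In the web.cr hunk the two `if` blocks rely on execution order to implement "token wins", and the three-line comment exists only to warn the next maintainer not to reorder them; an `if`/`elsif` expresses the precedence structurally so no comment about ordering is needed. Note this keeps the current behavior, including that a session token which fails `verify_admin` yields `is_admin = false` even when the default user is an admin — if that is intended, a short comment saying so (`# a present-but-invalid token is never upgraded by the default-user grant`) is more useful than the ordering note. `layout` is a macro whose body continues past this hunk.
```crystal
    is_admin = false
    # A session token, when present, decides admin status; the default-user
    # grant only applies when no token is in the session.
    if token = env.session.string? "token"
      is_admin = @context.storage.verify_admin token
    elsif Config.current.disable_login
      is_admin = @context.storage.username_is_admin(Config.current.default_username)
    end
    # … unchanged: page assignment and render …
```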