controllers: return 400 instead of 403 for GET requests with body.

Fix for 3184e77de. Return 400 Bad Request instead of 403 Forbidden for
GET requests with a body.
evazion
2022-09-22 00:57:17 -05:00
parent a229a6f5c4
commit 84ebef8c71
2 changed files with 4 additions and 4 deletions


@@ -118,12 +118,12 @@ class ApplicationController < ActionController::Base
render_error_page(500, exception, template: "static/search_timeout", message: "The database timed out running your query.")
when ActionController::BadRequest
render_error_page(400, exception, message: exception.message)
when RequestBodyNotAllowedError
render_error_page(400, exception, message: "Request body not allowed for #{request.method} request")
when SessionLoader::AuthenticationFailure
render_error_page(401, exception, message: exception.message, template: "sessions/new")
when ActionController::InvalidAuthenticityToken, ActionController::UnpermittedParameters, ActionController::InvalidCrossOriginRequest, ActionController::Redirecting::UnsafeRedirectError
render_error_page(403, exception, message: exception.message)
when RequestBodyNotAllowedError
render_error_page(403, exception, message: "Request body not allowed for #{request.method} request")
when ActiveSupport::MessageVerifier::InvalidSignature, # raised by `find_signed!`
User::PrivilegeError,
Pundit::NotAuthorizedError
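Review bot: The relocated `when RequestBodyNotAllowedError` branch has no comment explaining why a request body is rejected or why this is a 400 rather than a 403. A line above it such as `# A body on a method that must not carry one is a malformed request (400), not an authorization failure (403).` would keep the next reader from moving it back into the 403 group. The branch now sits directly after `when ActionController::BadRequest`, and `case` takes the first matching `when`. If `RequestBodyNotAllowedError` were ever made a subclass of `ActionController::BadRequest`, this branch would become unreachable and the page would show `exception.message` instead of the fixed string; the class definition is not visible here, so this is worth confirming. Any log or alert rule that counted these rejections as 403s will need to match 400 after this change. The `case` statement starts and ends outside the hunk.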