1 files changed, 11 insertions, 4 deletions

diff --git a/lib/response.js b/lib/response.js
index b18fd7a3..d6fb3b42 100644
--- a/lib/response.js
+++ b/lib/response.js
@@ -17,7 +17,13 @@ var utils = require('./utils')
 // public
 var response = {
   errorForbidden: function (res) {
-    responseError(res, '403', 'Forbidden', 'oh no.')
+    const {req} = res
+    if (req.user) {
+      responseError(res, '403', 'Forbidden', 'oh no.')
+    } else {
+      req.flash('error', 'You are not allowed to access this page. Maybe try logging in?')
+      res.redirect(config.serverURL)
+    }
   },
   errorNotFound: function (res) {
     responseError(res, '404', 'Not Found', 'oops.')
@@ -59,7 +65,7 @@ function showIndex (req, res, next) {
     url: config.serverURL,
     useCDN: config.useCDN,
     allowAnonymous: config.allowAnonymous,
-    allowAnonymousEdits: config.allowAnonymousedits,
+    allowAnonymousEdits: config.allowAnonymousEdits,
     facebook: config.isFacebookEnable,
     twitter: config.isTwitterEnable,
     github: config.isGitHubEnable,
@@ -94,7 +100,7 @@ function responseHackMD (res, note) {
     title: title,
     useCDN: config.useCDN,
     allowAnonymous: config.allowAnonymous,
-    allowAnonymousEdits: config.allowAnonymousedits,
+    allowAnonymousEdits: config.allowAnonymousEdits,
     facebook: config.isFacebookEnable,
     twitter: config.isTwitterEnable,
     github: config.isGitHubEnable,
@@ -226,7 +232,8 @@ function showPublishNote (req, res, next) {
         lastchangeuserprofile: note.lastchangeuser ? models.User.getProfile(note.lastchangeuser) : null,
         robots: meta.robots || false, // default allow robots
         GA: meta.GA,
-        disqus: meta.disqus
+        disqus: meta.disqus,
+        cspNonce: res.locals.nonce
       }
       return renderPublish(data, res)
     }).catch(function (err) {