From bcd92f500f1b0ae4fb88c696a5300e8e51cfe15d Mon Sep 17 00:00:00 2001
From: Lucas Druschke <ldruschk@posteo.de>
Date: Wed, 29 Apr 2020 22:40:46 +0200
Subject: [PATCH] return errorForbidden when anonymous user tries to create
 freeUrl pad (closes #1499)

Signed-off-by: Lucas Druschke <ldruschk@posteo.de>
---
 lib/note/index.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/note/index.js b/lib/note/index.js
index be18bc4f..b9b7c9e3 100644
--- a/lib/note/index.js
+++ b/lib/note/index.js
@@ -61,6 +61,8 @@ async function showNote (req, res) {
     // if allow free url enable, auto create note
     if (!config.allowFreeURL || config.forbiddenNoteIDs.includes(noteId)) {
       return errorNotFound(req, res)
+    } else if (!config.allowAnonymous && !userId) {
+      return errorForbidden(req, res)
     }
     note = await createNote(userId, noteId)
   }