Diffstat (limited to 'server')
-rw-r--r--server/index.js4
-rw-r--r--server/lib/api/collaborator.js4
-rw-r--r--server/lib/views.js2
3 files changed, 6 insertions, 4 deletions
diff --git a/server/index.js b/server/index.js
index 212db01..e946788 100644
--- a/server/index.js
+++ b/server/index.js
@@ -125,8 +125,8 @@ site.route = function () {
app.get('/project', middleware.ensureAuthenticated, views.modal)
app.get('/project/new', middleware.ensureAuthenticated, views.modal)
app.get('/project/new/:layout', middleware.ensureAuthenticated, views.editor_new)
- app.get('/project/:slug', middleware.ensureProject, views.reader)
- app.get('/project/:slug/view', middleware.ensureProject, views.reader)
+ app.get('/project/:slug', middleware.ensureProject, middleware.ensureIsCollaborator, views.reader)
+ app.get('/project/:slug/view', middleware.ensureProject, middleware.ensureIsCollaborator, views.reader)
app.get('/project/:slug/edit', middleware.ensureProject, middleware.ensureIsCollaborator, views.editor)
app.get('/api/layout', middleware.ensureAuthenticated, api.layouts.index)
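Review bot: `middleware.ensureIsCollaborator` is now used for two different jobs, and its definition is outside this diff, so it is unclear which one it performs: on `/project/:slug/edit` it reads as an access gate, while on the two reader routes it appears to exist only to populate `req.isOwner` / `req.isCollaborator` for `views.reader`. If it rejects non-collaborators, these two lines make every project unreadable to everyone else; if it only sets flags and calls `next()`, then `/edit` has no server-side enforcement from it. I would state the contract in a comment above the reader routes, e.g. `// ensureIsCollaborator only sets req.isOwner / req.isCollaborator here; it must not reject`, or split it into a flag-setting middleware and a separate rejecting one for `/edit`. The reader routes also lack `middleware.ensureAuthenticated`, so the middleware has to cope with a missing `req.user` if anonymous reading is intended.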
diff --git a/server/lib/api/collaborator.js b/server/lib/api/collaborator.js
index 4b55f09..f39022f 100644
--- a/server/lib/api/collaborator.js
+++ b/server/lib/api/collaborator.js
@@ -54,9 +54,9 @@ var collaborator = {
return res.json({ error: "can't find project" })
}
var data = util.cleanQuery(req.body)
- delete data.user_id
-
+ data.email = util.sanitize( data.email )
data.project_id = req.project._id
+ delete data.user_id
Collaborator.makeNonce(function(nonce){
data.nonce = nonce
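Review bot: `data` is still the whole client-supplied body with a single field removed, so the caller can set any other attribute the Collaborator model accepts; `delete data.user_id` is a denylist of one. An allowlist is safer, building the record from known fields only, e.g. `var data = { email: util.sanitize(util.cleanQuery(req.body).email), project_id: req.project._id }`. Separately, `util.sanitize( data.email )` runs before any check that `email` is present and is a string, and sanitising is not the same as validating an address that an invitation will presumably be sent to. `util.sanitize` is not visible here, so confirm how it handles `undefined` or a non-string value. The handler begins and ends outside this hunk.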
diff --git a/server/lib/views.js b/server/lib/views.js
index 4faf80f..7137041 100644
--- a/server/lib/views.js
+++ b/server/lib/views.js
@@ -57,6 +57,8 @@ views.reader = function (req, res) {
date: moment(req.project.updated_at).format("M/DD/YYYY"),
author: user.displayName,
authorlink: "/profile/" + user.username,
+ canEdit: req.isOwner || req.isCollaborator,
+ editlink: "/project/" + req.project.slug + "/edit",
noui: !! (req.query.noui === '1'),
})
})
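Review bot: `editlink` concatenates `req.project.slug` into a URL path without encoding, and the template that renders it is not part of this diff. Unless slugs are restricted to URL-safe characters when a project is created, this should be `editlink: "/project/" + encodeURIComponent(req.project.slug) + "/edit",`. `canEdit` only shows or hides the link, so the access decision still has to be enforced by the middleware on `/project/:slug/edit`. It also evaluates to `undefined` when neither flag is set, and `canEdit: !!(req.isOwner || req.isCollaborator),` would match the style of the `noui` line below. `views.reader` begins and ends outside the hunk.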