return FORBIDDEN if $session->user->anonymous;