From 517f8c00191585ddd6e8d68d66a42f95da75b76e Mon Sep 17 00:00:00 2001
From: Shish <shish@shishnet.org>
Date: Tue, 12 Mar 2024 10:34:13 +0000
Subject: [PATCH] [core] differentiate permission denied due to missing
 permission vs error, see #1103

---
 core/event.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/event.php b/core/event.php
index 65e5cdc0..abf2be83 100644
--- a/core/event.php
+++ b/core/event.php
@@ -217,10 +217,10 @@ class PageRequestEvent extends Event
         // if we matched the method and the path, but the page requires
         // authentication and the user is not authenticated, then complain
         if($authed && $this->is_authed === false) {
-            throw new PermissionDenied("Permission Denied");
+            throw new PermissionDenied("Permission Denied: Missing CSRF Token");
         }
         if($permission !== null && !$user->can($permission)) {
-            throw new PermissionDenied("Permission Denied");
+            throw new PermissionDenied("Permission Denied: {$user->name} lacks permission {$permission}");
         }
 
         return true;