lakeFS
Report required permission(s) when authorization fails
Currently authorization simply fails the request. Add to this response the missing permission(s).
Why do this?
We see that users who fail to perform some action are unsure what to do. This is an easy response.
Is this safe?
- This is an authenticated user - they can know their permissions simply by trying to do stuff.
- Required permissions are known to attackers - even if our docs are out of date, pkg/api/controller.go is the open source of truth.
Alternatives
- Report only the first missing permission. This is slightly easier to code.
- Report all required permissions. This avoids giving the user any information about their permissions.
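
The three reporting options above, side by side, as an added example that is not part of the original issue and is not lakeFS code. The `Permission` type, the report modes, the message text and the sample action and resource names are all hypothetical.

```go
package main

import "fmt"

// Permission is a hypothetical (action, resource) pair, not a lakeFS type.
type Permission struct{ Action, Resource string }
// ReportMode selects which option from the issue shapes the denial response.
type ReportMode int
const (
	ReportMissing      ReportMode = iota // proposal: every missing permission
	ReportFirstMissing                   // alternative: first missing one only
	ReportAllRequired                    // alternative: everything the call requires
)

// Authorize returns whether access is allowed and, on denial, what to report.
func Authorize(granted map[Permission]bool, required []Permission, mode ReportMode) (bool, []Permission) {
	var missing []Permission
	for _, p := range required {
		if !granted[p] { // exact match only; wildcard matching is out of scope here
			missing = append(missing, p)
		}
	}
	if len(missing) == 0 {
		return true, nil
	}
	switch mode {
	case ReportFirstMissing:
		return false, missing[:1]
	case ReportAllRequired:
		// Same list for every caller, so it says nothing about their grants.
		return false, append([]Permission(nil), required...)
	}
	return false, missing
}
// DenialMessage renders the text added to the failed response.
func DenialMessage(report []Permission) string {
	msg := "insufficient permissions; required:"
	for _, p := range report {
		msg += fmt.Sprintf(" %s on %s;", p.Action, p.Resource)
	}
	return msg
}

func main() {
	granted := map[Permission]bool{{"example:Read", "res/a"}: true} // constructed
	required := []Permission{{"example:Read", "res/a"}, {"example:Write", "res/a"}}
	_, report := Authorize(granted, required, ReportMissing)
	fmt.Println(DenialMessage(report))
}
```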