Python, Firefox programming and Irish Whiskey.

Monday, December 27, 2010

Wrong auth logic

I generally use authkit in my Pylons projects for authentication and authorization. I have recently realized that the logic I use is wrong. The thing is that whenever I encounter a user who is authenticated but not authorized, I redirect to a login screen, practically without a word of explanation. Now, that's wrong. Authentication ("who are you?") and authorization ("may you do this?") are two different questions, and they deserve two different answers. I should be showing the login screen only when the user is not authenticated, since logging in is the one thing that can change that outcome; when the user is already logged in but lacks the required permission, logging in again changes nothing, so I should only display an explanatory message (in HTTP terms, a 403 Forbidden rather than a 401 or a bounce to the login form). Now, why am I writing this? Why...? Why? Perhaps so I don't forget, and implement it properly in my next project, this time with repoze.who.
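To make the distinction concrete, here is an added example (my own illustration, not code from this post, from authkit or from repoze.who): a small WSGI middleware written both the wrong way described above and the corrected way. An anonymous visitor is sent to the login form; a signed-in user who lacks the required permission gets a 403 with an explanation instead. `REMOTE_USER` is the conventional environ key that authenticators such as authkit and repoze.who populate after login; the `x-example.permissions` key, `LOGIN_URL`, `admin_app` and the `call` helper are assumptions made for the illustration, and the requests it runs are constructed inline.

```python
"""Added example, not code from the post, from authkit or from repoze.who.

Separates "not authenticated" (show the login form) from "not authorized"
(explain, with a 403).  `x-example.permissions`, LOGIN_URL, admin_app and
call() are hypothetical names for the illustration; REMOTE_USER is the
conventional key an authenticator fills in after login.
"""
import urllib.parse
from wsgiref.util import setup_testing_defaults

LOGIN_URL = "/login"  # hypothetical login page


def _login_redirect(environ, start_response):
    # Browser equivalent of 401: bounce to the form and remember the target.
    came_from = urllib.parse.quote(environ.get("PATH_INFO", "/"), safe="")
    start_response("302 Found", [("Location", f"{LOGIN_URL}?came_from={came_from}"),
                                 ("Content-Type", "text/plain")])
    return [b""]


def require_permission_wrong(app, permission):
    """The logic the post calls wrong: any failure, for any reason, shows the login form."""
    def middleware(environ, start_response):
        user = environ.get("REMOTE_USER")
        granted = environ.get("x-example.permissions", set())  # assumption: set by a policy layer
        if not user or permission not in granted:
            return _login_redirect(environ, start_response)
        return app(environ, start_response)
    return middleware


def require_permission(app, permission):
    """Corrected logic: decide authentication first, authorization second."""
    def middleware(environ, start_response):
        user = environ.get("REMOTE_USER")
        granted = environ.get("x-example.permissions", set())  # assumption: set by a policy layer
        if not user:
            # Not authenticated: the only case where a login screen is the right answer.
            return _login_redirect(environ, start_response)
        if permission not in granted:
            # Authenticated but not authorized: explain, do not redirect.  Sending this
            # user to the login form would confuse them at best and loop at worst
            # (login -> back here -> refused -> login ...), since logging in again
            # cannot grant a permission the account does not have.
            body = (f"Signed in as {user}, but the '{permission}' permission is "
                    f"required for {environ.get('PATH_INFO', '/')}.\n").encode("utf-8")
            start_response("403 Forbidden", [("Content-Type", "text/plain; charset=utf-8"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return middleware


def admin_app(environ, start_response):
    """Hypothetical protected resource."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"admin area\n"]


def call(app, path, user=None, permissions=()):
    """Invoke a WSGI app on a constructed request; return (status, headers, body)."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)  # fills in the remaining required WSGI keys
    if user is not None:
        environ["REMOTE_USER"] = user
    environ["x-example.permissions"] = set(permissions)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Constructed requests: anonymous, signed in without the permission, signed in with it.
    for label, app in (("wrong", require_permission_wrong(admin_app, "admin")),
                       ("right", require_permission(admin_app, "admin"))):
        for who, perms in ((None, ()), ("alice", ("read",)), ("bob", ("admin",))):
            status, headers, body = call(app, "/admin", who, perms)
            print(f"{label:5} user={who!s:5} -> {status} "
                  f"{headers.get('Location', '')} {body.decode().strip()}")
```

Run it and the `wrong` rows show alice, who is logged in but not an admin, being sent to `/login` exactly like the anonymous visitor; the `right` rows give her a 403 that says why, while the anonymous visitor still gets the redirect. Real authenticators hang off the same split: a 401 (or, for browsers, a redirect to the form) when `REMOTE_USER` is missing, a 403 page when it is present but the policy check fails.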