feat: improve oidc only mode

lib/mv_web/plugs/check_page_permission.ex

@@ -54,7 +54,7 @@ defmodule MvWeb.Plugs.CheckPagePermission do
         conn
         |> fetch_session()
         |> fetch_flash()
-        |> put_flash(:error, "You don't have permission to access this page.")
+        |> maybe_put_access_denied_flash(user)
         |> redirect(to: redirect_to)
         |> halt()
       end
@@ -75,6 +75,13 @@ defmodule MvWeb.Plugs.CheckPagePermission do
 
   defp redirect_target(user), do: redirect_target_for_user(user)
 
+  # Only set "no permission" flash when user is logged in; unauthenticated users get redirect only, no flash.
+  defp maybe_put_access_denied_flash(conn, nil), do: conn
+
+  defp maybe_put_access_denied_flash(conn, _user) do
+    put_flash(conn, :error, "You don't have permission to access this page.")
+  end
+
   @doc """
   Returns true if the path is public (no auth/permission check).
   Used by LiveView hook to skip redirect on sign-in etc.