The event core.modify_posting_auth documents the use of the is_authed and error variables to perform extra authorizations from extensions, however, neither of both works as expected.

The is_authed var, if set to true, stops execution, but the message shown is wrong.

The error var is not considered at all, does not stop execution, or is presented to the end user, as it should.

Also, the mode is modified before the event, and used after it, assuming that the event will make the same change, without documenting it (in fact, documenting that it should NOT be modified).