- Bug
- Resolution: Fixed
- Medium
- None
- 1
- Severity 3 - Minor
A user who has only read access to a repository can see repository settings if they specifically use the following URLs:
- {BITBUCKET_URL}/projects/{PROJECT_SLUG}/repos/{REPO_SLUG}/settings/merge-checks
- {BITBUCKET_URL}/projects/{PROJECT_SLUG}/repos/{REPO_SLUG}/settings/hooks
- {BITBUCKET_URL}/projects/{PROJECT_SLUG}/settings/merge-checks
- {BITBUCKET_URL}/projects/{PROJECT_SLUG}/settings/hooks
Expected Outcome:
Users receive a 401
Actual Outcome:
Users can see the checks and hooks. When you attempt to change them, you receive a permissions error.
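A regression check for the behaviour described above, as an added example that is not part of the original issue or Atlassian's code: it requests the four settings URLs with a read-only user's session and lists any that still load. The function names, the `headers` argument (how the read-only session authenticates is left to the caller) and the `fetch` hook are assumptions.

```python
"""Regression check for the four settings URLs listed in the issue (added example)."""
import urllib.error
import urllib.request

# Path templates taken from the issue text.
SETTINGS_PATHS = (
    "/projects/{project}/repos/{repo}/settings/merge-checks",
    "/projects/{project}/repos/{repo}/settings/hooks",
    "/projects/{project}/settings/merge-checks",
    "/projects/{project}/settings/hooks",
)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Do not follow 3xx, so a redirect to a login page is not mistaken for a 200.
    def redirect_request(self, *args, **kwargs):
        return None


def http_status(url, headers):
    """Return the HTTP status of a GET request without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    request = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(request, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 3xx, 4xx and 5xx responses arrive here


def exposed_settings(base_url, project, repo, headers, fetch=http_status):
    """Return (url, status) for each settings URL the session can still load (2xx).

    `headers` must carry the credentials of a user with read-only access
    (assumption: the caller knows how that session authenticates).
    """
    exposed = []
    for template in SETTINGS_PATHS:
        url = base_url.rstrip("/") + template.format(project=project, repo=repo)
        status = fetch(url, headers)
        if 200 <= status < 300:
            exposed.append((url, status))
    return exposed
```

An empty list from `exposed_settings` means none of the four pages rendered for the read-only session.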
- causes: BSERV-14146 Hook settings rest endpoint is incorrectly documented as REPO_READ (Closed)