CI/CD settings of a subgroup are available to members of another subgroup
Summary
gitlab.com/groups/mygroup/mysubgroup/-/settings/ci_cd is available to members of mygroup that are not administrators of mygroup/mysubgroup. The UI element "Settings / CI/CD" is not available to non-admins, but typing the URL in the browser directly allows access.
Steps to reproduce
Take this example Group setup:
mygroup
    mysubgroup
    myothersubgroup
An admin of mygroup/myothersubgroup can access the view /groups/mygroup/mysubgroup/-/settings/ci_cd by typing the URL into their browser even though the UI link is hidden.
This is somewhat concerning because someone can grab the GitLab CI runner registration token from that page, deploy a runner, and get jobs scheduled onto that new (potentially malicious) runner.
What is the expected correct behavior?
In the example above, only admins of mysubgroup (and maybe admins of mygroup) should be able to access /groups/mygroup/mysubgroup/-/settings/ci_cd.
Output of checks
This bug happens on GitLab.com
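The expected behavior above, written as a server-side check with a regression matrix for the report's group layout. This is an added example, not GitLab code and not part of the original report: the `ADMINS` table, user names, method names and the choice of a 404 response are assumptions made for illustration.

```ruby
# Hypothetical model (not GitLab code): admin grants per group path.
# Constructed sample data mirroring the group layout in the report.
ADMINS = {
  "mygroup"                 => ["root_admin"],
  "mygroup/mysubgroup"      => ["sub_admin"],
  "mygroup/myothersubgroup" => ["other_admin"],
}.freeze

# Matches /groups/<group path>/-/settings/ci_cd and captures the group path.
SETTINGS_RE = %r{\A/groups/(?<path>[\w\-./]+?)/-/settings/ci_cd\z}

# Returns the group itself followed by each ancestor, nearest first.
def self_and_ancestors(path)
  parts = path.split("/")
  parts.length.downto(1).map { |n| parts.first(n).join("/") }
end

# Access decision for a group's CI/CD settings page.
# Admin rights may flow down from an ancestor group, never sideways
# between sibling subgroups. The flag models the report's "maybe
# admins of mygroup" option.
def can_view_ci_cd_settings?(user, path, admins: ADMINS, inherit_from_ancestors: true)
  scopes = inherit_from_ancestors ? self_and_ancestors(path) : [path]
  scopes.any? { |group| admins.fetch(group, []).include?(user) }
end

# The check runs on the request itself, so hiding the UI link is
# irrelevant to the outcome. Returns an HTTP status code; 404 for both
# "no such group" and "not allowed" is an assumption of this example.
def authorize_request(user, request_path, **opts)
  match = SETTINGS_RE.match(request_path)
  return 404 unless match && ADMINS.key?(match[:path])
  can_view_ci_cd_settings?(user, match[:path], **opts) ? 200 : 404
end

if __FILE__ == $PROGRAM_NAME
  url = "/groups/mygroup/mysubgroup/-/settings/ci_cd"
  %w[sub_admin root_admin other_admin].each do |user|
    puts format("%-12s %s -> %d", user, url, authorize_request(user, url))
  end
end
```

A matrix like this belongs in the request-level tests for every settings route, so that a directly typed URL is covered as well as the navigation link.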