We're using https://github.com/jenkinsci/github-branch-source-plugin's github build status notifications to update our github instance with the status of builds.

This initially posts links to https://<our-jenkins>/job/Builds/job/<pipeline name>/job/<branch-name>/display/redirect, although they later change to https://<our-jenkins>/job/Builds/job/<pipeline name>/job/<branch-name>/<build-number>/display/redirect.

The users with view permissions visiting https://<our-jenkins>/job/Builds/job/<pipeline name>/job/<branch-name>/display/redirect without the Job/Build permission get an error page saying `Access Denied <username> is missing the Job/Build permission`. 

However, they are able to view https://<our-jenkins>/job/Builds/job/<pipeline name>/job/<branch-name> with just regular read permissions.

Why does the redirect page require different and (seemingly) completely unrelated permissions from the page it redirects to?

 

(Note that https://<our-jenkins>/job/Builds/job/<pipeline name>/job/<branch-name>/<build-number>/display/redirect. doesn't seem to require job/build permissions)