Anonymous tokens can create intentions

I have setup a consul cluster with ACL’s with default deny. However in the GUI, the anonymous user has the ability to create Intentions.

Is this a bug? How can I disable creating intentions for anonymous users?