For maintainers, please notice checkAccess() can be empty. I added that check there for be sure we cover all possible scenarios. Let me kown if keep the function empty is good enough.

Pinging @joomla/security

I looked at com_config and saw that the code provided in this PR does not cover all the cases yet. I suggest use the code like below:

protected function checkAccess()
{
	$task = $this->input->getCmd('task');

	// sendtestmail expects json response, so we leave the method to handle the permission and send response itself
	if ($task === 'application.sendtestmail') {
		return;
	}

	$option = $this->input->getCmd('component');
	$user   = $this->app->getIdentity();

	if ($option && !in_array(strtolower($option), ['com_joomlaupdate', 'com_privacy'], true)) {
		$canAccess = $user->authorise('core.admin', $option) || $user->authorise('core.options', $option);
	} else {
		$canAccess = $user->authorise('core.admin');
	}

	if (!$canAccess) {
		throw new NotAllowed($this->app->getLanguage()->_('JERROR_ALERTNOAUTHOR'), 403);
	}
}

Explanation:

• The checkAccess method should throw NotAllowed exception if user does not have permission to perform the action like we do for all other extensions (not perform redirection like in proposed code)
• When component is provided in the request, we check for core.admin or core.options permissions for all components except com_privacy, com_joomlaupdate . For the two components, we need to have global core.admin permission.
• For all other actions in com_config, users need to have global core.admin permission.
• We need special case for sendtestmail here because the ajax request expect json response, so if we throws Exception, I think the javascript code which handle response would have some error.

The checkAccess method should throw NotAllowed exception if user does not have permission to perform the action like we do for all other extensions (not perform redirection like in proposed code)

Throw a error page it should not be the result for a user. Redirect with a message of why cant access I think is how should work in this case.

Throw a error page it should not be the result for a user. Redirect with a message of why cant access I think is how should work in this case.

Users should not be presented with the link if they do not have permission. If they type the URL directly, they get error is expected behavior. Anyway, that's how it works for all component dispatchers which we implemented.

Btw, good catch about "sendtestmail"

@joomdonation is done

@joomdonation After checked all references to the function, I removed the function param $authCheck because is not used. Also, is not relate with the way we check now the permissions.

@carlitorweb Unfortunately, your last commits messed up the code. The general rule is you are not allowed to change the behavior of a public method (which could be used by other extensions - potential cause backward incompatible change).

Thinking more about the issue, I realized we need to check it more carefully to avoid user bypass permission check by passing the component input in the request. I come up with this code which should be more secure and a bit more clean than the current code https://github.com/joomla/joomla-cms/compare/4.2-dev...joomdonation:joomla-cms:com_config_dispatcher?expand=1

Please take a look at the code and feel free to ask it to your PR.

You are correct about b/c.

@joomdonation I will close this PR, please up yours.

@carlitorweb OK. If you don't want to continue, you can close the PR and I will open a new PR to replace this one. Thanks for trying !