Issue244

Title: Any User can hijack other Users' Queries
Priority: bug
Status: resolved
Superseder:
Nosy List: ajaksu2, loewis
Assigned To:
Topics:

Created on 2009-02-25.22:00:59 by ajaksu2, last changed 2009-04-06.04:03:20 by ajaksu2.

Files
File name | Uploaded | Type
_generic_index_query.diff | ajaksu2, 2009-02-25.22:10:47 | text/plain
actions_query.diff | ajaksu2, 2009-02-25.22:00:59 | text/x-diff
avoid_editcsv.diff | ajaksu2, 2009-03-08.12:33:01 | text/x-diff
Messages
msg1303 Author: ajaksu2 Date: 2009-04-06.04:03:20
I don't think so, cannot trigger it anymore. I'll reopen it or a new one if I
find otherwise.
msg1266 Author: loewis Date: 2009-03-21.19:25:25
Is this still an issue after the roundup update?
msg1230 Author: loewis Date: 2009-03-08.13:47:31
I have now disabled editcsv for roundup.

I do think it is useful, as various coordinators use it to add components etc.
Of course, we could also create forms for it, or have people submit such
requests to this tracker, so I create the components through the command line -
however, the CSV interface is really convenient for distributed administration.
msg1227 Author: ajaksu2 Date: 2009-03-08.12:33:01
We could either ditch EditCSVAction entirely or add permission checks to it, if
it's a useful action. To solve this class of problems, I think it'd be
necessary to add another kind of permission ('EditCSV') to Roles and check for that.

Here's a temporary fix, given the potential hassle described in private email.
msg1218 Author: loewis Date: 2009-03-08.09:00:34
actions_query.diff is not appropriate to solve this problem: it puts knowledge
of a "keywords" class into roundup.

I don't quite understand the problem. If it is possible to edit arbitrary
queries through CSV, why is it not possible to edit arbitrary issues through CSV?

(I'm assuming it is not possible to edit arbitrary issues - if it was, we would
have much bigger problems)
msg1192 Author: ajaksu2 Date: 2009-02-25.22:10:47
And this one removes the UI :)

I think 'keyword' (implying 'Developer') might not be strict enough...
msg1191 Author: ajaksu2 Date: 2009-02-25.22:00:58
Any User has the ability to edit or create Queries, which equates to Admin's
ability to edit Classes, as far as Queries are concerned. This ignores Query
ownership in the CSV interface, allowing one to edit, steal or delete someone
else's Queries.

Attached patch blocks this path.
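
The two checks discussed in this thread (a class-level 'EditCSV' permission on Roles, msg1227, and respect for Query ownership, msg1191), shown as an added example that is not part of the thread, the attached patches or Roundup's code. It is a standalone model: the role table, the 'EditAny' permission, the 'Coordinator' role, the function name and the sample rows are all assumptions, and "a row missing from the upload means delete" is a rule of this model only.

```python
import csv
import io

# Hypothetical role table. 'EditCSV' is the permission name proposed in msg1227;
# 'EditAny' and 'Coordinator' are assumptions of this model, not Roundup names.
ROLE_PERMISSIONS = {"Admin": {"EditCSV", "EditAny"},
                    "Coordinator": {"EditCSV"},
                    "User": set()}


class Denied(Exception):
    """Raised when a CSV upload would change an item the caller may not touch."""


def apply_query_csv(queries, user, roles, csv_text):
    """Return the new query table after a bulk CSV edit, or raise Denied.

    queries maps id -> {"name": str, "creator": str}. In this model a row
    that is missing from the upload means "delete that query".
    """
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    if "EditCSV" not in perms:                       # class-level gate
        raise Denied(f"{user}: role lacks EditCSV")
    uploaded = {r["id"]: r for r in csv.DictReader(io.StringIO(csv_text))}
    # Per-item gate: validate every change before applying any of them, so a
    # rejected upload leaves the table untouched.
    for qid, cur in queries.items():
        new = uploaded.get(qid)
        changed = new is None or (new["name"], new["creator"]) != (cur["name"], cur["creator"])
        if changed and cur["creator"] != user and "EditAny" not in perms:
            raise Denied(f"{user} may not modify query {qid} owned by {cur['creator']}")
    for qid, new in uploaded.items():
        if qid not in queries and new["creator"] != user and "EditAny" not in perms:
            raise Denied(f"{user} may not create a query owned by {new['creator']}")
    return {qid: {"name": r["name"], "creator": r["creator"]} for qid, r in uploaded.items()}


# Constructed sample data.
QUERIES = {"1": {"name": "my open bugs", "creator": "alice"},
           "2": {"name": "needs review", "creator": "bob"}}
STEAL = "id,name,creator\n1,my open bugs,alice\n2,needs review,alice\n"   # reassigns bob's query
OWN_EDIT = "id,name,creator\n1,alice triage,alice\n2,needs review,bob\n"  # changes only alice's row
DROP = "id,name,creator\n1,my open bugs,alice\n"                          # omits bob's query
```
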
History
Date | User | Action | Args
2009-04-06 04:03:20 | ajaksu2 | set | status: chatting -> resolved; messages: + msg1303
2009-03-21 19:25:26 | loewis | set | messages: + msg1266
2009-03-08 13:47:31 | loewis | set | priority: critical -> bug; messages: + msg1230
2009-03-08 12:33:02 | ajaksu2 | set | priority: urgent -> critical; files: + avoid_editcsv.diff; messages: + msg1227
2009-03-08 09:00:35 | loewis | set | nosy: + loewis; messages: + msg1218
2009-02-25 22:10:47 | ajaksu2 | set | files: + _generic_index_query.diff; status: unread -> chatting; messages: + msg1192
2009-02-25 22:00:59 | ajaksu2 | create |