Microsoft Project Server 2003 Web Access provides a mechanism for developer to customize the menu.  However, any menu added by “server configuration” in admin page will no security validation, that all user can view it, even if it is under admin submenu.

Solution

The reason is that the default global permission of a custom menu is 0, which means every user has permission to view it.  Since the PWA does not provide an interface to change the permission setting, the custom menu cannot act like other menus.  However, the custom menu uses the same data structure as the build-in menu.  Therefore developers can directly modify the database to make menu secure.

The project server database uses two tables to store the menu information, MSP_WEB_SECURITY_MENUS and MSP_WEB_SECURITY_PAGES.  MSP_WEB_SECURITY_MENUS saves the information of each menu, such as menu ID, menu name, indicator that menu is a top-menu or submenu, sequence of menu, the web page a menu link to, and etc.  MSP_WEB_SECURITY_PAGES saves the information of each page, such as URL of page and etc.  Among them, there is a property, WSEC_PAGE_ACT_ID, which is the feature action ID of the menu, defined in MSP_WEB_SECURITY_FEATURES_ACTIONS. 

When a developer added a custom menu to PWA, the project server will add a record in MSP_WEB_SECURITY_MENUS table and a record in MSP_WEB_SECURITY_PAGES table.  By default, the WSEC_PAGE_ACT_ID is set to 0 of custom page.  To make the page secure, developer can modify the value with any valid feature action ID.  For example, a developer adds a function page in admin menu.  It can be set as the same permission as “Manage Views” menu in admin menu.  To set so, developer can simply set the WSEC_PAGE_ACT_ID to 730.  Then the new page will have the permission setting as manage views page, and only those user who can manage views, have permission to view the new custom page.