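{
    # Builds, for every ibay in the accounts database, the Apache
    # <Directory> section that enables WebDAV on the ibay's html tree.
    # The text is accumulated in $OUT; nothing is printed here, so the
    # caller (presumably the templating engine) is what consumes $OUT.
    #
    # $localAccess, %php and $phpModule are read below but not defined in
    # this fragment; they must be supplied by the surrounding template.
    use esmith::AccountsDB;
    use esmith::DAV;

    my $adb = esmith::AccountsDB->open_ro();
    $OUT = "";

    foreach my $ibay ($adb->ibays)
    {
        my %properties = $ibay->props;
        my $key        = $ibay->key;

        # Per-ibay switches; a missing property falls back to the default
        # on the right-hand side.
        my $dynamicContent   = $properties{'CgiBin'} || "disabled";
        my $secureEXEC       = $properties{'ModDavSecureEXEC'} || 'enabled';
        my $access           = $properties{'PublicAccess'} || 'none';
        my $hidePHP          = ( $properties{'ModDavHidePHP'} || 'enabled' ) eq 'enabled';
        my $noDirectoryIndex = ( $properties{'ModDavNoDirectoryIndex'} || "enabled" ) ne "disabled";

        # An ibay that is not published over httpd gets no DAV section.
        if ($access eq 'none')
        {
            $OUT .= "\n    # ibay $key disabled for httpd so no DAV access\n";
            next;
        }

        # 'any' lets either the host rule or the password grant access;
        # it is chosen only for the global-pw-remote access mode.
        my $satisfy = ($access eq 'global-pw-remote') ? 'any' : 'all';

        unless ($properties{'ModDav'})
        {
            $OUT .= "\n   # DAV disabled for ibay $key\n";
            next;
        }

        # A ModDav value that is set but is not 'enabled' emits nothing at
        # all for the ibay (not even the "DAV disabled" comment above).
        next unless $properties{'ModDav'} eq 'enabled';

        my $ReadRequire  = esmith::DAV::getRequireUser("read", $key );
        my $WriteRequire = esmith::DAV::getRequireUser("write", $key);
        my $ReadAllow    = esmith::DAV::getAllow("read", $key, $localAccess );
        my $WriteAllow   = esmith::DAV::getAllow("write", $key, $localAccess );

        $OUT .= "\n<Directory /home/e-smith/files/ibays/$key/html>\n\n";
        $OUT .= "    # Enable DAV access for this directory tree\n";
        $OUT .= "    DAV On\n\n";

        # Basic auth sends the password in clear text, so refuse plain HTTP.
        # NOTE(review): mod_ssl documents that under "Satisfy any" a denial
        # from SSLRequireSSL can be overridden when another access check
        # passes, unless "SSLOptions +StrictRequire" is in effect. Confirm
        # that it is set elsewhere in the server configuration, or that this
        # directory is only ever served by a TLS virtual host.
        $OUT .= "    SSLRequireSSL\n\n";

        if ($dynamicContent eq 'enabled' && $secureEXEC eq 'enabled')
        {
            # Content uploaded through DAV must not be executed as PHP or
            # CGI. The FilesMatch pattern (and so the optional deny) covers
            # names ending in .php only; the other extensions are handled
            # by RemoveHandler and Options -ExecCGI.
            $OUT .= "    <FilesMatch \\.php\$>\n";
            $OUT .= "        #disabling php\n";
            $OUT .= "        SetHandler !\n"; # could use also SetHandler  none
            $OUT .= "        deny from all\n" if $hidePHP;
            $OUT .= "    </FilesMatch>\n";
            $OUT .= "    Options -ExecCGI\n";
            $OUT .= "    RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo\n";

            # php_flag is only valid when the PHP module is loaded.
            $OUT .= "    php_flag engine off\n"
                if ((exists $php{status} and $php{status} eq "enabled") and $phpModule eq "enabled");
        }

        # The property value is written into the configuration verbatim.
        $OUT .= "    FileETag ".$properties{'ModDav-FileETag'}."\n\n" if ($properties{'ModDav-FileETag'});

        $OUT .= "    AllowOverride None\n";
        $OUT .= "    Options +Indexes \n\n";
        $OUT .= "    # Allow fancy indexing by columns and download by clicking icon\n";
        $OUT .= "    IndexOptions FancyIndexing IconsAreLinks\n\n";

        # httpd 2.4 bug, fixed in httpd 2.5 only: PROPFIND fails unless
        # DirectoryIndex is disabled, see
        # https://bz.apache.org/bugzilla/show_bug.cgi?id=54914
        $OUT .= "    #because of bug https://bz.apache.org/bugzilla/show_bug.cgi?id=54914 in httpd 2.4 DirectoryIndex disabled is needed for webdav to work\n";
        if ($noDirectoryIndex)
        {
            $OUT .= "    DirectoryIndex disabled\n\n";
        }
        else
        {
            $OUT .= "    #DirectoryIndex disabled : DavNoDirectoryIndex has been defined to force DirectoryIndex \n\n";
        }

        # The ibay description ends up inside a double-quoted Apache
        # argument. Escape backslashes and double quotes and fold line
        # breaks, so that an unusual description cannot close the quoted
        # string early or start a new configuration line. Descriptions
        # without those characters produce the same output as before.
        my $authName = defined $properties{'Name'} ? $properties{'Name'} : '';
        $authName =~ s/[\r\n]+/ /g;
        $authName =~ s/(["\\])/\\$1/g;

        $OUT .= "    order deny,allow\n";
        $OUT .= "    deny from all\n";
        $OUT .= "    " . $ReadAllow . "\n";
        $OUT .= "    AuthName \"$authName\"\n";
        $OUT .= "    AuthBasicProvider external\n";
        $OUT .= "    AuthType Basic\n";
        $OUT .= "    AuthExternal pwauth\n";
        $OUT .= "    " . $ReadRequire . "\n";
        $OUT .= "    Satisfy $satisfy\n\n";

        # Ensure only valid users get to do stuff... update 2021/02:
        # GET, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK
        # some suggest : AllowMethods HEAD GET POST CONNECT PUT DELETE OPTIONS PROPFIND PROPPATCH MKCOL MKCALENDAR COPY MOVE LOCK UNLOCK TRACE
        # TRACE is not supposed to be limited by this directive, should use TraceEnable
        # LimitExcept is suggested over Limit in order to catch all non standard methods
        # However the Require user line above already covers the whole
        # folder, so the old Limit block below looks redundant unless it is
        # narrowed to one user or widened to Require valid-user.
        #     $OUT .= "    <Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>\n\n";
        #     $OUT .= "        Allow from all\n";
        #     $OUT .= "        Require user $userlist\n\n";
        #     $OUT .= "    </Limit>\n\n";

        # Every method other than the five listed needs the write rules,
        # and "Satisfy All" makes both the host rule and the user rule
        # mandatory for them whatever $satisfy is. POST is on the exempt
        # list, so it is governed by the read rules only.
        $OUT .= "    <LimitExcept GET POST PROPFIND OPTIONS CONNECT>\n";
        $OUT .= "      " . $WriteRequire . "\n";
        $OUT .= "      Satisfy All\n";
        $OUT .= "      ". $WriteAllow ."\n";
        $OUT .= "    </LimitExcept>\n\n";
        $OUT .= "</Directory>\n";
    }
}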
