smeserver-mod_dav/contribs10/smeserver-mod_dav-1.1-bz10347-bz4564-bz5337.patch

diff -Nur smeserver-mod_dav-1.1.old/createlinks smeserver-mod_dav-1.1/createlinks
--- smeserver-mod_dav-1.1.old/createlinks       1969-12-31 19:00:00.000000000 -0500
+++ smeserver-mod_dav-1.1/createlinks   2021-02-28 23:12:35.438000000 -0500
@@ -0,0 +1,8 @@
+#!/usr/bin/perl -w
+
+use esmith::Build::CreateLinks qw(:all);
+
+my $event = "smeserver-mod_dav-update";
+templates2events("/etc/httpd/conf/httpd.conf", $event);
+safe_symlink("sigusr1", "root/etc/e-smith/events/$event/services2adjust/httpd-e-smith");
+
diff -Nur smeserver-mod_dav-1.1.old/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/95Addmod_dav2ibays smeserver-mod_dav-1.1/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/95Addmod_dav2ibays
--- smeserver-mod_dav-1.1.old/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/95Addmod_dav2ibays   2021-02-28 22:41:40.846000000 -0500
+++ smeserver-mod_dav-1.1/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/95Addmod_dav2ibays       2021-03-02 11:57:52.069000000 -0500
@@ -1,71 +1,92 @@
 {
     use esmith::AccountsDB;
+    use esmith::DAV;
     my $adb = esmith::AccountsDB->open_ro();
     $OUT = "";
     foreach my $ibay ($adb->ibays)
     {
         my %properties = $ibay->props;
         my $key = $ibay->key;
+       my $dynamicContent = $properties{'CgiBin'} || "disabled";
+        my $secureEXEC = $properties{'ModDAVsecureEXEC'} || 'enabled';
+        my $access = $properties{'PublicAccess'} || 'none';
+       $OUT .= "\n    # ibay $key disabled for httpd so no DAV access\n" if $access eq 'none';
+       next if $access eq 'none';
+       # true if have to be password accessible from somewhere.
+       my $satisfy = ($access eq 'global-pw-remote')? 'any': 'all';
         if ($properties{'ModDav'})
         {
             if ($properties{'ModDav'} eq 'enabled')
             {
+                my $ReadRequire = esmith::DAV::getRequireUser("read", $key );
+               my $WriteRequire = esmith::DAV::getRequireUser("write", $key);
+                my $ReadAllow = esmith::DAV::getAllow("read", $key, $localAccess );
+                my $WriteAllow = esmith::DAV::getAllow("write", $key, $localAccess );
+
                 $OUT .= "\n<Directory /home/e-smith/files/ibays/$key/html>\n\n";
                 $OUT .= "    # Enable DAV access for this directory tree\n";
                 $OUT .= "    DAV On\n\n";
+               #we will not seriously let you type your password over the network without encryption
+               $OUT .= "    SSLRequireSSL\n\n";
+
+               if ($dynamicContent eq 'enabled' && $secureEXEC eq 'enabled')
+               {
+                 # we do not want PHP or CGI to be runt there for security reason 
+                 $OUT .= "    <FilesMatch \\.php\$>\n";                
+                 $OUT .= "        #disabling php\n";
+                  $OUT .= "        SetHandler !\n"; # could use also SetHandler  none
+                 $OUT .= "        deny from all\n" if ( $properties{'ModDAVhidephp'} || 'enabled' ) eq 'enabled';
+                  $OUT .= "    </FilesMatch>\n";               
+                  $OUT .= "    Options -ExecCGI\n";
+                 $OUT .= "    RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo\n";
+                  $OUT .= "    php_flag engine off\n" if ((exists $php{status} and $php{status} eq "enabled") and $phpModule eq "enabled") ;# can not use this one when php module not in use
+               }
+
+                $OUT .= "    FileETag ".$properties{'ModDav-FileETag'}."\n\n" if ($properties{'ModDav-FileETag'});
 
-                if ($properties{'ModDav-FileETag'})
-                {
-                    $OUT .= "    FileETag ".$properties{'ModDav-FileETag'}."\n\n";
-                }
                 $OUT .= "    AllowOverride None\n";
                 $OUT .= "    Options +Indexes \n\n";
                 $OUT .= "    # Allow fancy indexing by columns and download by clicking icon\n";
                 $OUT .= "    IndexOptions FancyIndexing IconsAreLinks\n\n";
-                if ($properties{'Group'})
-                {
-                    $OUT .= "    AuthName \"$key\"\n";
-                    $OUT .= "    AuthBasicProvider external\n";
-                    $OUT .= "    AuthType Basic\n";
-                    $OUT .= "    AuthExternal pwauth\n\n";
-                    # Save groupname and find it in the group list
-                    $iBayGroup = $properties{'Group'};
-                    foreach my $group ($adb->groups)
-                    {
-                        my %groupprops = $group->props;
-                        my $grpkey = $group->key;
-                        if ($grpkey eq $iBayGroup)
-                        {
-                            # we have the group that owns the DAV iBay
-                            # If there are members of the group validate on them,
-                            # otherwise on the ibayname
-                            if ($groupprops{'Members'})
-                            {
-                                # need to break user list on commas then output each one...
-                                my @values = split(',',$groupprops{'Members'});
-                                $OUT .= "    # Replace ibay name with any valid group member to validate\n";
-                                $OUT .= "    Require user ";
-                                foreach my $val (@values) {
-                                    $OUT .= $val . " ";
-                                }
-                                $OUT .= "\n\n";
-                            }
-                            else
-                            {
-                                # No group members so use ibay name for validation
-                                $OUT .= "    # use ibay name to validate\n";
-                                $OUT .= "    Require user " . $key . "\n\n";
-                            }
-                        }
-                    } 
-                }
-                # Ensure only valid users get to do stuff...
-                $OUT .= "    <Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>\n\n";
-                $OUT .= "        Allow from all\n";
-                $OUT .= "        Require valid-user\n\n";
-                $OUT .= "    </Limit>\n\n";
+
+                # bug with httpd-2.4 fixed in httpd-2.5 only see https://bz.apache.org/bugzilla/show_bug.cgi?id=54914 PROPFIND will fail
+                $OUT .= "    #because of bug https://bz.apache.org/bugzilla/show_bug.cgi?id=54914 in httpd 2.4 DirectoryIndex disabled is needed for webdav to work\n";
+                $OUT .= "    DirectoryIndex disabled\n\n" unless ( ($properties{'DavNoDirectoryIndex'}||"enabled" ) eq "disabled");
+                $OUT .= "    #DirectoryIndex disabled : DavNoDirectoryIndex has been defined to force DirectoryIndex \n\n" if ( ($properties{'DavNoDirectoryIndex'}||"enabled" ) eq "disabled");
+
+                $OUT .= "    order deny,allow\n";
+                $OUT .= "    deny from all\n";
+                $OUT .= "    " . $ReadAllow . "\n";
+                $OUT .= "    AuthName \"$properties{'Name'}\"\n";
+                $OUT .= "    AuthBasicProvider external\n";
+                $OUT .= "    AuthType Basic\n";
+                $OUT .= "    AuthExternal pwauth\n";
+                $OUT .= "    " . $ReadRequire . "\n";
+                $OUT .= "    Satisfy $satisfy\n\n";
+
+                # Ensure only valid users get to do stuff... update 2021/02:
+               # GET, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK
+               # some suggest : AllowMethods HEAD GET POST CONNECT PUT DELETE OPTIONS PROPFIND PROPPATCH MKCOL MKCALENDAR COPY MOVE LOCK UNLOCK TRACE 
+               # TRACE is not supposed to be limited by this directive, should use TraceEnable 
+               # LimitExcept is suggested over Limit in order to catch all non standard methods
+               # however we put our limit to the whole folder with the Require user .... above, so the whole block under seems useless
+               # unless we reduce it to one user, or are fool to enlarge to Require valid-user
+#                $OUT .= "    <Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>\n\n";
+#                $OUT .= "        Allow from all\n";
+#                $OUT .= "        Require user $userlist\n\n";
+#                $OUT .= "    </Limit>\n\n";
+
+                $OUT .= "    <LimitExcept GET POST PROPFIND OPTIONS CONNECT>\n";
+                $OUT .= "      " . $WriteRequire . "\n";
+               $OUT .= "      Satisfy All\n";
+                $OUT .= "      ". $WriteAllow ."\n";
+                $OUT .= "    </LimitExcept>\n\n";
                 $OUT .= "</Directory>\n";
             }
         }
+       else
+       {
+            $OUT .= "\n   # DAV disabled for ibay $key\n";
+       }
     }
 }
diff -Nur smeserver-mod_dav-1.1.old/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/21IbayWebDav smeserver-mod_dav-1.1/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/21IbayWebDav
--- smeserver-mod_dav-1.1.old/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/21IbayWebDav    1969-12-31 19:00:00.000000000 -0500
+++ smeserver-mod_dav-1.1/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/21IbayWebDav        2021-03-02 11:57:55.866000000 -0500
@@ -0,0 +1,34 @@
+{
+# this fragment is to force SSL redirection for webdav activated account in case it is not already enabled
+# could be removed if core fragment 20IbaysContent introduce forced ssl for DAV
+   use esmith::AccountsDB;
+   my $adb = esmith::AccountsDB->open_ro();
+   $OUT = "";
+   foreach my $ibay ($adb->ibays)
+   {
+        my %properties = $ibay->props;
+        my $key = $ibay->key;
+        my $dynamicContent = $properties{'CgiBin'} || "disabled";
+        my $secureEXEC = $properties{'ModDAVsecureEXEC'} || 'enabled';
+        my $access = $properties{'PublicAccess'} || 'none';
+        $OUT .= "\n    # ibay $key disabled for httpd so no DAV access\n" if $access eq 'none';
+        next if $access eq 'none';
+        # true if have to be password accessible from somewhere.
+        my $ispassibay = $access =~ /-pw/;
+        my $satisfy = ($access eq 'global-pw-remote')? 'any': 'all';
+        if ($properties{'ModDav'})
+        {
+            if ($properties{'ModDav'} eq 'enabled')
+            {
+               # we force SSL redirection in case DAV is enabled
+                if (( $port ne $httpsPort ) && (($ibay->prop('SSL') || 'disabled') ne 'enabled'))
+               {
+                    my $portspec = ($httpsPort eq 443) ? "" : ":$httpsPort";
+                    $OUT .= "    RewriteEngine on\n";
+                    $OUT .= "    RewriteRule ^/$key(/.*|\$) https://%{HTTP_HOST}${portspec}/$key\$1 \[L,R\]\n";
+                }
+           }
+       }
+    }
+}
+
diff -Nur smeserver-mod_dav-1.1.old/root/usr/share/perl5/vendor_perl/esmith/DAV.pm smeserver-mod_dav-1.1/root/usr/share/perl5/vendor_perl/esmith/DAV.pm
--- smeserver-mod_dav-1.1.old/root/usr/share/perl5/vendor_perl/esmith/DAV.pm    1969-12-31 19:00:00.000000000 -0500
+++ smeserver-mod_dav-1.1/root/usr/share/perl5/vendor_perl/esmith/DAV.pm        2021-03-02 12:07:13.442000000 -0500
@@ -0,0 +1,118 @@
+
+package esmith::DAV;
+
+use strict;
+use warnings;
+use esmith::AccountsDB;
+my $adb = esmith::AccountsDB->open_ro();
+
+use vars qw( $AUTOLOAD @ISA );
+
+  sub getRequireUser {
+    my ($mode, $key) = @_;
+    my $ibay = $adb->get($key) or return "Require user admin"; 
+    my %properties = $ibay->props or return "Require user admin";
+    my $iBayGroup = $properties{'Group'} || 'admin';
+    my $accessMode = $properties{'UserAccess'} || 'wr-admin-rd-group';
+    my $access = $properties{'PublicAccess'} || 'none';
+    my $ispassibay = $access =~ /-pw/;
+    my $Anonymous  =  $properties{'ModDavAnonymousRead'} || "enabled";
+    my $MEMBERS = getMembers( $key, $iBayGroup);
+    my $REQUIRE = "";
+    if ($mode eq "read") 
+    {
+        if ($accessMode eq "wr-group-rd-everyone")
+        {
+           if ( $Anonymous eq "enabled" )
+            {
+                $REQUIRE = "# Allowing unauthenticated read access";
+            }
+            else
+           {
+               my $EVERYONE = join(' ' , ( (map { $_->key } $adb->users) , qw (admin) )); #shared user members
+               #$REQUIRE = "#wr-group-rd-everyone : members of shared\n";
+                $REQUIRE .= "Require user " . $EVERYONE;
+           }
+        }
+        else
+        {
+            $REQUIRE = "Require user " . $MEMBERS;
+            if ($accessMode eq "wr-admin-rd-group")
+            {
+                # add "admin" to the read group to avoid read/write auth conflicts
+                $REQUIRE .= " admin";
+            }
+        }
+       if ($ispassibay)
+       {
+           #we have local-pw or global-pw or global-pw-remote
+           $REQUIRE = ( $REQUIRE =~ /Require user / ) ? "$REQUIRE $key" : "Require user $key";
+           $REQUIRE .= " $MEMBERS" if ( $access =~ /remote/ );
+       }
+    }
+    else
+    {
+        if ($accessMode eq "wr-admin-rd-group")
+        {
+            $REQUIRE = "Require user admin";
+        }
+        else
+        {
+            $REQUIRE = "Require user " . $MEMBERS;
+        }
+     }
+    return $REQUIRE;
+  }
+  
+  sub getAllow {
+    my ($mode, $key, $localAccess ) = @_;
+    $localAccess = (defined $localAccess ) ? $localAccess : "127.0.0.1";
+    my $ibay = $adb->get($key) or return "allow from 127.0.0.1";
+    my %properties = $ibay->props or return "allow from 127.0.0.1";
+    my $Public = $properties{'PublicAccess'} || 'none'; 
+
+    my $allow = "allow from 127.0.0.1";
+    if ($Public eq 'none')
+    {
+        $allow = "# allow from set to NONE";
+    }
+    elsif ($Public =~ /(local|remote)/  )
+    {
+        $allow   = "allow from " . $localAccess;
+    }
+    elsif ($Public =~ /global/)
+    {
+        $allow   = "allow from all";
+    }
+    return $allow;
+  }
+
+  sub getMembers {
+    my ($key, $iBayGroup) = @_;
+    my $MEMBERS = $key; 
+   foreach my $group ( ($adb->groups, $adb->get('admin'), $adb->get('shared') ) )
+    {
+        my %groupprops = $group->props;
+        my $grpkey = $group->key;
+        if ($grpkey eq $iBayGroup)
+        {
+            # we have the group that owns the DAV iBay
+            # If there are members of the group validate on them,
+            # otherwise on the ibayname
+            my $GroupMembers = $groupprops{'Members'} || undef;
+            $GroupMembers = "admin" if ( $grpkey eq "admin"  );
+            $GroupMembers = join(' ' , ( (map { $_->key } $adb->users) , qw (admin) )) if ( $grpkey eq "shared"  ) ;
+
+            if ($GroupMembers)
+            {
+                # need to break user list on commas then output each one...
+                my @values = split(',',$GroupMembers);
+                $MEMBERS = "" unless (!@values) ;
+                foreach my $val (@values) {
+                    $MEMBERS .= $val . " ";
+                    }
+            }
+        }
+    }
+    return $MEMBERS;
+  }
1	jpp	1.1	diff -Nur smeserver-mod_dav-1.1.old/createlinks smeserver-mod_dav-1.1/createlinks
2			--- smeserver-mod_dav-1.1.old/createlinks 1969-12-31 19:00:00.000000000 -0500
3			+++ smeserver-mod_dav-1.1/createlinks 2021-02-28 23:12:35.438000000 -0500
4			@@ -0,0 +1,8 @@
5			+#!/usr/bin/perl -w
6			+
7			+use esmith::Build::CreateLinks qw(:all);
8			+
9			+my $event = "smeserver-mod_dav-update";
10			+templates2events("/etc/httpd/conf/httpd.conf", $event);
11			+safe_symlink("sigusr1", "root/etc/e-smith/events/$event/services2adjust/httpd-e-smith");
12			+
13			diff -Nur smeserver-mod_dav-1.1.old/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/95Addmod_dav2ibays smeserver-mod_dav-1.1/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/95Addmod_dav2ibays
14			--- smeserver-mod_dav-1.1.old/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/95Addmod_dav2ibays 2021-02-28 22:41:40.846000000 -0500
15			+++ smeserver-mod_dav-1.1/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/95Addmod_dav2ibays 2021-03-02 11:57:52.069000000 -0500
16			@@ -1,71 +1,92 @@
17			{
18			use esmith::AccountsDB;
19			+ use esmith::DAV;
20			my $adb = esmith::AccountsDB->open_ro();
21			$OUT = "";
22			foreach my $ibay ($adb->ibays)
23			{
24			my %properties = $ibay->props;
25			my $key = $ibay->key;
26			+ my $dynamicContent = $properties{'CgiBin'} \|\| "disabled";
27			+ my $secureEXEC = $properties{'ModDAVsecureEXEC'} \|\| 'enabled';
28			+ my $access = $properties{'PublicAccess'} \|\| 'none';
29			+ $OUT .= "\n # ibay $key disabled for httpd so no DAV access\n" if $access eq 'none';
30			+ next if $access eq 'none';
31			+ # true if have to be password accessible from somewhere.
32			+ my $satisfy = ($access eq 'global-pw-remote')? 'any': 'all';
33			if ($properties{'ModDav'})
34			{
35			if ($properties{'ModDav'} eq 'enabled')
36			{
37			+ my $ReadRequire = esmith::DAV::getRequireUser("read", $key );
38			+ my $WriteRequire = esmith::DAV::getRequireUser("write", $key);
39			+ my $ReadAllow = esmith::DAV::getAllow("read", $key, $localAccess );
40			+ my $WriteAllow = esmith::DAV::getAllow("write", $key, $localAccess );
41			+
42			$OUT .= "\n<Directory /home/e-smith/files/ibays/$key/html>\n\n";
43			$OUT .= " # Enable DAV access for this directory tree\n";
44			$OUT .= " DAV On\n\n";
45			+ #we will not seriously let you type your password over the network without encryption
46			+ $OUT .= " SSLRequireSSL\n\n";
47			+
48			+ if ($dynamicContent eq 'enabled' && $secureEXEC eq 'enabled')
49			+ {
50			+ # we do not want PHP or CGI to be runt there for security reason
51			+ $OUT .= " <FilesMatch \\.php\$>\n";
52			+ $OUT .= " #disabling php\n";
53			+ $OUT .= " SetHandler !\n"; # could use also SetHandler none
54			+ $OUT .= " deny from all\n" if ( $properties{'ModDAVhidephp'} \|\| 'enabled' ) eq 'enabled';
55			+ $OUT .= " </FilesMatch>\n";
56			+ $OUT .= " Options -ExecCGI\n";
57			+ $OUT .= " RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo\n";
58			+ $OUT .= " php_flag engine off\n" if ((exists $php{status} and $php{status} eq "enabled") and $phpModule eq "enabled") ;# can not use this one when php module not in use
59			+ }
60			+
61			+ $OUT .= " FileETag ".$properties{'ModDav-FileETag'}."\n\n" if ($properties{'ModDav-FileETag'});
62
63			- if ($properties{'ModDav-FileETag'})
64			- {
65			- $OUT .= " FileETag ".$properties{'ModDav-FileETag'}."\n\n";
66			- }
67			$OUT .= " AllowOverride None\n";
68			$OUT .= " Options +Indexes \n\n";
69			$OUT .= " # Allow fancy indexing by columns and download by clicking icon\n";
70			$OUT .= " IndexOptions FancyIndexing IconsAreLinks\n\n";
71			- if ($properties{'Group'})
72			- {
73			- $OUT .= " AuthName \"$key\"\n";
74			- $OUT .= " AuthBasicProvider external\n";
75			- $OUT .= " AuthType Basic\n";
76			- $OUT .= " AuthExternal pwauth\n\n";
77			- # Save groupname and find it in the group list
78			- $iBayGroup = $properties{'Group'};
79			- foreach my $group ($adb->groups)
80			- {
81			- my %groupprops = $group->props;
82			- my $grpkey = $group->key;
83			- if ($grpkey eq $iBayGroup)
84			- {
85			- # we have the group that owns the DAV iBay
86			- # If there are members of the group validate on them,
87			- # otherwise on the ibayname
88			- if ($groupprops{'Members'})
89			- {
90			- # need to break user list on commas then output each one...
91			- my @values = split(',',$groupprops{'Members'});
92			- $OUT .= " # Replace ibay name with any valid group member to validate\n";
93			- $OUT .= " Require user ";
94			- foreach my $val (@values) {
95			- $OUT .= $val . " ";
96			- }
97			- $OUT .= "\n\n";
98			- }
99			- else
100			- {
101			- # No group members so use ibay name for validation
102			- $OUT .= " # use ibay name to validate\n";
103			- $OUT .= " Require user " . $key . "\n\n";
104			- }
105			- }
106			- }
107			- }
108			- # Ensure only valid users get to do stuff...
109			- $OUT .= " <Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>\n\n";
110			- $OUT .= " Allow from all\n";
111			- $OUT .= " Require valid-user\n\n";
112			- $OUT .= " </Limit>\n\n";
113			+
114			+ # bug with httpd-2.4 fixed in httpd-2.5 only see https://bz.apache.org/bugzilla/show_bug.cgi?id=54914 PROPFIND will fail
115			+ $OUT .= " #because of bug https://bz.apache.org/bugzilla/show_bug.cgi?id=54914 in httpd 2.4 DirectoryIndex disabled is needed for webdav to work\n";
116			+ $OUT .= " DirectoryIndex disabled\n\n" unless ( ($properties{'DavNoDirectoryIndex'}\|\|"enabled" ) eq "disabled");
117			+ $OUT .= " #DirectoryIndex disabled : DavNoDirectoryIndex has been defined to force DirectoryIndex \n\n" if ( ($properties{'DavNoDirectoryIndex'}\|\|"enabled" ) eq "disabled");
118			+
119			+ $OUT .= " order deny,allow\n";
120			+ $OUT .= " deny from all\n";
121			+ $OUT .= " " . $ReadAllow . "\n";
122			+ $OUT .= " AuthName \"$properties{'Name'}\"\n";
123			+ $OUT .= " AuthBasicProvider external\n";
124			+ $OUT .= " AuthType Basic\n";
125			+ $OUT .= " AuthExternal pwauth\n";
126			+ $OUT .= " " . $ReadRequire . "\n";
127			+ $OUT .= " Satisfy $satisfy\n\n";
128			+
129			+ # Ensure only valid users get to do stuff... update 2021/02:
130			+ # GET, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK
131			+ # some suggest : AllowMethods HEAD GET POST CONNECT PUT DELETE OPTIONS PROPFIND PROPPATCH MKCOL MKCALENDAR COPY MOVE LOCK UNLOCK TRACE
132			+ # TRACE is not supposed to be limited by this directive, should use TraceEnable
133			+ # LimitExcept is suggested over Limit in order to catch all non standard methods
134			+ # however we put our limit to the whole folder with the Require user .... above, so the whole block under seems useless
135			+ # unless we reduce it to one user, or are fool to enlarge to Require valid-user
136			+# $OUT .= " <Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>\n\n";
137			+# $OUT .= " Allow from all\n";
138			+# $OUT .= " Require user $userlist\n\n";
139			+# $OUT .= " </Limit>\n\n";
140			+
141			+ $OUT .= " <LimitExcept GET POST PROPFIND OPTIONS CONNECT>\n";
142			+ $OUT .= " " . $WriteRequire . "\n";
143			+ $OUT .= " Satisfy All\n";
144			+ $OUT .= " ". $WriteAllow ."\n";
145			+ $OUT .= " </LimitExcept>\n\n";
146			$OUT .= "</Directory>\n";
147			}
148			}
149			+ else
150			+ {
151			+ $OUT .= "\n # DAV disabled for ibay $key\n";
152			+ }
153			}
154			}
155			diff -Nur smeserver-mod_dav-1.1.old/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/21IbayWebDav smeserver-mod_dav-1.1/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/21IbayWebDav
156			--- smeserver-mod_dav-1.1.old/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/21IbayWebDav 1969-12-31 19:00:00.000000000 -0500
157			+++ smeserver-mod_dav-1.1/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/21IbayWebDav 2021-03-02 11:57:55.866000000 -0500
158			@@ -0,0 +1,34 @@
159			+{
160			+# this fragment is to force SSL redirection for webdav activated account in case it is not already enabled
161			+# could be removed if core fragment 20IbaysContent introduce forced ssl for DAV
162			+ use esmith::AccountsDB;
163			+ my $adb = esmith::AccountsDB->open_ro();
164			+ $OUT = "";
165			+ foreach my $ibay ($adb->ibays)
166			+ {
167			+ my %properties = $ibay->props;
168			+ my $key = $ibay->key;
169			+ my $dynamicContent = $properties{'CgiBin'} \|\| "disabled";
170			+ my $secureEXEC = $properties{'ModDAVsecureEXEC'} \|\| 'enabled';
171			+ my $access = $properties{'PublicAccess'} \|\| 'none';
172			+ $OUT .= "\n # ibay $key disabled for httpd so no DAV access\n" if $access eq 'none';
173			+ next if $access eq 'none';
174			+ # true if have to be password accessible from somewhere.
175			+ my $ispassibay = $access =~ /-pw/;
176			+ my $satisfy = ($access eq 'global-pw-remote')? 'any': 'all';
177			+ if ($properties{'ModDav'})
178			+ {
179			+ if ($properties{'ModDav'} eq 'enabled')
180			+ {
181			+ # we force SSL redirection in case DAV is enabled
182			+ if (( $port ne $httpsPort ) && (($ibay->prop('SSL') \|\| 'disabled') ne 'enabled'))
183			+ {
184			+ my $portspec = ($httpsPort eq 443) ? "" : ":$httpsPort";
185			+ $OUT .= " RewriteEngine on\n";
186			+ $OUT .= " RewriteRule ^/$key(/.*\|\$) https://%{HTTP_HOST}${portspec}/$key\$1 \[L,R\]\n";
187			+ }
188			+ }
189			+ }
190			+ }
191			+}
192			+
193			diff -Nur smeserver-mod_dav-1.1.old/root/usr/share/perl5/vendor_perl/esmith/DAV.pm smeserver-mod_dav-1.1/root/usr/share/perl5/vendor_perl/esmith/DAV.pm
194			--- smeserver-mod_dav-1.1.old/root/usr/share/perl5/vendor_perl/esmith/DAV.pm 1969-12-31 19:00:00.000000000 -0500
195			+++ smeserver-mod_dav-1.1/root/usr/share/perl5/vendor_perl/esmith/DAV.pm 2021-03-02 12:07:13.442000000 -0500
196			@@ -0,0 +1,118 @@
197			+
198			+package esmith::DAV;
199			+
200			+use strict;
201			+use warnings;
202			+use esmith::AccountsDB;
203			+my $adb = esmith::AccountsDB->open_ro();
204			+
205			+use vars qw( $AUTOLOAD @ISA );
206			+
207			+ sub getRequireUser {
208			+ my ($mode, $key) = @_;
209			+ my $ibay = $adb->get($key) or return "Require user admin";
210			+ my %properties = $ibay->props or return "Require user admin";
211			+ my $iBayGroup = $properties{'Group'} \|\| 'admin';
212			+ my $accessMode = $properties{'UserAccess'} \|\| 'wr-admin-rd-group';
213			+ my $access = $properties{'PublicAccess'} \|\| 'none';
214			+ my $ispassibay = $access =~ /-pw/;
215			+ my $Anonymous = $properties{'ModDavAnonymousRead'} \|\| "enabled";
216			+ my $MEMBERS = getMembers( $key, $iBayGroup);
217			+ my $REQUIRE = "";
218			+ if ($mode eq "read")
219			+ {
220			+ if ($accessMode eq "wr-group-rd-everyone")
221			+ {
222			+ if ( $Anonymous eq "enabled" )
223			+ {
224			+ $REQUIRE = "# Allowing unauthenticated read access";
225			+ }
226			+ else
227			+ {
228			+ my $EVERYONE = join(' ' , ( (map { $_->key } $adb->users) , qw (admin) )); #shared user members
229			+ #$REQUIRE = "#wr-group-rd-everyone : members of shared\n";
230			+ $REQUIRE .= "Require user " . $EVERYONE;
231			+ }
232			+ }
233			+ else
234			+ {
235			+ $REQUIRE = "Require user " . $MEMBERS;
236			+ if ($accessMode eq "wr-admin-rd-group")
237			+ {
238			+ # add "admin" to the read group to avoid read/write auth conflicts
239			+ $REQUIRE .= " admin";
240			+ }
241			+ }
242			+ if ($ispassibay)
243			+ {
244			+ #we have local-pw or global-pw or global-pw-remote
245			+ $REQUIRE = ( $REQUIRE =~ /Require user / ) ? "$REQUIRE $key" : "Require user $key";
246			+ $REQUIRE .= " $MEMBERS" if ( $access =~ /remote/ );
247			+ }
248			+ }
249			+ else
250			+ {
251			+ if ($accessMode eq "wr-admin-rd-group")
252			+ {
253			+ $REQUIRE = "Require user admin";
254			+ }
255			+ else
256			+ {
257			+ $REQUIRE = "Require user " . $MEMBERS;
258			+ }
259			+ }
260			+ return $REQUIRE;
261			+ }
262			+
263			+ sub getAllow {
264			+ my ($mode, $key, $localAccess ) = @_;
265			+ $localAccess = (defined $localAccess ) ? $localAccess : "127.0.0.1";
266			+ my $ibay = $adb->get($key) or return "allow from 127.0.0.1";
267			+ my %properties = $ibay->props or return "allow from 127.0.0.1";
268			+ my $Public = $properties{'PublicAccess'} \|\| 'none';
269			+
270			+ my $allow = "allow from 127.0.0.1";
271			+ if ($Public eq 'none')
272			+ {
273			+ $allow = "# allow from set to NONE";
274			+ }
275			+ elsif ($Public =~ /(local\|remote)/ )
276			+ {
277			+ $allow = "allow from " . $localAccess;
278			+ }
279			+ elsif ($Public =~ /global/)
280			+ {
281			+ $allow = "allow from all";
282			+ }
283			+ return $allow;
284			+ }
285			+
286			+ sub getMembers {
287			+ my ($key, $iBayGroup) = @_;
288			+ my $MEMBERS = $key;
289			+ foreach my $group ( ($adb->groups, $adb->get('admin'), $adb->get('shared') ) )
290			+ {
291			+ my %groupprops = $group->props;
292			+ my $grpkey = $group->key;
293			+ if ($grpkey eq $iBayGroup)
294			+ {
295			+ # we have the group that owns the DAV iBay
296			+ # If there are members of the group validate on them,
297			+ # otherwise on the ibayname
298			+ my $GroupMembers = $groupprops{'Members'} \|\| undef;
299			+ $GroupMembers = "admin" if ( $grpkey eq "admin" );
300			+ $GroupMembers = join(' ' , ( (map { $_->key } $adb->users) , qw (admin) )) if ( $grpkey eq "shared" ) ;
301			+
302			+ if ($GroupMembers)
303			+ {
304			+ # need to break user list on commas then output each one...
305			+ my @values = split(',',$GroupMembers);
306			+ $MEMBERS = "" unless (!@values) ;
307			+ foreach my $val (@values) {
308			+ $MEMBERS .= $val . " ";
309			+ }
310			+ }
311			+ }
312			+ }
313			+ return $MEMBERS;
314			+ }