diff --git a/customer_extras.php b/customer_extras.php
index 0bc41701..104d4b2c 100644
--- a/customer_extras.php
+++ b/customer_extras.php
@@ -111,74 +111,15 @@ if ($page == 'overview') { } } elseif ($action == 'add') { if (isset($_POST['send']) && $_POST['send'] == 'send') { - $path = makeCorrectDir(validate($_POST['path'], 'path')); - $userpath = $path; - $path = makeCorrectDir($userinfo['documentroot'] . '/' . $path); - $username = validate($_POST['username'], 'username', '/^[a-zA-Z0-9][a-zA-Z0-9\-_]+\$?$/'); - $authname = validate($_POST['directory_authname'], 'directory_authname', '/^[a-zA-Z0-9][a-zA-Z0-9\-_ ]+\$?$/'); - validate($_POST['directory_password'], 'password'); - - $username_path_check_stmt = Database::prepare("SELECT `id`, `username`, `path` FROM `" . TABLE_PANEL_HTPASSWDS . "` - WHERE `username`= :username - AND `path`= :path - AND `customerid`= :customerid"); - $params = array( - "username" => $username, - "path" => $path, - "customerid" => $userinfo['customerid'] - ); - Database::pexecute($username_path_check_stmt, $params); - $username_path_check = $username_path_check_stmt->fetch(PDO::FETCH_ASSOC); - - if (CRYPT_STD_DES == 1) { - $saltfordescrypt = substr(md5(uniqid(microtime(), 1)), 4, 2); - $password = crypt($_POST['directory_password'], $saltfordescrypt); - } else { - $password = crypt($_POST['directory_password']); - } - - if (! $_POST['path']) { - standard_error('invalidpath'); - } - - if ($username == '') { - standard_error(array( - 'stringisempty', - 'myloginname' - )); - } elseif ($username_path_check['username'] == $username && $username_path_check['path'] == $path) { - standard_error('userpathcombinationdupe'); - } elseif ($_POST['directory_password'] == '') { - standard_error(array( - 'stringisempty', - 'mypassword' - )); - } elseif ($path == '') { - standard_error('patherror'); - } elseif ($_POST['directory_password'] == $username) { - standard_error('passwordshouldnotbeusername'); - } else { - $stmt = Database::prepare("INSERT INTO `" . TABLE_PANEL_HTPASSWDS . 
"` SET - `customerid` = :customerid, - `username` = :username, - `password` = :password, - `path` = :path, - `authname` = :authname"); - $params = array( - "customerid" => $userinfo['customerid'], - "username" => $username, - "password" => $password, - "path" => $path, - "authname" => $authname - ); - Database::pexecute($stmt, $params); - $log->logAction(USR_ACTION, LOG_INFO, "added htpasswd for '" . $username . " (" . $path . ")'"); - inserttask('1'); - redirectTo($filename, array( - 'page' => $page, - 's' => $s - )); + try { + DirProtections::getLocal($userinfo, $_POST)->add(); + } catch (Exception $e) { + dynamic_error($e->getMessage()); } + redirectTo($filename, array( + 'page' => $page, + 's' => $s + )); } else { $pathSelect = makePathfield($userinfo['documentroot'], $userinfo['guid'], $userinfo['guid']); 
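Review bot: The `redirectTo($filename, array('page' => $page, 's' => $s));` that now follows the `try`/`catch` on the add branch runs even after `dynamic_error($e->getMessage())`, so if `dynamic_error` returns instead of terminating the request the failure is lost and the user is redirected as if the add had succeeded; either move the redirect into the `try` directly after the `->add()` call or follow the `dynamic_error` call with `return;`. The update branch in the next hunk has the same shape. Separately, the caught message is shown to the customer verbatim, so if the API layer rethrows driver-level errors from `Database::pexecute`, internal SQL text would reach the page; consider mapping non-validation exceptions to a generic message — neither `dynamic_error` nor the API `add()` is visible here to confirm what they emit. The enclosing `elseif ($action == 'add')` block ends outside this hunk.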
@@ -191,65 +132,26 @@ if ($page == 'overview') { eval("echo \"" . getTemplate("extras/htpasswds_add") . "\";"); } } elseif ($action == 'edit' && $id != 0) { - $result_stmt = Database::prepare("SELECT * FROM `" . TABLE_PANEL_HTPASSWDS . "` - WHERE `customerid`= :customerid - AND `id`= :id"); - Database::pexecute($result_stmt, array( - "customerid" => $userinfo['customerid'], - "id" => $id - )); - $result = $result_stmt->fetch(PDO::FETCH_ASSOC); + try { + $json_result = DirProtections::getLocal($userinfo, array( + 'id' => $id + ))->get(); + } catch (Exception $e) { + dynamic_error($e->getMessage()); + } + $result = json_decode($json_result, true)['data']; if (isset($result['username']) && $result['username'] != '') { if (isset($_POST['send']) && $_POST['send'] == 'send') { - validate($_POST['directory_password'], 'password'); - $authname = validate($_POST['directory_authname'], 'directory_authname', '/^[a-zA-Z0-9][a-zA-Z0-9\-_ ]+\$?$/'); - - if (CRYPT_STD_DES == 1) { - $saltfordescrypt = substr(md5(uniqid(microtime(), 1)), 4, 2); - $password = crypt($_POST['directory_password'], $saltfordescrypt); - } else { - $password = crypt($_POST['directory_password']); - } - - if ($_POST['directory_password'] == $result['username']) { - standard_error('passwordshouldnotbeusername'); - } - - $params = array( - "customerid" => $userinfo['customerid'], - "id" => $id - ); - - $pwd_sql = ''; - if ($_POST['directory_password'] != '') { - $pwd_sql = "`password`= :password "; - $params["password"] = $password; - } - - $auth_sql = ''; - if ($authname != $result['authname']) { - $auth_sql = "`authname`= :authname "; - $params["authname"] = $authname; - } - - if ($pwd_sql != '' || $auth_sql != '') { - if ($pwd_sql != '' && $auth_sql != '') { - $pwd_sql .= ', '; - } - - $stmt = Database::prepare("UPDATE `" . TABLE_PANEL_HTPASSWDS . "` - SET " . $pwd_sql . $auth_sql . 
" - WHERE `customerid`= :customerid - AND `id`= :id"); - Database::pexecute($stmt, $params); - $log->logAction(USR_ACTION, LOG_INFO, "edited htpasswd for '" . $result['username'] . " (" . $result['path'] . ")'"); - inserttask('1'); - redirectTo($filename, array( - 'page' => $page, - 's' => $s - )); + try { + DirProtections::getLocal($userinfo, $_POST)->update(); + } catch (Exception $e) { + dynamic_error($e->getMessage()); } + redirectTo($filename, array( + 'page' => $page, + 's' => $s + )); } else { if (strpos($result['path'], $userinfo['documentroot']) === 0) { $result['path'] = str_replace($userinfo['documentroot'], "/", $result['path']); diff --git a/lib/classes/api/commands/class.DirProtections.php b/lib/classes/api/commands/class.DirProtections.php index c8b296a5..e654cd4b 100644 --- a/lib/classes/api/commands/class.DirProtections.php +++ b/lib/classes/api/commands/class.DirProtections.php 
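Review bot: On the edit branch `DirProtections::getLocal($userinfo, $_POST)->update()` relies on the posted form carrying an `id` field, while the record shown to the user was loaded with the request's already-checked `$id`; passing it explicitly, `DirProtections::getLocal($userinfo, array_merge($_POST, array('id' => $id)))->update();`, keeps the displayed and the updated record the same and no longer depends on a hidden field this hunk does not show. Likewise `$result = json_decode($json_result, true)['data'];` is reached with `$json_result` undefined when the preceding `catch` runs and `dynamic_error` returns rather than exiting; if it does exit, a `return;` after the call would make that explicit to the reader. The enclosing `elseif ($action == 'edit' && $id != 0)` block ends outside this hunk.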
@@ -166,7 +166,70 @@ class DirProtections extends ApiCommand implements ResourceEntity } public function update() - {} + { + $id = $this->getParam('id', true, 0); + $un_optional = ($id <= 0 ? false : true); + $username = $this->getParam('username', $un_optional, ''); + + // validation + $result = $this->apiCall('DirProtections.get', array( + 'id' => $id, + 'username' => $username + )); + $id = $result['id']; + + // parameters + $password = $this->getParam('directory_password', true, ''); + $authname = $this->getParam('directory_authname', true, $result['authname']); + + // get needed customer info + $customer = $this->getCustomerData(); + + // validation + $authname = validate($authname, 'directory_authname', '/^[a-zA-Z0-9][a-zA-Z0-9\-_ ]+\$?$/', '', array(), true); + validate($password, 'password', '', '', array(), true); + + $upd_query = ""; + $upd_params = array( + "id" => $result['id'], + "cid" => $customer['customerid'] + ); + if (! empty($password)) { + if ($password == $result['username']) { + standard_error('passwordshouldnotbeusername', '', true); + } + if (CRYPT_STD_DES == 1) { + $saltfordescrypt = substr(md5(uniqid(microtime(), 1)), 4, 2); + $password_enc = crypt($password, $saltfordescrypt); + } else { + $password_enc = crypt($password); + } + $upd_query .= "`password`= :password_enc"; + $upd_params['password_enc'] = $password_enc; + } + if ($authname != $result['authname']) { + if (! empty($upd_query)) { + $upd_query .= ", "; + } + $upd_query .= "`authname` = :authname"; + $upd_params['authname'] = $authname; + } + + // build update query + if (! empty($upd_query)) { + $upd_stmt = Database::prepare(" + UPDATE `" . TABLE_PANEL_HTPASSWDS . "` SET " . $upd_query . " WHERE `id` = :id AND `customerid`= :cid + "); + Database::pexecute($upd_stmt, $upd_params, true, true); + inserttask('1'); + } + + $this->logger()->logAction($this->isAdmin() ? ADM_ACTION : USR_ACTION, LOG_INFO, "[API] updated directory-protection '" . $result['username'] . " (" . 
$result['path'] . ")'"); + $result = $this->apiCall('DirProtections.get', array( + 'id' => $result['id'] + )); + return $this->response(200, "successfull", $result); + } /** * list all directory-protections, if called from an admin, list all directory-protections of all customers you are allowed to view, or specify id or loginname for one specific customer @@ -192,7 +255,7 @@ class DirProtections extends ApiCommand implements ResourceEntity WHERE `customerid` IN (:customerids) "); Database::pexecute($result_stmt, array( - "customerids" => $customer_ids + "customerids" => implode(', ', $customer_ids) ), true, true); while ($row = $result_stmt->fetch(PDO::FETCH_ASSOC)) { $result[] = $row; diff --git a/tests/Extras/ExtrasTest.php b/tests/Extras/ExtrasTest.php index 704f2281..5e4f36cf 100644 --- a/tests/Extras/ExtrasTest.php +++ b/tests/Extras/ExtrasTest.php 
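Review bot: `update()` hashes the new password with `crypt()` — the `CRYPT_STD_DES == 1` branch yields a traditional DES hash that uses only the first eight characters of the password and a two-character salt derived from `md5(uniqid(microtime(), 1))`, and the `else` branch calls `crypt($password)` with no salt, which PHP has deprecated and which PHP 8 rejects. Apache 2.4's htpasswd format accepts bcrypt, so `$password_enc = password_hash($password, PASSWORD_BCRYPT);` would be the stronger, forward-compatible choice if the web server in use supports it — that cannot be confirmed from this hunk, and the same logic was present in the removed `customer_extras.php` code. Minor points: `$password == $result['username']` should be a strict `===` comparison, and `$un_optional = ($id <= 0 ? false : true);` reads more plainly as `$un_optional = $id > 0;`.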
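Review bot: `"customerids" => implode(', ', $customer_ids)` binds a single string such as `'1, 2, 3'` to the one `:customerids` placeholder, so the query becomes `IN ('1, 2, 3')` and matches only the customer whose id the string coerces to, silently dropping the other allowed customers from the listing instead of fixing the original array-to-string problem. One placeholder per id has to be generated and bound individually, as below; the empty-`$customer_ids` case still needs a guard, as it did before. The `Database::prepare("` call that opens this statement begins above the hunk, so its `SELECT` line is not shown and is left as a comment in the excerpt.
```php
$cid_params = array();
foreach (array_values($customer_ids) as $idx => $cid) {
    $cid_params['cid' . $idx] = $cid;
}
// … unchanged: Database::prepare(" … SELECT … (opens above this hunk) …
    WHERE `customerid` IN (:" . implode(', :', array_keys($cid_params)) . ")
");
Database::pexecute($result_stmt, $cid_params, true, true);
// … unchanged: fetch loop …
```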
@@ -117,4 +117,73 @@ class ExtrasTest extends TestCase $this->assertEquals($customer_userdata['documentroot'] . 'test/', $result['path']); $this->assertEquals('test1', $result['authname']); } + + /** + * @depends testCustomerDirProtectionsAdd + */ + public function testCustomerDirProtectionsUpdate() + { + global $admin_userdata; + + // get customer + $json_result = Customers::getLocal($admin_userdata, array( + 'loginname' => 'test1' + ))->get(); + $customer_userdata = json_decode($json_result, true)['data']; + + $json_result = DirProtections::getLocal($customer_userdata, array('id' => 1))->get(); + $data_old = json_decode($json_result, true)['data']; + + $data = [ + 'id' => 1, + 'directory_password' => generatePassword(), + 'directory_authname' => 'test1337' + ]; + $json_result = DirProtections::getLocal($customer_userdata, $data)->update(); + $result = json_decode($json_result, true)['data']; + $this->assertTrue($data_old['password'] != $result['password']); + $this->assertTrue($data_old['authname'] != $result['authname']); + $this->assertEquals('test1337', $result['authname']); + } + + /** + * @depends testCustomerDirProtectionsAdd + */ + public function testCustomerDirProtectionsList() + { + global $admin_userdata; + + // get customer + $json_result = Customers::getLocal($admin_userdata, array( + 'loginname' => 'test1' + ))->get(); + $customer_userdata = json_decode($json_result, true)['data']; + + $json_result = DirProtections::getLocal($customer_userdata)->listing(); + $result = json_decode($json_result, true)['data']; + $this->assertEquals(2, $result['count']); + $this->assertEquals('test1', $result['list'][0]['username']); + $this->assertEquals('testing', $result['list'][1]['username']); + } + + /** + * @depends testCustomerDirProtectionsList + */ + public function testCustomerDirProtectionsDelete() + { + global $admin_userdata; + + // get customer + $json_result = Customers::getLocal($admin_userdata, array( + 'loginname' => 'test1' + ))->get(); + 
$customer_userdata = json_decode($json_result, true)['data']; + + DirProtections::getLocal($customer_userdata, array('username' => 'testing'))->delete(); + + $json_result = DirProtections::getLocal($customer_userdata)->listing(); + $result = json_decode($json_result, true)['data']; + $this->assertEquals(1, $result['count']); + $this->assertEquals('test1', $result['list'][0]['username']); + } }
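Review bot: `testCustomerDirProtectionsList` and `testCustomerDirProtectionsDelete` assert on `$result['list'][0]['username']` and `$result['list'][1]['username']`, but the listing query in the hunk above shows no `ORDER BY`, so these assertions depend on the storage engine's return order; compare a sorted `array_column($result['list'], 'username')` against the expected names, or give the listing an explicit order. In `testCustomerDirProtectionsUpdate`, `$this->assertTrue($data_old['password'] != $result['password']);` reads better as `$this->assertNotEquals($data_old['password'], $result['password']);`, which also reports both values on failure. The "get customer" block is copied into all three new tests and could become a private helper returning `$customer_userdata`.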