From 20714aee0d2d2a989d93d6065e081aed8ac85fbf Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Wed, 10 Oct 2012 00:05:34 -0400
Subject: [PATCH] Finer-grained repository access permissions (issue 36)

Implemented discrete repository access permissions to replace the
really primitive course-grained permissions used to this point.  This
implementation allows for finer-grained access control, but still
falls short of integrated, branch-based permissions sought by some.

Access permissions follow the conventions established by Gitosis and
Gitolite so they should feel immediately comfortable to experienced
users.  This permissions infrastructure is complete and works exactly as
expected.  Unfortunately, there is no ui in this commit to change
permissions, that will be forthcoming.  In the meantime, Gitblit
hot-reloads users.conf so the permissions can be manipulated at runtime
with a text editor.

The following per-repository permissions are now supported:
- V (view in web ui, RSS feeds, download zip)
- R (clone)
- RW (clone and push)
- RWC (clone and push with ref creation)
- RWD (clone and push with ref creation, deletion)
- RW+ (clone and push with ref creation, deletion, rewind)

And a users.conf entry looks something like this:

	[user "hannibal"]
		password = bossman
		repository = RWD:topsecret.git
---
 docs/01_features.mkd                          |   13 +-
 docs/01_setup.mkd                             |   68 +-
 docs/04_releases.mkd                          |   16 +-
 docs/permissions_matrix.ods                   |  Bin 0 -> 18502 bytes
 docs/permissions_matrix.png                   |  Bin 0 -> 42519 bytes
 src/com/gitblit/ConfigUserService.java        |  148 +-
 src/com/gitblit/Constants.java                |   72 +
 src/com/gitblit/DownloadZipFilter.java        |    2 +-
 src/com/gitblit/FederationPullExecutor.java   |   49 +-
 src/com/gitblit/FileUserService.java          |  142 +-
 src/com/gitblit/GitBlit.java                  |   71 +-
 src/com/gitblit/GitFilter.java                |   46 +-
 src/com/gitblit/GitServlet.java               |   35 +-
 src/com/gitblit/GitblitUserService.java       |   12 +
 src/com/gitblit/IUserService.java             |   22 +-
 src/com/gitblit/PagesFilter.java              |    2 +-
 src/com/gitblit/SyndicationFilter.java        |    2 +-
 src/com/gitblit/models/RepositoryModel.java   |    7 +-
 src/com/gitblit/models/TeamModel.java         |  135 +-
 src/com/gitblit/models/UserModel.java         |  177 +-
 src/com/gitblit/utils/JsonUtils.java          |   20 +
 src/com/gitblit/wicket/pages/BasePage.java    |    2 +-
 src/com/gitblit/wicket/pages/ForkPage.java    |    2 +-
 src/com/gitblit/wicket/pages/ForksPage.java   |    2 +-
 .../gitblit/wicket/pages/RepositoryPage.java  |    4 +-
 src/com/gitblit/wicket/pages/RootPage.java    |    2 +-
 tests/com/gitblit/tests/FederationTests.java  |    2 +-
 tests/com/gitblit/tests/GitBlitSuite.java     |    2 +-
 tests/com/gitblit/tests/GitBlitTest.java      |   23 +-
 tests/com/gitblit/tests/GitServletTest.java   |  217 ++
 tests/com/gitblit/tests/JGitUtilsTest.java    |    4 +-
 tests/com/gitblit/tests/PermissionsTest.java  | 2391 +++++++++++++++++
 tests/com/gitblit/tests/RpcTests.java         |    4 +-
 tests/com/gitblit/tests/UserServiceTest.java  |   84 +-
 34 files changed, 3551 insertions(+), 227 deletions(-)
 create mode 100644 docs/permissions_matrix.ods
 create mode 100644 docs/permissions_matrix.png
 create mode 100644 tests/com/gitblit/tests/PermissionsTest.java

diff --git a/docs/01_features.mkd b/docs/01_features.mkd
index 2baacf20..e1c0afa4 100644
--- a/docs/01_features.mkd
+++ b/docs/01_features.mkd
@@ -1,12 +1,21 @@
 ## Standard Features (GO/WAR)
 - JGit SmartHTTP servlet
 - Browser and git client authentication
-- Four *per-repository* access control configurations with a Read-Only control flag
+- Four *per-repository* access restriction configurations with a Read-Only control flag
     - ![anonymous](blank.png) *Anonymous View, Clone & Push*
     - ![push](lock_go_16x16.png) *Authenticated Push*
     - ![clone](lock_pull_16x16.png) *Authenticated Clone & Push*
     - ![view](shield_16x16.png) *Authenticated View, Clone & Push*
     - ![freeze](cold_16x16.png) Freeze repository (i.e. deny push, make read-only)
+- Six *per-user/team* repository access permissions
+    - **V** (view in web ui, RSS feeds, download zip)
+    - **R** (clone)
+    - **RW** (clone and push)
+    - **RWC** (clone and push with ref creation)
+    - **RWD** (clone and push with ref creation, deletion)
+    - **RW+** (clone and push with ref creation, deletion, rewind)
+- Optional feature to allow users to create personal repositories
+- Optional feature to fork a repository to a personal repository
 - Ability to federate with one or more other Gitblit instances
 - RSS/JSON RPC interface
 - Java/Swing Gitblit Manager tool 
@@ -38,7 +47,7 @@
 - Single text file for users configuration
 - Optional utility pages
     - ![docs](book_16x16.png) Docs page which enumerates all Markdown files within a repository
-    - ![tickets](bug_16x16.png) Ticgit ticket pages *(based on last MIT release bf57b032 2009-01-27)*
+    - ![tickets](bug_16x16.png) **readonly** Ticgit ticket pages *(based on last MIT release bf57b032 2009-01-27)*
 - Translations
     - English
     - Japanese
diff --git a/docs/01_setup.mkd b/docs/01_setup.mkd
index fa1bcd90..1cebb3b7 100644
--- a/docs/01_setup.mkd
+++ b/docs/01_setup.mkd
@@ -244,6 +244,25 @@ All repositories created with Gitblit are *bare* and will automatically have *.g
 #### Repository Owner
 The *Repository Owner* has the special permission of being able to edit a repository through the web UI.  The Repository Owner is not permitted to rename the repository, delete the repository, or reassign ownership to another user.
 
+### Access Restrictions and Access Permissions
+![permissions matrix](permissions_matrix.png "Permissions and Restrictions")
+
+#### Discrete Permissions (Gitblit v1.2.0+)
+
+Since v1.2.0, Gitblit supports more discrete permissions.  While Gitblit does not offer a built-in solution for branch-based permissions like Gitolite, it does allow for the following repository access permissions:
+
+- **V** (view in web ui, RSS feeds, download zip)
+- **R** (clone)
+- **RW** (clone and push)
+- **RWC** (clone and push with ref creation)
+- **RWD** (clone and push with ref creation, deletion)
+- **RW+** (clone and push with ref creation, deletion, rewind)
+
+#### No-So-Discrete Permissions (Gitblit <= v1.1.0)
+
+Prior to v1.2.0, Gitblit had two main access permission groupings:  
+What you were permitted to do as an anonymous user and then **RW+** for any permitted user.
+
 ### Teams
 
 Since v0.8.0, Gitblit supports *teams* for the original `users.properties` user service and the current default user service `users.conf`.  Teams have assigned users and assigned repositories.  A user can be a member of multiple teams and a repository may belong to multiple teams.  This allows the administrator to quickly add a user to a team without having to keep track of all the appropriate repositories. 
@@ -257,11 +276,12 @@ The `users.conf` file uses a Git-style configuration format:
 	    password = admin
 	    role = "#admin"
 	    role = "#notfederated"
-	    repository = repo1.git
-	    repository = repo2.git
+	    repository = RW+:repo1.git
+	    repository = RW+:repo2.git
 	    
 	[user "hannibal"]
 		password = bossman
+		repository = RWD:topsecret.git
 
 	[user "faceman"]
 		password = vanity
@@ -277,7 +297,7 @@ The `users.conf` file uses a Git-style configuration format:
 		user = faceman
 		user = murdock
 		user = babaracus
-		repository = topsecret.git
+		repository = RW:topsecret.git
 		mailingList = list@ateam.org
 		postReceiveScript = sendmail
 
@@ -291,15 +311,49 @@ The format of `users.properties` loosely follows Jetty's convention for HashReal
     username=password,role1,role2,role3...
     @teamname=&mailinglist,!username1,!username2,!username3,repository1,repository2,repository3...
 
-#### Usernames
+### Usernames
 Usernames must be unique and are case-insensitive.  
 Whitespace is illegal.
 
-#### Passwords
+### Passwords
 User passwords are CASE-SENSITIVE and may be *plain*, *md5*, or *combined-md5* formatted (see `gitblit.properties` -> *realm.passwordStorage*).
 
-#### User Roles
-There are two actual *roles* in Gitblit: *#admin*, which grants administrative powers to that user, and *#notfederated*, which prevents an account from being pulled by another Gitblit instance.  Administrators automatically have access to all repositories.  All other *roles* are repository names.  If a repository is access-restricted, the user must have the repository's name within his/her roles to bypass the access restriction.  This is how users are granted access to a restricted repository.
+### User Roles
+There are four actual *roles* in Gitblit:
+
+- *#admin*, which grants administrative powers to that user
+- *#notfederated*, which prevents an account from being pulled by another Gitblit instance
+- *#create*, which allows the user the power to create personal repositories
+- *#fork*, which allows the user to create a personal fork of an existing Gitblit-hosted repository
+
+Administrators automatically have access to all repositories.  All other *roles* are repository permissions.  If a repository is access-restricted, the user must have the repository's name within his/her roles to bypass the access restriction.  This is how users are granted access to a restricted repository.
+
+**NOTE:**  
+The following roles are equivalent:
+
+- myrepo.git
+- RW+:myrepo.git
+
+This is to preserve backwards-compatibility with Gitblit <= 1.1.0 which granted rewind power to all access-permitted users.
+
+### Personal Repositories & Forks
+
+Personal Repositories and Forks are related but are controlled individually.
+
+#### Creating a Personal Repository
+A user may be granted the power to create personal repositories by specifying the *#create* role through the web ui or through the RPC mechanism via the Gitblit Manager.  Personal repositories are exactly like common/shared repositories except that the owner has a few additional administrative powers for that repository, like rename and delete.
+
+#### Creating a Fork
+A user may also be granted the power to fork an existing repository hosted on your Gitblit server to their own personal clone by specifying the *#fork* role through the web ui or via the Gitblit Manager.
+
+Forks are mostly likely personal repositories or common/shared repositories except for two important differences:
+
+1. Forks inherit a view/clone access list from the origin repository.  
+i.e. if Team A has clone access to the origin repository, then by default Team A also has clone access to the fork.  This is to facilitate collaboration.
+2. Forks are always listed in the fork network, regardless of any access restriction set on the fork.  
+In other words, if you fork *RepoA.git* to *~me/RepoA.git* and then set the access restriction of *~me/RepoA.git* to *Authenticated View, Clone, & Push* your fork will still be listed in the fork network for *RepoA.git*.
+
+If you really must have an invisible fork, the clone it locally, create a new personal repository for your invisible fork, and push it back to that personal repository.
 
 ## Alternative Authentication and Authorization
 
diff --git a/docs/04_releases.mkd b/docs/04_releases.mkd
index 31c503c0..bb9b7340 100644
--- a/docs/04_releases.mkd
+++ b/docs/04_releases.mkd
@@ -17,18 +17,26 @@ If you are updating from an earlier release AND you have indexed branches with t
 - Fixed connection leak in LDAPUserService (issue 139)
 - Fixed bug in commit page where changes to a submodule threw a null pointer exception (issue 132)
 - Fixed bug in the diff view for filenames that have non-ASCII characters (issue 128)
-- Fix missing translations in Gitblit Manager (issue 145)
 
 #### additions
 
-- Added simple project pages.  A project is a subfolder off the *git.repositoriesFolder*.
+- Implemented discrete repository permissions (issue 36)  
+    - V (view in web ui, RSS feeds, download zip)
+    - R (clone)
+    - RW (clone and push)
+    - RWC (clone and push with ref creation)
+    - RWD (clone and push with ref creation, deletion)
+    - RW+ (clone and push with ref creation, deletion, rewind)  
+While not as sophisticated as Gitolite, this does give finer access controls.  These permissions fit in cleanly with the existing users.conf and users.properties files.  In Gitblit <= 1.1.0, all your existing user accounts have RW+ access.   If you are upgrading to 1.2.0, the RW+ access is *preserved* and you will have to lower/adjust accordingly.
+- Added DELETE, CREATE, and NON-FAST-FORWARD ref change logging
 - Added support for personal repositories.  
 Personal repositories can be created by accounts with the *create* permission and are stored in *git.repositoriesFolder/~username*.  Each user with personal repositories will have a user page, something like the GitHub profile page.  Personal repositories have all the same features as common repositories, except personal repositories can be renamed by their owner.
 - Added support for server-side forking of a repository to a personal repository (issue 137)  
-In order to fork a repository, the user account must have the *fork* permission **and** the repository must *allow forks*.  The clone inherits the access restrictions of its origin.  i.e. if Team A has access to the origin repository, then by default Team A also has access to the fork.  This is to facilitate collaboration.  The fork owner may change access to the fork and add/remove users/teams, etc as required __however__ it should be noted that all personal forks will be enumerated in the fork network regardless of access view restrictions.  If you really must have an invisible fork, the clone it locally, create a new repository for your invisible fork, and push it back.
+In order to fork a repository, the user account must have the *fork* permission **and** the repository must *allow forks*.  The clone inherits the access list of its origin.  i.e. if Team A has clone access to the origin repository, then by default Team A also has clone access to the fork.  This is to facilitate collaboration.  The fork owner may change access to the fork and add/remove users/teams, etc as required <u>however</u> it should be noted that all personal forks will be enumerated in the fork network regardless of access view restrictions.  If you really must have an invisible fork, the clone it locally, create a new repository for your invisible fork, and push it back to Gitblit.
+- Added simple project pages.  A project is a subfolder off the *git.repositoriesFolder*.
 - Added support for X-Forwarded-Context for Apache subdomain proxy configurations (issue 135)
 - Delete branch feature (issue 121, Github/ajermakovics)
-- Added line links to blob view at the expense of zebra striping (issue 130)
+- Added line links to blob view (issue 130)
 - Added RedmineUserService (github/mallowlabs)
 
 #### changes
diff --git a/docs/permissions_matrix.ods b/docs/permissions_matrix.ods
new file mode 100644
index 0000000000000000000000000000000000000000..6df0b4db9cfd0535f044259f8c9b42f34e3623dd
GIT binary patch
literal 18502
zcmeIaby!`=(k~1o1b27W;O_1k+#xs{cXto&1PBl;1lQnBaCdiicl$OolQVP9J9EGD
zKKI|-JbSZNcU5(Dt?sH{uf1x0kbd(P6$Atl1Ox$HN-)ThGmH)d1myJttOBtDSQ$II
z*&6HH+FAk(^&J5=*7VNSMszm%4gd!_8(U**BO5~}D`RU%ItN>OV|^nBGh<`N5C109
zeO+Ai_6-Qg>*qI_#*X@Qu2z;j{J<|lXJdN@pj2LBMmh#!LSt(~8zX?VDKD{#vKTD~
zF+U$PkBx~5z|ffMS4Xr!jr0kDtkw=(zc=v`JK0-v{iYI^wZ4_H1DB&A*I#wx`YScp
zZyo(!<7x@8w%{c;b9A)jqNjIpaiMczrn9j(rDx>i<fQ+tmH3aYj12!pXX|8d`5Tpy
zA-%Ds@$2Xv=o#r4>3`9_YWUwO^-B9!m27Nm{?*az7=9n(Z{0C5FtE`7e*UW`Q+p#L
z%YV`TWdJ~0W_nY4BYj7GT4#W<3kfmdA9nnU!I_Bpep&Zb4L+XVlmS=+90B^4w1&Xz
z>1bomC-rJlLRlMAV|yO@zoqz{?>BnjrKAORYRt#Pz{o_)$Uw`$sm#dE#l*qI%Jc{K
zztiy;8FKw60}~S$3kMeyClCFv##gGp)#oquziVM^1k~Qzl-9_}{<rDM_d%Ief{|I4
znN8`B{{IKXzcU)T8Cn`U@G-Le2l*fMzZ07pTN?xA1Fa(iFt9h4|80uWGt;q>$^fjL
zT=mpB*!0*~2>;TkXKQa`ZfxjC&&<kT#YigT1h6!s{biCr#r-bc)*fK(Xlz7l;PyAx
z|4ZXvsQ=FD%&c5241WycH?H4_e&_nvdU9|C8p^>DU`Y7e#dXv-ur#JMv~jX_<RxY%
z{=L%B*b+D)ey?NsRcT}JI-p<G48-(&Jbz42uHUEAud{!3^;`At-T@L4@;8qIbTa=c
zu)re+W5?I)=kV$wjx-kR*EtZqR>~yqoWk2N<FJ(csDwMnK#?sCaa;Rpz@&`&-uGdi
zU%huok;43J3}Rzdn1msqnrZz*Grw``;N${QZ;)^!G%i)~KARdN<}Hhek)o2AbJ3~n
zo$kv<Dj$Cih^jC)DH3URTNa`{bZg9dpqg5=g;a+`B3P7bqA%omA!H#-un~!>7k^`e
zat(Hhp@^<UzjA1uCe1g%JsGV}mZc)iUW2YS-;xX*rJGp1uu6$ZtC}d)Qx+wPI#!kP
zw*vFLy8ANi;z-XOY}o>v$8rttC-;(%S1JNvVktIs)14^*R?))ZVMG}pSJ^qT8-;E`
z+&fHcSg^G2{_QOFpXWrxLIp)LU73R3Fm(`_qI|uEs9}3_W+mDRWpcqM0xT)VEKgeX
z%ABYzh<<gx5|BF#i>lxgOKH^!v1?uEA(*fe)^)~Y7&2nMiX-b;ms&|CU$va)1-Ldd
zVV@`sWQkDo-hh>-Fv!i3Y)SOqy0~yQIvRcT4D_DIqR@*DIQ|g4Oo;@d#VD37FI?9Q
zs?;wRYS;S~`dnzG(t9JzA!F?3ddJu1E!fa1^3q$Q${yZ%yHy;IkwGmSbq9iiFQFc~
z&&yxgz9X`5k(7%AjHDB)#2nx4gM6{fDZSfJC-8+DoV`lkRTKBuQcA7CnkTo;RD=ap
z*dGCLsKasZS$znsI5~@(L*Uht9$tx8R^9Ywx_KL6aQLQ%KiubuzgsS<LPk&+ow+O;
z)?}&;>C8D48-b~zI`c${P~9Hv**C1|tB(_OwD|CcG*qP;@JN7jpwzsI#spn-u>$|0
z1-$Ma2%W4vvB7xt8$rsnc<lt5Pa;gR@Vh$CF_3ekf)+@3s17jJJBwA66_BA;=3sQI
z*J7C)MkT(Do=XXv-`WGUk8hr#AI->@gI6?yGNEnAyhBYwPgq}MRvRPv*&J0*yK(I-
z1pTRU-Zr<Bgzom5e_V<^&S=ZxcpTPejbVtfIz7?m+e~M7M-BXzOD}aw9FoHvCQSG-
zyifCu7-Lc^zZyCtLlQtF$#FgEURD4sl%H1ATMU{3SuhO*LXt15YEc8ggWBh8xcdga
zj2cb^M2pgi@9<GW`2^j2E;nNVZQ6?Zo?fipM+?bso2G5njrmzPQ@;-@YI)rRagW-J
zJABz}{$y^+@pRgCxBd;T2qwgy{r)V&y%?7^j9f(N*tyvGOc8xgv4pruV;-MIcatQx
zeR^`Cb}JvLOI0~<7bvyU(YJ=(mA3_vQZ^YL7#`Ly%k%>_oHu=}hI&Q2IW;Yi+%8J1
z@F$rpyhD#yW-H4N8`B*Vw(CE%e1eVzu6pE<m%jr}x>uh}QrU9a2a_vx7bH8cMNV2_
zPXdO0JxW8oIOXRr_eII!Ngmhd_8*r#;UXYz$Jma=OS+FfOvINTDJNNAb$905g^FXh
zoFCSm)SJ|hcVg>(%d(hP)b$G0%qxGAZSccR;%4Y%^aeHO@koV*tB;B^b&kv`L=dYj
zi7iSU-gREauD$dtNi9i}+?ck*_L@lH<IWk#cq(kX&Q*OFLA%!Ru4>7y{pNc#QbfTZ
z-vWMke+$2v$!p~rpuiYZJi3R*a#h3?Q;<y58$Fm9+Ej`>|9sGWUZG`&fW^oGw#i83
zC(#zQ&{lPs_3>T$RCof!_|JqLHHICHI2^kO43hd3b^+fDi0Pfu+n2-^x|3(FR;`e4
zq}+(TaAxC_CNZX_YlrOmI|n-OUuP%iiLco>x-xaE&~KW3OJCqVNJBvG!5NBDgM)x{
z;DdntvyX)V`dC97U~~aOwpSOcqvfzrhvt1!wo1wTup0c$wSpF4b&}g>Qo}6S_@hd4
zfju;kl!denR6u&ajJ_>RA|-(cD?3+tSfs}H&6kA`2YABKmM3GRpl+00SR~JxD*6ZB
zHwKw+A>~ipeLU~X;N4pnU-pt@$a_O_d~YS+GO~O5*WX%)j(v`-TyE4AItv8}o`np6
ztVFsICk?K{WGz&TR@Bvi*%<iX<|?I)H?-zo1fNv>qvB)nFeh1Q6g=hU*Yl3=Q)?*M
zT(0dx4nl!bIheN9<Xyxfw+}it-EKUU#dn_GoG$cG>6+KJ9M$8?iXU5Z!%?umDf`*9
zBTAVJR?=G)eT^i9C_I;(FO=Z;)Ez^e_RjWnu!u28CI-@pjA4qrFsfkf08kiFnhyw1
zdBXbI&msNk;Dg;8r|)%wPL^+Pi@RFi98~Sf=<)ezu7!yeHj!ElDf5X|RHkA%Iq?wX
zqN>36qI*!6PMmnCUbhJGu1N6ZhYD*F-LS_!5MD}$$A9lL^B=Bx8w8a}x;Y?93fHdr
zjze`?2f6C2)4q@Q^X2Zy$G56Kca05D^t(ZIHG-ums?FVv6);iyr8{LN1IkX5l=|5=
z6lU>($XJjoPjFO%`llT&lGsmTwoJq?tp#1vL#~*bR0>eqZ#xYV6RPXEY>|Y+a>)r3
z1Q<xjBgoqX*A<K%d0WQKve?q!zJ($`U@oPF&tyzypIaRWAbXHW(G>w1;#3(goM@!C
zH>)xEtimQELdQzc7GeVO6tlEqQc-TnR(Yd%+_+3Z3TA=58X@irPAu9+EkS}xcjC_P
z_qjZCX1B6CLm^FbJWVMyi0Egffx}PrNMf-?48I+y4+-vl^EC4iw*;rGb2O?!VxqZZ
z8w~D|GMT-wb{p)0Zzin^(PSx@yaH|spxR!9x=lBg3?APt7+ZXuBF~u$Zf(LN{SrDE
z;K`hx|JLMQbE22RxsL{eUuT9mK3Fo)qpR0E2P@p^9hG<t777!#5@bu7A!X8+&mSu3
zOa}XQC}T9recU2#sl7x$%f@l)NSf%mUnkb4+giJr;J^ki^olKLOZ9omGK?uEQXj-c
zGKYR+rb}6vd81{!LSxtQRnj1e7%_Ef?F+drPP-OQOZ;jS`>8X!Czw!8;wG)_tgOAu
zsv|{xJ_-$cKva2$Aaiecw}hoMA*&%nkV)(YIU&?tsv=rYC9i?6I<CJlojhM!v2hpt
zXoLiz33NeUkJeA<S#$$^Omtqxul5cZEpwFRxYhWQkZ^&eh8^`ZUmlX54nE^V1X40A
zUrv+_QnbDB<&n1gMM#KPo-emq+?A=NkOiW&0HPwoO!zwAcA7I&*bU4wRrGUN$Ud`#
z4>@2)NMcTo>rLy2onx+ETi2h#tPxYpcCcGXiiOxvV+SD0R`f{-Z2<<}(uVbQS%dhW
zD}PgOeV^81Bu|9<SrKt$I-+5n`p3^bRT&m>UpXYYrZ0Jk8;&ws{!>59GU$W7eOAG1
z;*L}j&7evbsK?f^gP-4j4`D3B(yc+)1suNDA@->Ku)V+8G3)L*Pi9%5xpQw;!i?K+
zeC1c-aFL_FlQ;OiOEX~DaK#9@PEOC_5XX7{Jh2fqVWG5t@8_2Di@-LQvPijn88x4g
zMEQ-zcYK>`-r@PlWf!|b<$Hp36&967oNGnV_aQAG7+ye=%zvV;_3IWk1YzXvr8GdD
zDtlWuEv+BaTrMRHgmtO<wGDd=G}~OOu;oX*xdY5f9?2egVLXgH@!5JYq*&T9*gCQ;
z?4W<VnfiJ`C_0C_G;`y9pGRToXiJ)B+2>`$gf0JR|LpAQN4mrJ`4<j(#V=kbu&L=>
zqlc4T7>9722E0xdquCFJ>IFg8dWTg^Rue)#pJ!dr=Bw#0AF?0j_sBtJmLqj(uf4v`
zm3Do~J>4i4O7}|EZ6wIqr5R&6JRI*9o^%{O!^I`o5d7MBVsKWE)s%Mjk!KW>zm=!#
z^lg;xbCc5b@)aV6?}ddv(F6+ucFB|RWG_`lpT&>m%mMChQuWf(fNoTO-yy=yo7%af
z*h|({$+&`h%Eq7u4Xr7Xb7*NRZEyKvKbGda<dM|nkrBz16mT%i#j7TN;$EKgyBa94
zBqlXe1c#R5K3lcYgh3qj{s&u&@lSWDM)4R<VK8lkGGF_W851a!QP&E-2=n<Pue72J
z_+Z5bVx4#rFgaUn;nhxaVTiV<(a-;MGg(u`vvg7vmt2V!3J&a;DWZy2P&rIH)i51=
zChvV?6_vn!hr#1ka)=)bS;DIDwu4o;1q&=b21NIy{$TEX(Hyo+-tepjqcfNBVJT)~
zI@7gkL~{w|dwMT5fD@1BLsf9%_wEA=(=Yf98<!=*swdo=S6RZkOM<5-4zK{z#bt1$
z4xIWU&g;hh0tsFKTq-52c%F@|<>Q$eoVTLd0DfV<)fL#F0{sE5lPPBg*Ipu5K|{r&
zH$>1tf&b0g+1M?lzHRUcR!i#I!miQK=@WZcB!W?t=#+c#DOQJh0{g!1v5W884N*H+
z6f^dd-MhU$-|DLfv8B+k&<9?9uBd9ZIn~awH7wKosHz*~VavxLutNe^TP=Z&h-^cV
zF$m0#fE+UzpUkW=EEfD#+_lxV(b<kq`I|Oy(t=~*t?xo{5E#f|?SzsWZ!1*PuQXQ_
zD0tn%`2{#vAuahnAm6O7uU~~fY^Epew9jx_MP87r0d5Cp`5s&j%r%O9(2mNS?hZnF
zuyAh(pq{)D&2YKd;9=p#e|)@7n5>|WoboCygB)JL-aA{>+Mqz};>T&sSTv*Tn?kK)
z@D52pf)xrtH%m+=Cn;y?9zC7F#K7Fh11-PJJjMEndj~M=AY|PR9f2J)H)5{D{7CXp
zKs<y|L0(m0ZzxgeK@!X&B=cM-Q^K~tz8;_Iga;a(+80HDfDsI<^8nH&GWhVa<?XWc
z1hC{t86_-_(FOFifpnFglt3ce$JK(t`XL#CTQ8ytcz=j?KfpgC-d;GixGWo?+ub)M
z;tt(7qKjH!Y=zs?6{oHH<j8Nfyer#y0$19k-@~??w`{$kW>qkxDf9VUCNs=d_enXh
z=s^;+tR1;bW#XxQG9msgxppuA9HCO{qt|X%0P_!VgRt(ytd#YodjjJ67lK!`Rni6J
z%nAhp(r5GwZT-53wr-*Fy@nhF<n@CIL|e*cPF4oi`T$D@ddFXfbhg%}pFYTm!$D(1
z14-Z{B}5c~|GPmzKtUkEfJdhM85kfS<X(~@g37L6j?&!(U{45oOrz(I<fzf=<4EF|
z!xCanYUzpU%TViug^;Pn{3uO1<L%=~Zq%YEKgEy)en3?m(`kHINSQONsVOs?PFUHw
z>N!3f<jLGgaa%q*JHFsSKmi3gUp;e`d7cPCAP7T7PmPQ?LW-^Sh~YY_tqqu;_hEK-
zci;KqXq7{K#j*wH-#(BJQZJO^ETJ4T+>h*wm5xwvZ4PRMeHp)vma%;B=x@(OH<TIA
zMm~RcJ#ty$EO%mZdA7}6bp#PiL8I+>jFY2i__M)H552CX<ND^ZTy{<q(bf&n?s-u1
zH0?ZFbC@W3kPJoU1!2M85TpO&Btk8@-=lqE@zmds&IbK$S_YR<)5Nsw)W}{}>eC#w
zcJ4yhQpUFVW#JD56Y>%VP5XM^tnm?-8J>EbiNFO1tVVQ8Pi+m|;&IKjp$kPa7NO6E
zH8+<_D%q@%>Q<)WI+}~R_)FX9q{R+s+Np|SnvCH&MvdP36(?B>ddu|`-<t8f@Ee`5
zJw~{^E~=b8zb+(ne)wS2mz?~=1wn6Ft+_>qm6~d~cJqzo5bh0kmt0s=qQz94T)Yjp
zVU^mz8nZls6nBq?>s7>Fy?%|BlBLMQM5I_@h_=^RF=2CJr+vxJ!W^E74bU~Tfrg)6
zLFXis8mU!#R}cxQ+YU4@XYW(D@<~7C8nAka=t+~1J?ctKFH2i1p)NgXT8>;U%-x;&
ztskX5Hy$TyelFP5<4Yi1vAOqT0por#pE83Bti;gYxKIDc%<?klX=Hs({x}XzKza@v
z>9`Ac$&gW9d6ZvJ0=G7_-+A{*dTbXq(3odtFK?h9`T0&SzO0G*XhA2oVIT&Yy1<`1
zc7~6~i)E>ngS+u`J9!IIr=kKmzJzq-q4&jX)6NYtc_3%(R*iH~Z+z0^b4PX#V`$P7
z4Q;nWgAfT>l0T1@q((*_VNcO&cC08k7A&Wxs6JrpW|26mAxnC;h62F`PxJVZ^s&$e
zgRP@T@c|Y8-fggmW^h2w1hEz=Da&v*sf9pkS>^P69Ay-edw2+L;W`GhB&*Gw+c5f6
zhx!HA8(<=7{j{_<tR;Tff)={W{Y)!jwyu@$hi3GBw~$G1y_R@KL$b)-weNebHGu>p
zbc3T~v0OW6kDy1H&pstr;k4=4Bx!Vo@MoSS4IFo)#tc+63lqbh3e5pcX0^1~_hiM?
zt*aS9uI)oPnkQV9y<Jl>DFG~AUW@#fiWN-ajWY~*hj>i#mDdSuFg>a?SXMoXY+Cgm
z&;Au2i{J~TrH0OK5jZs}f@NsT%pnE-VxzrWYt2kah$VvA=Eqzn5bl8U!r=ZrzKlWm
zAqT_ZO*spV^7pq%(zX6Ww<Q)sXkW@q$m`G|i{H4URe!BM8W-U1U?c8A_sG)6u|rr&
z<$&~JJ?L<{>^lrjJKao6?s{nTvMO1cTdaf%$g4$O@geOBelc@G^YC+Y;U=c5JG&OP
zOMDq5nUtUSuF8#!aze#(C^@TZcfTEGeiU8Dae+~qYS3`I)I#nps&+zhH6DY?eQDQ6
z(?Qo>lH~2pyEgM&BYpfJYb#$1cQ#`fvxxt-{lX$nad+E^{L^L<h!5oVTw89?TdT)8
zcHD=s!HubP8Ee6F^yIVS<VHPDm-1HoqwEQ@YR$Jho*aB$qhBuS9iRF_=pi(}PmLcH
z>zwuvcG3waYd@<OoOoXPXVy~}wBMaVqa-`BMpw67aSax$^6yyS)vvX;vTU02-PVz9
z9huf$N!7`@OH+rt@p^3pz&WQxww^lw5H(eNS`Ra*aT+~}G#BJG)qbh#*H(!dT!mCj
zz}<Yx*76{;&tWq&r>FWBbw{|}_=CypO;Kd0;}#6QvpDQhsUzXT3j(xN$efSPti@`(
z>hl?`<TQ$+r%!;(bOgx4Xl$)y)S_<zf;Bw*%{f?_Xb`?yRD_MJbG`!%J}$3D9mk&j
zKnpq_lu~xF`CY8ed#UlLOb<H>lku&|OX8DsYtx<DcnU^$;k@fOYFRkP&vl&7Pipyo
z%$>tFwE&T6epgNcIl7h9d$EC~4%_C=wKSq_Bk!<Ljq^G2d>0MP-U;lQs&ueVu}GI8
zC#gR#S)1e)o*ouYQ{de@3Yv3gyQN3?w5bEg8B%4X*Ja}cKf>0GJ<hUU7^C3@edAr5
zAAqVX&eB&P;JfwZhgMd+wc*DCZTB(Vya&0a+qyXw&wrxUCD&ilF+%m|Zno7mm&O9m
z$1?5h<ptA&Cd}k~*Ue>m+>krV;-t!Ry(YrELMIn#7^jA*zj7jd(&%D0&6QqVO}jQ@
zGZsmOx9Gko@nwdGeLVZ3qHBzHQD@5V_`$g_gfo+n3L4WOu9fe~aHU93lYLFs`+k}9
zlSNI7+n7^XY>^W60CayipK)a}Y-B_H9R0c2u0Z6wM6FQYT*|Bgh5(m}WcqKlj&{$^
zhvQR+BY63al+ieNaq3K?idPR;w>(#(@1uvL4{d4=1lt5Gn9{3PKqbP!uy62-*YUiy
zO%LtT4!t&NS1j1*MbIRLX7Nl;I2cx)ejdgij8?gZ-b(Z6RKzYOQ=CY<rrIdlZ~jO)
zaHyTysd=jCJ<v)^bi+TWtd|V|>-+*2O_2g%oGjtNV;{s`WS0;O*Li-59|?u&OEk=G
zgtF8N8op?{pXJ2dJ>S)2d#3Q93|902e*u>WgGTkRdg@&Wv&x`Be!Mrl(sOxV(hZEG
zN;w%aXsz(FKEwm>rom%S1(-hPHpv*NwMTfYRl>+I569@(&Vj0$;+gfT=0^};NT$vV
zI+_Nxpf}gm#V$pK`=x3f=J$9Ss-b@85cyfU_c%Hr_c*>%iG(L8b=*)R8g5o)My<+i
zBRczi3bX05ef)Sh(hxZrGcJAVOt@`77cpsU{o=-J!Pxo`fE~+{H5FUzw}8Tyvb7|&
zJw7llkEo|gHU25c_M+4SP86@WQjRZ#2Qv*9d;ww!n)ltXkGYw4oDye7hs7I71);eK
zfuf{^7SoI389i*Hti~z8rx)LAn-uclG-r+Lvlv$ZDK#=roiJ+JT<#0x{F;c-*S!7Y
zz$%yFymf1IAMU;L&WU-y5qOrXU6zpkSCL=?W_x$JdoCeqqLdb=x=Ru^Rga4s&MVmv
zSRQ&QO?X62k1pFk7*koALUEo6K9^CvOP8`;wENf=GP&MuW4daM-jKfLKZ=MS-MRMs
z-8}^?E*tjS^Q=?UK?qGF^1&(1Z1-q@<PIBtMOImjCi0qb=DyNgC@xK8Yb}A^>Rz2f
z9k0uC%oekyn2TxB*}Q$hLk|mZX1PP_<k5M{GmV)(kcL>TcMjE%&Dq4$WQ_tbz!)nj
zF3tM&GKR46#Cj$uDR>O*ts*K&i!vUFo)mVBKSa#n2FL-@f?guJvB^2Pu1~F!=}Wbf
zxkXL%O!6UYR&xPW*{Jj2y~InF`;SAK0!hy)xwsS(=(ucOIeay}hGuwz=NT*r0%kJn
z{i0l>k}?+zO}N&XMt*vtl7rGZL<>t9921*+7J1#prS>Iq!17VSaL)x+Vrr*}`IiVB
zAG_x<YvC$3eqB6%$4HgKLak|%3HKBu9XBhi3M>_<GQxIK8t>=Z=JtCnJmHlAhlC>%
z1bK-}Q(9?pR8mp!rtAmM4fZ|jrsG*fc&aXEAg~Z4x#()#A=kKpme;VL9d61gNPS#N
z+_t;f?6*pMuZVJ=u{&`QD%f-K(yi0SND%huLBc0H)Lnwa>(|X>9}dg3%e`$7%-X8%
z{U!R;bHaD?>PT~6Er~BGGRkB5FwhcDAqEwEQ`b4ubKc$NOG%OlGDEad`<hCUL*bX9
zp+=8&x{?joNXs?t#7nWIcPf^PE_oNQHcKUf3PIZ*j(1NIYU7F~l`85@WkO0)u6z_1
z-%ofWPZyMg%iOb+bo!@}z$F#hmPNTUn#O8u2>d9oHGOz1(?7D)zifxCVc^^UOmQ)m
zpMhhUm5pcqjOc9?D%!p1r37(ha-K>Xg{@z|;<Cj$(9G*d66btC!)`=EU!<CC-E3}+
z>HS<;?v}!wPnSBtV10Er3VswM%%o$y8|t4+*~Xi=Bj?%7M+^QWH)P3XKjC)fVjh%{
zb>jB(P&PeLEu#cA(M>Cgw+DU8aAawe(ClzCe>a}_UV!Ii%tI&_13p(r+DSkWq|bLs
z5|mXd{b-Zd+d|q%@J%fj&NtIpfwZUB<sH!<ZHmr480D!UW>}lq@ZNkfPmqq^o*V}e
z=#lHH?63QVA0{?RFcF+>ygw@iACqv!$M*0<WYF(h(wEaAWc+w>$sovRa3dXUXhGnA
zC#fLNJ+XeBu{3!{fTEM{=DhVXEnLVE|H*-bb(i?y{B#*Y;S(;8(}mlo9~!)wn7|1G
z`i`6$kbkoM#Os@ayzf+yliuclTGAlg(-I$AJRn0SpU?o1I2Z9|0s+$UsvY6-JG*P8
z3zd3$>@1NekBRa?4sWhgG8+dnNTJGZG&LZ~FY(Ofuo@4Qk^zVC(F{S;<0{hCe!IO+
zTGElcNHh7(^K-Lo@f$)aUnA_AsW}0^;$f~;<MaG^cPBxHdG&a;!Q%~=<53ymf(fk|
z>iAM!P*sYc)p{pcxrJ&yjGKANQRfu5$2@DIZ^PzkJG?p#ywb7Zm%13d&}*JtwY}~h
zo~1f6LZQZ1Gt*hvF{or8g+oYEBDR&-=JyzX9*nAZyE*b}S)KZyy|LsfQvM=3tE2h_
zo_ET0u`9w}I^LawKA%NEF@X@9YcQWfFiQ2gxq5wJM@TN`8YWtVzYeF?rSvJF*Gne2
zFr%SKkwla<q$4YXA4Vd~el}Q`<|18OwnBN0@SYxlM$4l?A}Gg@QB}TFzcd>P=pQnW
z9cIT^U*;~Dv>x3znbxMwpezcrK;pn8#I{>dKj59_?Sq7>VEYuRLA0P6OMF|!yQv*B
znDn$?i`3|(8;Q`d>PVW6j1oO=)+<fNFZo*c<DfuETGsqWB~!4atTJ#F0(p!VHO=^r
zOTBmayt%DLhL8v2FnM=!9(H4H&PB^Io4jshnLP|)Iu}ARBuv&S<{P^gZ>FMg=JZtz
zzD>3G9F7sTw5NCG2d=&eC!uw@Lfty+;(9#bxUl3Cc3S-wU}yx$2Cj~;?$G!}T5X@&
z*mfY`(1+u07rUeoa0om@a<cR}hJSSFH?GD}Yq%N%vYd6I6Ivf;#~te5U6A4DYAx?o
zb@+90q6hM{cty*Ndu5QO=IcDPZ4ooEC<rQ|exL=9&YD)nJAl$JTw?D|u^WSKugwqE
zjcDxbYVlAR>F8X^i#SJ6ceV{bTE>G>ygLp>&_%>im+9Tuutmb>R|IZr%JTL@VShJ=
zbh|LAsZ7M<fRq;r7hfG5#rwUk(yu!$8yrPNMr(<@3zyMn`gh|tusA+SS3R?Q-)agH
z@87kztqYGde%e>AJ+}`_WB-aEJ!SutRa4o-1vK$wjDLv4;Ab;BOoArUvX3DnmIknn
zG)!s+WLScT7jQrQy7=Np#r-tQpBDAX7sP_esU@HZvC6rqK!6h+#2_)40le(~(peFg
zq|%EDD^>BMlOm*@d!yhdX6r$;S%rt5ui|55ykE|E2bvPpj+(Cvl3Ef<-No3lXR48$
zzM%pmB=Xp$Gau0>W3Z7vcr<D6FPXMj(eE#ZNFt*)XQq?6nl~>iLtRi)6(J?Uq~1;}
zL{9V~yUE?NwBz1q^U|V4Wxt>nC(=)CE<hE^QoSV=MM9ofNa1yWMVVEA2+0vw2%uK3
ziwLps2zZ<m97&$(NbZm+_#pKgDb&=rT9SE%Iztid?hUhPhRXuy7Syg+rNAU0UL&b`
zIw}Yd41rWg3ENw346MPk(rzg{8#GS-5cmN3-gz?Fkq2mrz`7c{u-a)hzo~j7@8wF~
zPWn*Qb4-@=L$#xn@VKSo9!Qyi&RU`Sqzt=)8iO96{0&A;v*ytJ8x*nf)vhvJMq$-q
z3W+e}PzxLvscX#l3~XiNCN+Ht>U}vlH$*SdnR4obIg1>;x%XjsFX>S(kE=?#Q@D14
z?B3kQJD$Ml>sMZ5X9%7;+if{@i_7g>9@n!tj8Q>PMm&McOp#YSd$zLYx-)E)K#5Fz
z>dNHEC#aY}q`ok_ajk+NK8))Zxd&K2XiPIBixv$&44>*R&>AGDEZ)cN=9lOZ?kC`(
zM-eYSw};N4d%uGM^qN!CZ1{2vY(>SJjBl&R$cFl|RHhl8?YJ@+qUABOGGAm<UIDnT
z(XVLXQ#W;&5C5%n1hQDp3O#bp@iEKi$s>D@`m<93GRu}|1o^&IQdm4^P&n?(EOug8
z8@<kq<&gx{T$T~otFKh0;4{Xe*r~1>ZK$UAOia*L?0D~0J?3@tLq79bmXBisv7jA$
zi2mvNvLf{eq}{&vY41}DNl-YJ&EyJ?Ta~T9n72$KcYE3`sDltJw>CUSKsw5CEVGkP
zrMIaPMHNm_tEKeWK$-!rS+c8fob{3_Dku;MvQ-$MrhT()*;|p_nktcY4q+sTgx@N2
z6fq5^1@=eVgrB+MT42VxS-SF5I`}pn?<|Z%kOcqKwZ$TQm$AbEEdG!|oTbh}^)zX0
zCzG#V+Jc!=q;dHDByf-6$5F99v%yNsM)NF3JcaFr$GE^JVZdoL7DsdlZ!Mmk`H9?&
z^c^YPd;e(rBnwW<;`P8M2&8nVW7%iJj%ZEbnt97oG{N96Dx5ILrn^L1Lzf0qA|3oL
zb#M=hZEN!p-k)izSfPttDiJ&-dn;yYuV~vEi3Y1u>tV7|qbC%FWgRp?_g*&n0_BTg
z5-TTm^kRoKOa2DawF$yf!+U5T>{6-XLdtg9V}|z_$0e887BR0DJ0k__u<vdDBpv*v
zzE+}+>ho6xMBA=O){Zw|;;8y;$D^wGjfs)?P+?$_pb}^4WInR;RnfDB^1;~xipm0o
z^rF-Dy`NMg{UxE^0%M0}{^}Fz<bv9&w1Na2l`9`o&WI)_WaUvde5x2nNZ3vl&RKED
zT9pOao8Z00a5q*C^6Beh+kT$2+l|zYD6R>c-R9*d1qch%!P#5Dgvk5l)J;+D`4AH-
zd+9B=GJd!porgv859H#}56Fa$_1?qnV89Inup?8wS)|G%Cfdu;i#aMs-6k8UZ<4od
zB;05a!=aqErWOXGQ)fM_!Nv^ODI4&rA5Nbjexljnz$9Vr<+ybk#<#U-?wP53>Mz&m
zIg|tA>IWt03_hzghK17gvn&-Cw3<&L@bAqjtI#wo(a_Mf6r$9Kt(@jxAO|)=@o2JH
z$)f2P?J=Cn7v;CBVFXS$B&H_3J6=@_u14kYtY-Aal>G`5!{mqwfftL*t=GR_%^JA1
zwel0MnDRz}{mU2NIFnkTwQ4{d%4IIYISlv@e=7SATq(h$19u6}@4-j3iHYRCXwzYG
zd2R*Zz1Z1OJ0la>A+#f(nL}&2zr3xQlZXv47S%qhnIQHL2qHf345gcq=TIl4`g%Rt
z4^-rdzYU$PMMoUf1Dwq0ahDVrARgDKT$R~ZUyv%vRf}!h++H0#C(8TjktUuPRHsQd
zgRc9OWQe%zC@%S8b^eQUpj8C=e}++BG0-Cby#=XkvAX<gt*^2-?{77gH+kO&2Y|b+
zwoEQu3{R?lLJO;n2CekC&eT3oAcs+jmG%tou!3%f{*X~aIuLgKMzC#5oc)&yLwkD;
zq_`zHpoTHkHH=bAz*CL7->3mrhKlwaT|ja6+=7Y%vX9vduW)50&R;y`^$6sQ#`TX)
zstSLe6rJvqQ&uPt*Ao5IICTYwYEkLAy4Kk1<5x^^GRhXNzN<i~x;iL<QNaVkFG!Pi
zLpCfdH{&_+O!E!*H{ARVWrMT4eI>GO0V!4*ta5?k&A(G3nzj#w$F4(VQ99wyA4`fH
zK2%I-5?)OQ6~Y72)nrLt<iVCpr0NQ1mg+<>9XJ1Dn?QT%{f>|d1keV=(og~4=C%6k
zbk}+tf6mNG58dy-wt%n3uwmd!6lPs$i6hUv0}j5;%+Ocnc``u`>0drK7bFf;5|p$v
z8TI5LfcHJmNXjuMmu|>yS^BuR#SupGea7Wc7UcxFauakK%7n{Bc2sXX+{Jo`m6O3r
zOXO!Qw)h9Z`t=^}W|GPuES#Kf!Bt)%#&kE^C5s>P6c60PPi!uui#Ge`T<cRm!mRUN
zRv>I^x@<N-ecY|FRxC2V!szn2w@m`qm~IKfmf&pQ+N@Z6yvu1YXE0Z=p`~hSxurPq
z{Tw!U@aSQkb-8Kc4KbivydUDdh(~-ImraEe?NHg0N$%#WX1hab`b<1su;6yI*_^M<
zP?0E2ht=2zKG(=nnM?MBXW`kFOCL^=^MIlV;~HEgWMxC!YFT03A@0&Mfal@U6gS}&
zvz{}K#JqWphxCP?vB!b6(-gdCVFN#0qi{w_(4u#d(MsLEB>3gZd7$}38W6(#Zp4~a
z4c+JYvZ!ZgMS1_Uax$Oh#BugyfV45(L2lLt&y!8lBT<~4=jMLl2oK@iy%k<@lx=@M
z;C$<IzV@{x#Bx)ZNf*?K%o*EA40pA?4<Gu_NJV7RDcC@3llPfik9#0``U?u|g9`o3
z;&h)?#JH2%O=AT@jm1~lE%w<oynQ#x#FhDHa?z2I6J4KkqzU5(FcS3hfnCZ0RyE7q
zBJxYrt}8zGpK#n{W`&&)H&7H@4VNSJ35D%tUZcKE>EeZpZkPKe1z+^49ul>WAIO`{
zB$NbycHopgRyv3=mFd!LiW}DSHlHp!e(wmdxo$5lhEzb1qg(XVOI6uPfU!ggi1;xe
zf0kOy#-4~V*@3{cbht&^d~A|8mhHi@f8gGPI_>q?upRE<IqgVr84%t5QTd^Vnf+n?
zd8Z3c#jH$;-h`VPYc>ME$FpMHuy3c>XlP8!WQ?tWZ!rBk{p<@zm4n#i8A@Uj3htH}
zXIRO*2<*gI_py$wC!Ea5g`n(<o`Y4dzC@d`h10E0dE?aE6M%cXAH4R-XH3m4i4$_i
zT*x)g7N^1wrs~qHVyfsf?V3ycY`UGQ?-{QfG=1px>G*|mh_vC+eU-F7wEw(z;G=*^
z-NDV6Hcu!YI+1T)g>TD7JDcw{++XvquX}cOvB-<22I%L*szywU+lX{MgmVk?_a>$c
zr)4*=V_8u1^A(AnIA3a+Ss-=Q2&bDeKB*cdlQ_jD9IxQF_@L;9@2B$;Pf-ZXDhFm6
zaacZn%xSdAJhia7+$&AsZe2IzRQohnSAqScrERYYBbt?K=IA}gh^NPW)Rx^mRA_0<
zJgjiD(9xr34}9L{OG!|2@Ur-~;4D9M?j^HF8U@<Ncj}DOiyiJFjtE-|DAH#K#FrfY
z&C)6+deO5!SIZ%low5zew(c_J)*Y)pm|fZ@dsTpML`PSpK@_?bfOnrU5rb8uk27;R
zI(IW0BQ0b`&|IBatSlZj3&vh>w|#8UVIp`Qk$Cy<KCgPRmAQF4ULtKCsYT9o70&nD
zWVTRkVprbTtFq!1ZEa{`dFsN2_lzD|6{U3vs}FhnP*PB37`WhLA@=+!m<*#tL2bvs
z66(EZt^GnyZNe;*<W}Z7tIXFrI@$%JMIAQUM3*|pBA9kJ2FomUX4W*qo;|ugFGJ?s
z{-9V=OJShi8QG$`Z*g%F_~rQ{#SG(azR#ReQ^AQ8#90`#Xvx+X_8Mbf(1#NTt<GBi
zZ{y<t$A<6MJ3;6=`~*erJ8qC=47A4zehTzxK?ntNv@)WMcg9c{r7y-icTf8E^jgs~
zmc;b?f{}`6d3H$PfmzvtFS@s@A6+q}Kfvgm>Iyf7^pmBiG(^vCe9ryMl|(0)L>Gqv
z;IJqns+n@1H*sknZj0RAC`RNT16Tx%iodAb+<>2U(;fyu3l-4UOfWfey)c@+d0C@B
za~ehvA86oEYb>xd9P!zByU_mx=Kp|%plQ=+G~|Qr2=y@V&4Nv}a~XgdX&Q{U&CjS_
zn`M3>VwHiuOS`BLh>>5Q<!V(ekhV!>9`I=geyw4RhD1=QLTzHP5#~A?v4<4ylluZv
zYGJ^NuHBI^tw_+Ru&Xp%;KC_E`X?8aQJ4;x9iO2F0DG6pDQmcE_|NvEv5>AFd0O(o
z_JFsyC_?&hD9J*FmmEUF^n4AP>=ZABO3eeXWI3$|ifVY_>@o?oXRWm>V4op@w|o8-
zOqB16o(4KAu~kd}L$Ddks=AI6g;RY)9=2<in?JUTo)^wGGM%r^DC$+8@-&SebEarn
zvz2Zhw8f<m)zcjy2xpujc}Jix<J_jn3u&7Dq71o;B)+vyc6F1!??CW?TiW&kY)DJB
zY?<-<+=o2DL?s}qCQ_)UTVZ*7!!F)vt=&79oE+z~pm;5wrP0zmBjNGY!93Mok;Ki=
ztz3PZDCDS$>)rC;XE&j~##uN#ADgkSKY>end-+N0;K4xbXW$_1n3;z24Y_=r#!(o7
z4*_xEvrBzc0%189D~qeaNR^On-{-_r%N{WQ%!vEQ=J)l7+*+zlOcjszGzzi}L$}{2
z+jU-k`l-#zUZ3DM?)p!0E&62WQ-+*EXW}Dh`Ou|v0wyejIz>)uAGh$EqGe?D0=4(5
zZ40X06i~hW&wcSVW>#iuW^PpoZy^YpiLF)|n5nJ9AveH3sqXYZL3Xrx@qY`}*CK%#
z>V9L}Bi|t^f=T=m8J;m+TLBEnWOq^BpFbd=sNOYJ-GE2ox=_A+cUGHEFHzUf+`r?N
zH5He;`%<I*n19#!YH_V}k&&v$qZC>}Eb2p5=a&S@y43G05)OI?&3;ENW?~B-1(K|@
z5jKx}2{p*`8BGc#&;7H+r<oPEG;g?*-MF~XdG6wr#4f#4viYdP^n$1JqzA$fznngM
zrI;A9idlI?2F)jXN_w^KaqdK%m$zUHFIwtojx{$-xiyrFdNUnA5W%ATSgiZZBwcNU
zh7p@YcfN8uA!qw;6vyQ#6|aJGmoncf|4<w}-Bvux;#(39iXIyh{lYoDN93&Vf-`z6
z6-Jquc;bNs(K&7Kur{%4a@=V=W2?f{poQ?v1gLn4=CmcV)NIBV-RbKt__~(}h3jjB
zO}T529J|zc8KE+wY`%5uwDaBFUQ>nIeV0u#J*r*p1Ksx?;UD7^_i8y?^b!Z+%egR4
zGe-^TPHJzJd5(is9FUwspBL6AYR@K2f^T7>3{^Iw7T3)zl{G$6v}a`n+#$e-PAP41
zDTe+ebNPNuVc0!R_(GjW8fol!>>s;p{VcnUzPREdw#$E^P&4n{Eu|baYVo)~AN~O8
zGeXK$ngb3ROK^>?2@ckJ`>gI=_9FB4^(MpX{gjqm>SYm+BiE7-aWi&ytCU_9-ISMk
z`!TxWItDsN1^d#Hn97$OA!~dPm8?H@>oe12G+CF__imy`J06I?4n5uSh&I^oQ1f2B
zDMxLho8aj&Te3s&R3lG9&1+G<y5yQHtp8b@;j7Bp9M$o&VP0t}Iga7`d8v)Z`Aowo
zXkl-y&klW~r^<;cIMJK2CC?Su!+98Y$0yHP5%bCn<pJ}<Z*IYvhUG@hGdw?_e|*9b
zO;T}l58TC%qJ`7)3=O^!ojYLmfaiG{H5wB<0iFL$S7>xC>CBY`J8N0Tp1PPlrOR#H
z`XZ<qJ++P_RYI>q+YCQc!kmGjKnq$T<&MXk{Hhg6S28k=@}tF$t!syD5d8GM78F)!
z7~1U*eusItY9XJxY9rpgB(#@x*gDtB<ps5GC>PlxNob7C#~#+xhRq6D9W4TlTFnj!
zR%;J3iGzH7ay@aNNQXLw98Ndg7owUCD<?~QTDbtW3jABesqusIMJ_5Rvp6^bvn#5K
zV+@4@_M(ljDT@pi!)@<<7KeIk2Tp@`#OEJk7G~>eOZq7?s*RelnKmFxRh*+@rO)DW
zzy`ux5vEus7h1?J!CMLVdvttkioKsWQ?J!otK_pMDsG2DzQ!rCWVH0x^*bpXN~_41
zEf`2z;#Uwuh37q!PCqd{o)A^BI};to3<{ubPJ>$?NOR<AR^k)WVjx$v$6tNpT3o?6
zm9f;2+<v0%u*O)%=+N%X&Uc+R1ddN=s>4X&t@qgz|M^AIl>8R0{~yl!4e<WeyJY3L
zgWi<kPjaTUnv|aq6il6@BKV^Y_~z>(jd^iBBUmnF1hCqZQQ7(RXYB4;WmrkOLlgn8
zL>Y@u{m1OhK{+}T6U=+Up19u5r;KBSWT}Baa6P}M@<?7hXYUK=Ik}0B$g|JBN)e&v
z*KUp>$&Wo_*c!^=VXhLZEC2q3i>!xWg>2TYzwn6K`tfnq&|i>RA9>pT^h{etB<57p
z_&ZApkttX|BzcFW$;n1IYPZi_ht>INn@Y}otiL#>&zC^NBaVaicNE)r2QO6t(OvHf
z0wvW4+Iu|vQzfvdOF}~Fu@DI#-Afl|Y*=3kGCvlu7naDa-)?xTh&RGF1!6n%^WUnc
zN~$-u_dvFjCt^}BCA;>4hy}cKK?Fn};K1oB3V6NwwFX~*4gJqO)Nhvje*~oe_jb78
zj~17p_fY_^13r%iA}J~-QY!S(|KD>vUt4|^0^otLjkO8D^pDg#2PS%emA<L51HBNy
z(MsRef&QPFvHynI*2dP!7MNY>^uOeDw6U?Y)wedb{9p3DCc-&67yzN?KkJG6cY4~}
znA#gV{Qq#iJ_`7s=6Tih|J>i-alM-4f6rxNX#>p5{57_}OTVM|8x8dhfvJDLr#jLb
zI@#O*kv8%Mm|+6(n#>FG`mo|_`R9z2*9ROO9NmCPm9GgWQyMxp3v8&soIb>a5;MQC
zxGzTGOS5k3j79=Vj(|q}=xUKZZ7KyqD(>U56*98^d&kM>5(@)TB)8+OwYBEWJbSN;
z7$#Hkz+4`!`u0H=ytp8qY>i6$mF6cjoqG0zlTtU_i5MCZd~~Wl)VTe&P{%fo_<>4?
zEp%cndzu1m6Am)_f)26~Nt4JV*~@WQl^RS_r6IUFKuK>vs(En*tyWVCUnMAe35nm0
zQY0%ni&bimXW?0Z5#=`JCLjv!sND4<i$|+{t<;wE$im4@)ze)>_)i%0@E}uniw^zB
z0ho4JYG~e$P<$EpcA8TfHZo}Wt^5jEDUDd`(9bk*s&%!6^@PZT3_5tp6S%BanrA<x
z$;D^ruwpqE4H!9xVe9aycg8M1a7L%rP^m7&UNxT|f1P-&^KgrJA1j9^ZK$Of<i8!C
zuaTX0{pBLHkc~2aX*B)eIY^C<ee@yzwE1gT=sO-BC<I0ri!L`VQtVYQ1jNuo$6l@K
z(RlnT&poI(hb(jAv&$j)$&{Ib1{EqCd6gxLtWTlYf|R42H-uJ1fYGS9Ck+dF?vj@d
z=C542c|2;uhE2^kjs)WiWR{RqQA-?T+sE_xP>dlPgxy4fNKh%-ddUUa?A%*b=zy)3
z+;aNQkB-Z$u#+L4Rig=&o&8?^4s@9=w#GRJ)!G(3QW9csgTBXjP#eR<DxnE2AC`YL
z8D9pN)Az32Mz6D!yfcB$3s5F~!j+@HOQPOMGC{&i-VeQ#=XjE=T!H!WB%02R4Sl>A
zXJ`FpmcDxoC%m<=x%k7OHZk&szlu}%m9`x#r=L*AXNxsXbPgnrm27PRY$(yJS*k`5
zI9=B$VrsNu$EA%CI)L+}tf}nE@F{Me|7Uuv;W#jgQE8?L#B*XLu-#^l4QCy~Sr^;s
zNR5CBZ<@`{>1$<ps~-BYd+V#dp59JC538AUW9dQZif#%S_Ncd)4myNN<fvwhV!B$(
z0x0K{k`%KDvnX<TxS3F5U~?}l%WBm%61tFpqz5K8^(npXgEKn!@J9tl-tQuUi=Yr8
zj-4sS6S|DyR>kx852@-sUA>QlzJM^Seyl*|L9648jQS(lxAgW(<v8nbg7XfU)StM~
z`^agqLi&$sqP%X$4ORG9og?>Shc?)YKT-*VU2y%>51<Vn!!rSQyFZl7&M4boZFd`{
z=2duKCs!;6n9~cuFz%>}K2eIcWM!KPxjC%Zw8`M=q45s9;Em0v;=UTzTp>{KXrRa*
zE-x<qq^vI{d@$l0PD2bv$Mw^I)RYC=?+}oC0MMr7^Z#zJ2y6cAYys~f6i+)TgXllj
z6UO{P>NMYxT3Lo;+~azL;3Zw&GT@UER1o<tN|cs}MkbD^4<;+R>ocGF&Idk};;um0
zL4g)b<~fO~_6>AWelDGQBFqkzkCzE0If3536#<#{TT!CJJG3TwW~Y*I^IM;Z3s$#O
z(A(Jx_UIq^B+HbJl%u)o*5)OIC+Pz0y?mKHSA)!l_UPo_xPVL|&0Z?sp}ei8QI^@L
zi97F45Sn(0CH89n*?;&W(FJsYVcj3!=EfFYgy|<|1*R*A3aYj-*vd<L&HezPS%@M&
zs4;oWJZ`5xOb34Sv#Qo0r-+;>^*v8{?$ey7otv&KMHjIjpP0eYgf%K!%TmLd)ZV~1
z{tFB>3}dq0$g09!Pq=R%YT(B$mCoJu8HhZ$qk~4+Yl0hWIz@B!42MiH!f{QC5zux9
z+4WR*#kay087_QkpeoweJaj%7#qvrH3+egHAhRNVC?(CsU})a+#zDFQKEQu=do9L3
zTu9PY=}Z*8l?9m0kVCT_iol$;k-k5$xUlCc^B$ljB6Ih0aBw(s!YN8>A`vpZyONsk
z_mlb_hR|G9JNXU&=|_h2)mK1r-T_zn2J5^#YH?B0E(Mh<FCIbsb&ETai_n~#yoOdF
z={?I-AfKY;4&alLas_#=r}s2UHmhP$pOJ#8<M+K@GdBoPLpY)BZP0=(2nW>LUcEYt
zm7BqyoA>D0b<blJfqu;=^h5dNyr_Iu-g>m(aLb@rT-vV;#@;4by(k{Kb<Q2by*yYv
zA-u*GA5CcBFKQqld^rE7*n$R(EwZA@g0zxyV)Rz})&LV@hu`uVOO)EpI~ib`Z{GW#
zRMch!1LiwF>WzB&?obxACq<GaU!NqS&O1g#1YePBjC;rfe|6*r*TW-<51$QHyCbF+
zz|jivBH_CsxJsL~QcL?d>LgHHCdfKSv@|Z35W$6QpF8%Ja7eZ1?W~v<7~w(Y(|w2I
z!13GSE@u^4&-9BA2p4xePA**!Tv&W8LPLHsBcPh5=6n=pfs%dP7OrMW;+9*Y<xMkG
zRK^Uncp&QE$rQoLV>^?WCt)d64c(9^K`%an^Wx2lZQ3oFZX6?!d1l#Vpy~;ylxGsz
zwO@Yiz9&w)2~9tcZsCx$FfIm15XP>mB-?3ae;}9%$QK0{hpOZNoFJj!kC-AvH?%6W
zw(MQwyjs=l9k>PXp?{Dy;JY|JNP~i*g8cKlKVGBypXJw^K>m~KKi}^0Cx<fd@HOH8
zHR}K3`UN}wnydPn_5WwFfBWz60QgVNzvf-M=Cb}-rh(ZQf5~k9#rRKY8Gka0p!{=^
z#(zrrlM4jo74ZI97`Xl?zWX2W_uno4Co>4hD**npSpAK#zrx}FR!-jE$oVTg{%_?h
z{f(Tz!sUOK^9q>%ENI;S(@4M<WBdg^|Ffi5DEw!U{~Jkv!s-83O3>d(`4e9Mw^ADa
zM#`UX`*$h7X8!94eqrWU!2M@A`x`0$0Kb3D%3nhN>MUR3_Mb(9=da-VKl%RZ4qjd9
epCwo59~|okX>g!d1_40?{;>hq>b>ym+5ZP=#VmaQ

literal 0
HcmV?d00001

diff --git a/docs/permissions_matrix.png b/docs/permissions_matrix.png
new file mode 100644
index 0000000000000000000000000000000000000000..d463ae110c8983678d2865cb018f7e132baa9580
GIT binary patch
literal 42519
zcmbrm1z22Lwl%te;2MHE!993z2*KSQg1fsrBoN#kg1fr~f)m``-QD3Ya!%jdx4Z9q
z|NCC$W7lRwQM=ZfYs@jmoGagCr9}|oaNqy{Kok@GEDrz>G5`R^4Fe9klHiCB4|)Q#
zmlyd2lnvwUfxdy#lMwj~yuAL)Y|W1WU4gX`RkH^G_;;^gU_f#z7U&|hgP4>M^dcM_
z1UQ_gPxB?{61Ibos)L}lrKO>j10ZN;sOw;8K;&%dU_vA!CMB!li-ZXPM1a_50Y#Vj
z!zEXK$pu2-^u!`AFPZ8nSN^?(kQ%iWDiv(hdv$}AdT#fCzVj{;4TEBfxvLu0=pSEC
zLqa}17|q`#HC{ZBxW@PYD&Gma_j)!vUgWsp+DUbP7;YQ{<A)&*K>1{e2??BETvWb~
z+?7>Q>gN51=-UcO9H4&iQLJ12&###M`miAQ`nzT#bJ~_6FNzeP$BgASCBM4orG=@4
zr>oO*20GjO#UB^0Ehm)zB|{Ci#P4fEy7nLY9|l)gM;O}Le)spAE<JfWQkWmpDLC<#
zn3!2=UnfCIOWXS`+q|@vo=d!s=i=Zf4J$@leG5f=IcVVSH-A~sWd_$w(z>Q*U}w1S
zj5$}<cE}((@ACa()5uESy}C{RV{(ZLn%$+vXX?7+k!79d>f~}yn?pU}wAGnn#sHLi
z_Ax$QPNn?MWK&|78LU$0yVr?*`RL^ShJ`<A8k#)hKIFgPIbVlG7JR3+b-XYgG}fS;
z@GbFl=ephPo~?04B%)ujT%9$w609W^%Q{F2?Y2y8=2PnLx88Aa<g{6N!=P?kJK*vy
zL3?)|MS2DM9a&jM$RJ7F5O@6i+3*Rhn<}L&TS}$dGm0T+O$G7t!8>@BXEp1(<JEO-
z)W_(rN*Cd6M@^@Fc>?ma4CREpc3T|_aJ*lsE-M_;k2pn>&hD~QcM~9qiYH#UQC-N^
zEXn#KPk1L?>jsI?8GT0s<3`E}INm;QTB`ZyH1*#$R$DfUehQ0}nlNi4CYbaK5Bept
zKsm}QMiwy19jAfiZl}{%dMQsJYL*zD!8#aXYukTbd;+ZgjuyM2pgVfIhIwXa%~;q7
z8W@<~*{Qti&RjkC6~09@ZBMn2Z2qTDxpKR_E??#~%FzkUmK~Q?^Mobf&f%V!TR$EC
z0?WA)D{!*-jm&4Ke;Yq$Mo9Pk!+Lf<1YJw3jq;W-g1ggAU4QxLSF?1F!Hl>WDv7&Y
zdwI_(j6ce~j4a<XM>^hJiCj^;qqS$TubshuSZ^*VAZy}4&A*gwk8EJEGh97o^1Bt+
z<-8mROf9`(g=^I)FZF5>on{+J-*B1t5dSnM1g*^rf1z(W5)2Yn?8F6VS*M6t_RWcM
zWWex;lTC0q${h|cou*#wd;nW^Pj_}qXRUfye){~a+SC!Cvn<Fh?;31u+Sz;>Cs3Ha
zwNO9KO!eI8>hEGY53PjG(ut=Hy}5yH(kWrq?GI^GmS-TjzE2-9L#eBHUP@a^ks*t{
zNv^Z4-a!%l*m!jts$Nzh#qJ@&T|l;2<V+@Xf}Rk|4tLvWmac+TYi@1Olo+>@7Z*<5
zct-Iwyfd&s>oAoI^r_L$R*Xu9lh?Swg$Y0wxZ7PZ<jPG@r1ZzZQsK#T*4DJwoW7I4
z+DIm(lz;&GTI{l$MjFl_HgW7uprD?V9?Ao#=FB^>5M6NH-alub23&^KFWv+fmJ_(D
z@0zk-<9+YX!)kuq=8&ekl3u=<!XnT``Sfx&OQ815a?T-R$FDOtZ<ee}ICrWc_l-<Y
zn6lMd!?fU_L13TdsR?)HriHeTddIZAEnO8pMBiAlW;92TVNc~|df5dlO4+=C%E7ZL
z;`ysrw9N5}yE@xATr}aPe{7?YikLVr;4>ggVg9b$Iklqi-5irYo~6_jjak_X_9<t3
zX8hq;B&~;FD`(wlO7h4S#N@W2!Dc^hqALLb&E3|^9Y$NpCnfRC7${jhF4x#XsMd^l
z`H=)AeA0oKK>C)rPKesK8&G?NV~Ti9Ixia?Ly`$&pV)>xpGM9yF}4EBbg<?h{frvU
z`xeECS@{f=UtAa5e7+aCi6rM0s+$-|8&&cz%W5S<5oHyW7IzFk?<;T88IL%O=EN8}
zOM9p_h%h`M9dXY++;^;9AgD`fZ=56>$K?S)A7V1Eekw+3$*&3M2c0eBxU=u18r}{v
z{7SfMy6CNIJ^j@qSC%Q>V^wXtxI$M%kS{Kqg)(<l`K>rJ6wio0<2J?%UO1P_<4KHz
z<?$ZwVQa6@M`-NsF`QkXh)T3<E%x{zWXS$5q_l^Ut@TS`l?i|rL>hzia|iyGwHqBA
zz(&WW1^_8_F}TbYKLv_Wv?g9z(yJ0FgX5KO3Hl?Mh!ODVNZqDrSug+?hm&W?6#dW*
z#xE|H45w&IWecF3ih-%EbO!ZdRPhAGKXK>#{Zi2zCiuz$&#!{d;(3QBF%=<WQFCc1
z65SmKdN)H;YG9Ph>BJcB=U_9DgDxwunWoLO=U`uWcZZ16$@V(n@%?I&_6H<_rs5=6
z__cer^#PL}N)THejX%E{yDAN_+eU)lhBI=gNvYugk+pclfhsZg`14o&ix|jA`0cIV
z!_&CN!6?_6<WG=cUXVfzZqAN{onO8pAskF4oO`)66m++pU6DjY4o9lw$Uy*-kW`?1
zGKkFu6K`w%3r?)7d9?d~;bIe&@tKB);XnWl-Odm)+zsd|AM8>aMv=!8LzvL|%KJ)J
z{b|u}<L=@B2erF$%?;8leWAW3qzEw&(s+RZB>Z``M~(M6bv4ACal()$C6+{BJ|)y;
z_ouK)+DPq3PDI7<Oc{I)I4+#@A50?q;Yj+Ch3ak%ErT6n!F~3lsZk9ITYiYtqe_ro
zT?R75LQ%>RG+Q+aiOfGJ29QZ4D5BKud4GlW4E$a<224bhEszWbOtyUPj#J8t7;J8^
zSTLU{JRGo=koNZS3mccWc70)!1%QI+Pbsx&I`uQ>9UadHwf7mB14uUZlj3k~PWOeR
zK5tms8aH3A+Q#GsIywDW=(Y#|#RSC|B9X0xoj7lmzXJ>(XN52=<ap&bc%^ooa^BPZ
z)xk`8#@y&zVR>1X9V;t%6=DU0OUnoGPyJWFjP;`lR*+!77rsdns9S1x3V1t#r&lPM
zm(F|jy_jFsEW}$QfX?!3&$QwXaE7h%sQ_c!9l>K;0O043Us_@G^y>|Rmx05<VmhzF
z2S{_cJUq;@w-{0=Og~6wfCbLT1oC*`I6IZ=toECiXJuCe+O^WUk7b=MFD0B%hsH1*
zoh`ZUmk-zxr(hI6=DUnKU#Vgfv+4|$Zh%KF1`RxJ7TDK|1DV_xj$$Nn0uYp5I2p0Z
zv}MF4^&SdqM=d?=b~Z$TC;kB1d~h<u?VfYrxKgkT;h5YheKQom|MT56`|=dLS3&;N
zfCFwOm@FQ)!;!%FQg!c1EZm-`OMn2(H>0}V!HBS72z8Yo642ro{HgJ3$hMT<!iKFZ
z)?yByFQ#ScC$}|M>Kzw4cIS`T;MpXZzsR?FVX@VZ`vj@W5?GWymr~%U&!famt>_N`
zhAysS)-o>mYojr6{B~j?7JMqs=B3dzT+?N$d#x|N0ZD^QGggF#@j4Gx9P-<t%2K-&
zDNg%0bned{Gu>_->c(kEcAqfB2Q+Bak0uk&PFKmxhk9Rr94v4kDMn*f?GX&TpdjD#
zvJkVDFApup$-WzbTRMCfJ7?b^kBe?LR_keOKUETJ_QAz;=NgKSJS^}Eqk|o-jNf|Z
z>S^jJSI~Q{mb&aIYnw3c+}rIps#cE__UUtQenVYFn=N_uTCiKPUqjVZXCXu^ZbsVj
z-ivW<|1SNhkVq#9!Y9$q$4yte{_}@6duKic$2<K46Ld~xK2#`U-tM5E%YG=IN?lSP
zU9mCC4~5oacARB+HXL_%KB~eh@PMc&OjgF~4w+V%b=f_k<huA?xF$<BA$*2PDCkG8
zR26g>eF+8!z<mp3F!-}%KZqir>I!~|#3F_ICZHF|heDbzC-jG?4*tzpJ1tHYB3aAJ
z?wSyZVLI=2am!4+R)SI~+Z#7%Vf~0o(s+=&&@VnS2n#%=9JG(v<4L2u(PcKhTYH0~
zWAK37{?Q`|T>vG1@ST~BwOLBToB(|n1+8#nIl@<(66po5a3Uy%7A0~35OBSG5AR1r
zo6xNc2l(i?*is9i(09zeJo5@;=%iRmqg*#@PqH(ZN!~aU!RSrLy_df<j}9Grn(*I@
zBTu_Z;~O*jAb=7On08Rbvxd!@0|V*GeSF(XSdYW*xV2m{DPD!o#tr~#aTs;(Ne?Cx
zenek8NK!E^cy4kO-@JGVN=1)|`Vqkt$5o<tN}sfqH*v5JwC`;)v=ceN37}k9sXVUi
zglHV4YgVy1#q{o{<b;s=P_hXqjCkR<*iGbGDC<B+94j&AXG^<UP9rTD(lN-Bq&iYP
z@OYNTQX(hsW~F0#kza4(=p2n632uG1!HVBpoV)7vca!`&4-wzrb#_0lNOTYyLsGT~
zudYPu>5>O_u~_;WdJa+0kPN44o%t5{>4}}O#D5uG;2o2QNVGE3uxBc<cv#`tF&Cs@
zj3j6E1Pvy;HPmyJ$K#FaesHu%;I<BoCVEojVHLFYA}MA*gR^3zu9kF|NDR@f3s5Wf
zzVLe9Wsni&TW^^Zya|-CUPM?r|5&@<MUX#j^_38DT=bjMJ3!SahGJKOExyeQ#r0sZ
z&b@NaD>$L%S&;6t>j@Mfa5dpsjgdMCmUJACR993Jy_q8CeXNyuYBxAG6(IU#j;2VV
z6H=PfM>Q@%sO_f6YqR^pbwaM>wAwjz&RU`!jTY5^{l-Ins^g{v-}2^m>+JpgOGrtv
z0oMHYy2=!uIoYOVA_}Mev=Yp2O><W{w`1=1JoRuaW;x@>?_=tEQ(DYN%49~Zo2Nko
z-@a)&f&lXXlY(_p`dJx^cd2ejfyL1VKVK38C^%X9U?tF%B9bayw^UFcEuW5Ii>L&j
zk)!BW<@;$($D4<0`$~RT!fgt`mmFeAzNROjpnCs^t^asQJn-_#MzQf3>8UH7v}<uV
zJvW~QYH=}f_tTe4LN5L{-ej<a{fokKgV)a^+ZabgO7IL1k80p{B+luY%NatDz_?@L
zO7iM?$Ro9Uc3kuC2&h7;bR;12<4>>gkA^rt!Nqaq3j<#Vxkkcaljj1*!mq7Xx3nHM
zG?DrcmhftZHN)Y6O|%8A<4^{XW4Ow9<?096WeqHseX8B(1%cNo>98!ufq2eiCZei_
zFB%@m<*iTt+XS?1I*t6t1092f=&0(`67^+RSv^42V}D_q`v^tL`XqBLEw^&H!y$b-
z<~rlvm&!Tr;N%Sf$hu$|y2*#OXW9bECN!Oe4v#z3!lmL)1|CX$JrWs6pP-V8m6-<-
zgK1Gm?BmINS1%^*VX6o*=n!bSlriGV(J)&1CA+bnZ;Kna*DFILQ$h3(o<pLJP-;%r
zBgs5TP`I6sbV-f*+~oKu*II2ylymAw0t#5%zbqq*K0<!RRLZMgIA?8d#1U8MAMah0
z+4srP&!km{R?F;9kyfj+NKex<Ts{z)DbG6>=;)G+BeshZQzj*t^^)*7G^@8lO@yn3
z2-^~ZyaPQN%QJ+v#Y(_s*=1u+1WX_{$@5gsipL4J{q9jx+Uz1Ph+3mnqMl1&3YLC1
zf1QetN5jO#Oqh=PS-ke=EOx5?dQS;%&?MCqnzHF#+Aqk}?cU{Kh;Lx}VRMr@KggB3
z=f&-vZz26AO(nxdpk%SktY^7Jh2!uWEMCAeu*pkb4l--aqNx|W*D29`THM9R9-V5P
zW8$csnE_69soT?yFlx&W%i0i`q-$!>?|7g#NsXoiw1h2!G9gmZ2{Y8i*tW@9i=Ztp
z2&(j0eC8Xn87+FJ%<*b*mxb@|_=-?ZL(9r<xE+G^TMSl+GooyIz3&KR%zWsDAqu2E
z#ue-zax9!T_ZIe7i6o%n8vO1}y2NLe^!0GM^MZv1S{7+=>xB&Dhqf)|HuLT;-IOon
zLWeWKCYSjxG_CK)E7Nf7txr@d&cw>q2Gck%&aI9RCCi=;DQ9Y)F;}*XBaWWL8zAeQ
z=+DB7z9iFX=+RR|vlm64{7{x$yhF{*-qT#+c=_;j>dh~EaoAU96Oy)q0I_HCJ7C_w
zME@c!g0=mN6L#BgbHBVdaa{b^OiY9Zan9ep=^}AV#;s+^NgnT>>J1Nrt-)%buD)Ps
zC$sH+xmY`zx7#rXGV9mZiJPZ+y2Yc|up~r#KMSq&pN$%HE&Ybt9<B6Ljn&B^$F|IA
z^ggz~@ctlLc+XV}5S7wOVXh_Tctnkl87Qg(khO-jq(JG@;gW%rDJxK+Xuxa6z^M@i
z2~6RMV}61rXmL}QC5t(2kv3kR49}0~F`B%ja#Md(^viv4A{qcDg@^2`$A8?EHlj8$
zl2K&G7C$_yqhhl3HmhNqjB_>O23dV=Om6zZ1^|?ErME**&_Oa{!~POtnuQ(yoXRTW
z_bCqC-bZ#8Ykg+}aa3arV2Ve^oT!}N!Afer7Usk8-K$bG7jDohhK7u2&OapcSnS^t
zs~ak1?KtHa?<mFyf9k>Dd!gr6*s~6)T{3j{OP-8W3Pt8ARKl&izA>EMM;Jqh>10Ye
zsor)pbFk@q<`~?ic(yqt{S*bapH8@B*BF1AyohclesBkXYg;;6>O+e$w)8ib%2#M{
zjsy&iATD5^M&`47<)ziVf#hH6lI0|2x*B5+tidTNQ`-q|%1b`|z)CE}R*DpRe<O#Y
zP@!6<lpSKx$K6VHD%IZDK3B+WQeyS;N%`j?N6#m={rRKWLtT8U7RdNgPljy<#Td)%
zM$`6BkqCKyEP&#s(kcIuU>9jZ4pYH<#hAd1gf5yPYDmD8%v8O3zPV7+6&s)&q1t#}
z(r&3rwF4sM^r&`I3VxmCo0jJi+M-DfNh)n1r;55HX+J`#3QA34MZN)u7R2I__}|7v
z|A08X1NV{=LkA2X8&siKtSKn+tEhg(&qTdM{r;-saWc+~N;E&1>k1QK&&s*t<+rMZ
z4v5kWj`HRd60*}vs0BgAB8{U0MA`2JA&LUNzX4!wb4GQWN7@J3XY{#nrv@7vjMlO!
zV%zMIq04HNG2eBg*jp2<)ZgrSjuKjIe9+ITX0wSQi5?J@3yD%mjg^IAtxQQhvN&42
zHUdsjXCiJsp2fo#l<GM%*J3dlG+b28-PiQ=K0h2ML;*x&NxQ>7sfoC@u9>>yO3B1C
z#S!3}-9jM!I`LCc>-+nxX?G$46bQt)ZhrY+E+_&hMo=LyJ!KSQmNjwU1}otq-+u>$
z3yK_wJ&Uu>u_Zqwz(i9|=vUAKJKK%HxhKWxw4oQaHR%=idTc6+=FzlaeE8Z3nLNJ>
zu4F{NT`o(-?U|0DXI>hKT3m2gRGpjd#^C|1_V2ckik{r7SBFZ!YBWmvgC!5#KcP!(
zl#8?#U>=A$Jbz%ho<pWij(ragOlmnpr@5Wfl*f4}(2Hd~_Kh%TcP!Bq5{)^>-^9~t
z)LG0`>2`d<Xn}2x5)>a`1k0?dh<<S%e(qnD4rNfsLb&g6v#9NuF8Y1Dz;3-PM!gQM
zXxO#V=6dj4EI!5=at2@iaO|pyY!@_Nd$uEu$K`aWYO{&^wmCOeyx7a;c+u8+1o0sP
ze|gXSk<~}j*%CWSd~i>E+Wcj9%3#M$L<tC4{%(12q`0sZ2zCUo)$LSS&8aBzfbXeH
z0)*5MWFbbPCqUY@BBJdQl`WU2eB9)w1>BtN(=y!9F~1(n&KLYVQ0QO~Fl|UH>taxf
znO)>#5N(?86OvBLJfAkJcg4NNgPUzOZF?xf#iK7aKJh-{JSHsdU%!PHpooAzROjop
zJSr6*wYkQ-I7!=iJGPxyJWp@Chrnu!t7Tle;7R%ABrmW`qPz_P-CZVs7y)GlXI8Le
zTW(fjS9n+SgW?1B2m5S2asHVW^UxW7xmjV7Fsw*-X6oF6mQ~x+o-OTQ)Z*uI+vJu7
z6=wcLmq)C@Jdruoa2#uDh{m-jwdi{cP5=_~Cga<;2<|G1mNx+4b<ewECiaH?<v#oh
zm(7Cb2?wCoL%y{*U3Q|Ym#YaH`iSjH3dAn+IX{}j2qx%EeVg`;&tn=e?wu6C*<#F(
zNN<U!9@Fm{KeBfVndYMp36OWrZacv?6N4BvY{t2kjY8RScaSyTQfwLy4X$2Y+QKI;
z-}j|9{!)Yl{M=>ZR{#e{n-fhT0Dj|7GW#b;V_73jUuWSjnx2cZ`4A8f<dOk!+4|Zs
z)Q4`fDk;|buh3#qOsUQvzRb;f9j5M%u4dY^FN<E;t2(+QRM#aIOc@AuCjI>7D}b3@
zog3EU0)?0QbfVo&m+a0SIA`ADn_Y|tO^MN?4THq#d=VB~*}CI<Gx8(rLvzvr0GJ?-
z$Ncbd+40pf1u{8gUuYuuvZ&_VP7>KfX^j@58`IrUv3sNyf}i*zBG!yVo{}JI(v^95
zYh;4y1>Gh1btkWA11q&dp^I605mXQC%LY0dxqwsLJ3g+9pRRU{uQJTKgXs0y-(pZ;
zUFhnMT(iVBa{q^J1Bth%WJ&<w9r?`jyEZ8JyK#ui_i6%YnCRNit*uup>xL-13%Gg{
zf^ya{<<DrR7<WaNP@p4aYpZuy2-@BC^)q_W_(F3brx1^1xx(~&g7rMHsOh(F-xC<*
zgdwK)|Eump&dMkuwmkXhht+bboCE-Gw#GtfVf-pIF*K+^;jz|T_(q`Njqyd>BjtaI
zq#6&@Dqh206VPjJwWThi=et;y-{@|nDJJ1>enRP*3=Q<KfCA~z#3SNMhPN{xSigWL
z-4Qi|0so|M0N~0RwHj>m0f%Po5dZb#8@cZ$ObP_=3I`6v<_l@AV(^L;zA=P=q<lCK
zV?@Teh}LH157suqSvR<g`BGkZt^7t{w!tk;s`T!I8X-G_-9k;&>lJHQ%t|$_R}uXC
zTDDmvYVZG*6QXPBoVe~H^}6)83G$Mxg}<EhrL)LzB)hHoF5YexQ(UdLA+0pA7A1CZ
zzK-4;!Ke2D(_=P1Ofauxru`d;%<Sue$P6Y_lI@G-+`?aECbG=MgYFxA^2SmLf?Hy9
z1Frmlep%i$tEaa9;-`qW{vs~FtK%WhT`vc5O5{O<b@WdAI^c6$V$-)Q2T_ClY-2c6
zRz<DqVSGm^)-_$TPtg|Y_>@;C*#Ik<5)g^Ls)s%LSeTkRkk?FOz*UJ2@W&{}Ls1q}
zms1GbpAfR6QA6_cpYwgcg%u?r^byFHuh@S32}ZXrcvOb?HPL+az_KTyM`jUrjx*}J
z+Rp~EY~^eNf7UQ5VP;QJRRMM&Fn<V_&0#gP)vG!;_z3X3T5({iB6un3k^x#lOKTgp
z7EsOaa5GuB&ZJ5keMy1I)^Fb3kg^lUeLq7){u(DfNFnuz(V*ZxTQwqM>r8%V+bgf7
zF2M}~44}2VQ5rfk1UHODFNbvLyEtQ&!f!+_4>m2=suOh*kY^0Hg!#j)Jk^W)2i~r*
zV6&K)CX3YE;@ItIU2g)<j>_zn%C;dNOaz@TQXai>Q4ME_>)#QlAiISiIYrEaiM0e}
zA`bW%U@}{Nm4Mup+!d1pOvLM!xt1+g96`(Z;HT_peHyQ0B2#Hj6f*zG(c;6=*p=_x
z)wq_3dl_Ed=^j}Ti=jq_XA8u0zO`@$GFWCcSBkVl3cF<icvwOhdITuSs(Avukb<sj
zCMqX*#b3~bA-lrwNr_`w)7Npiw_;=*lkw2FumK>I!nHnCTzqftW!w5?0drx}1~J^R
zy9qQ-lSZpNjenLuXt}(aH(5IGc&&acy@h%6W0{I-mJT#+S;~UYz^N<wzHS*Sw*j|8
zmwxKiNB+nXvi)zd&l-|qWA*t<DFh*If-YD2KJ|Snx$K~$$llSDxnfRVef>?jY~1p)
z)D+deu3K6a#u*B`R7g$uSClg%5=)CyN%~jANLC{V6xe^A$b1oaACiK<$;d%;kWI!?
zSJz*F9m)em#oRX#8~T70)bkjpLjpv~j^ci_8vY?BT&3t!-f~sj36?ogv-(bf#oK@$
z5riDr;mz7t>duz!=(r4=pZ|)8m2g8Q+m<#K^uGJ`&95{!e#+=#!FV`lJ<k1vwk`A|
zc?<{H{M+3@sSS=MuC)V=M}l*4m2|CSH(UH{gBIs+{I}=q_w0nLSW0aEG2K+joDJa$
zd0@cgjWt$1(fUyKqS;2Q$`wCzI@5^bhfwej7CzdW3h8E;wt%*6s5LB&htE^aO&~kT
zU`FbE<BdlrjWmzKV5k0-c<-@f(P$u|nr?gfO+;Tw)IQT<p$rKd`X4Ysxd;2BIZ0pd
zy;lXb7+^tE%#EXJ%^6;FYtdcaANvJ$$;QHh_hCF<01QB(#I3!YR)K>CGG)m&V^z0i
zX50zHqY2u~G9Z|HoJ(KMk+g<sRU)44)~v<7trjt&s4UrxL$e14GcDz26+y!V^5%A-
z4e(P=JWB2$s|QaFwcoK|qbAcJyU`HB!L~aSe>esQd^AtK4YnA)4ROGZ!C1Ku?lgU>
z*U?aN`Umu|?4>Ot3bJ=;dLA?J_kCiY*i8V6u9@*+@p}Me^{z>Uz*+Ub-^-n9mOjn6
zb9*P~2*IUq0+(+>TEh<<Kus1jw#Md6DcNc9jB>cq<Nxv-`vjkd!J_($Li>6AY3EAB
z5hGd?qgj~}7{9Vls3HFaCx<nBO`B$7T)6_s7a3q;0WzznRDnMM-f4lHb<%TeWXAY8
zsb`}2oAb5%Vf#s2Qa$!bM^a=;xnU3O)rT)mlWbM{C1frr)l_7B%|9whuRg(BpREmA
zoOrGgYRBLSVep4H9aycr4Ur0^(xVlYzZ4kWQ~5_PKmz<;gf%$7p)MIAT0zTriM$2%
z-_hdjpoqTEJ-m|#38H=Y3&!y-%V`Ca(!UQ5ZR6d}CyRc&C&&Y6_c&DFB<$4P4m8qB
zJ{kT;jGFiQgi*#=GwO?(1R_*>Y}#k8HZHILu!=zRkE#21z{x=1WvMo~g`Y2suT?W5
z;`Gvg>Yfi_1?CgbLciAJQRXfK3zsV+VeL5~{2!62sv#gU5OrO@6@yQwnt}X_rMgNp
z)$q~_oah$&IpoJ1mcJvD9074=Rdpr;L)HMwC9vDA)tl9&XS;(rz~lS-vgvUR9hygo
zqLMSTl~t+?bZU#NfN=j2>|kUDe67kM5afI#P31uR13n-)drh5}=AGu>=ka~{C#}gc
zWh*q^gRYhaApxrwl9RtQ&0YFj^1k+dJh1g4Qj?f`NA*;n82!UqrkR}w?JDSWUk1!N
zs$AR}u#SotUwD`)5RJ07KGDgdZf#8|QkeX8$!SQpPHdHoW{UrocwInves(oU^Yv}B
z>Ja{Vf6z(BPruJ->|A~NcKp*6gC<Y)FO6CU_bmB;n@ei3C-fqp1ZG_NJ~}%u95a<Z
zDg^7G+-v#P%8LIF<SEzr3wg|%O)NIV?2TGBzyO$ire}n3dVtQ8jIrqOXJE>fxoRtE
zI}N5@l2m#o!<_2<y})Lv{lal~-UGh&ctoK70%%U>c^|EVKi8TMTvnuQZofX5#1k$`
zfUYnePjYkSzAAV3=@Je6NKG0*Tly=!fa-4^FN>qiwZBNoh$WhO>N@ZsMsGEN;YNtC
zZ1yY24`c?mZG)>_?C*!WZj{1+jP{<9C8sSVM70--P<#Q&Rz*>8H5}HJR3ey!RSN=s
zsZMH|PCYqAyRS3?s^xdg7CVw$pciR+c3w1OSj(vP13*}#oR@vC8tNN??>0Kl*FvnY
z00_@g@@G-rFm`5lGx&hU8N>qS$*r_!^RCu%?btv@Td_CW99>{fCd6q>`F3&{uZIn`
zfG2+26njzPqgg`25ua@=9RG4_&X4F>I(R2dDFv)%w*`<7U^vm~rPILErX4z}&o8Z~
zj6Z4EWdy@nv3GY?7-yibJznfK%639b19GauxNv?sX}0#rHLqFbWV~b-$sB8uNd(4e
z3Y^<9l&?5Ysabp<c|Ic8x6XcQ4R1Hw+|r(FpnD%<#%4T7&OVhtQ(ZCk7lE0F7tosT
zpW;G2;A+07$EJKRw6=6(%BYJ8c9a=PXDj=~1%CJb-f(CJKDWQ10?3SydHKLn2c<~v
zGK{5bWW=Q(Rf?y$(wa!SE56JBRGbf~GzU9!;6UDlGsdLPY&I~Ff#F*uX6=dtsv?FZ
z?-&^x9qo_5%j5-_KR32jD$k;-{oYCnTfbGHq0(oWLq|{87v<k&exz%!V<NjJ^C^0g
z6!~$2GIOUNTe$?f<680-E97tVRouEaMH}VaVLbINm$w6kZsX$P4nXFs3jV0Hbww)b
zz2%Hh&Qgp9<ZNX%NCH2VjVAzLmsSbeXS{0NO_}hW<Hu)~quNW7@E?Uqg=UYw?_e1w
zLRSFuf^RqwAg9WJs~=Pk){~ca0C-<wvUt3dd`F|r@4{T2A)K{De;1kXUP(kh7C9@u
zdSrqSz^e%+`!x*2VG5>JX9-Z179aW8OPimihkM+YF!OEry8Ed&z=3w|a&RB|U&p7l
zR#Ndj8AuFJqXg4B3Sm-Ul!MfuwRAdQKLCb>AD4*w|Kt*2Skv#)uzwrPQ3{Bc96^}(
zxbzC&|NiqdaiN2mHRW1BjDs9d#85tekrw(xcl`C;ML*lOme^}^5ls8bdtVRIP-wTx
zROB>A;N{+RH#P3u1UcZ8C)=JIL5_w6ImMvKYui2sW||q1><n#a)axkv1y%20AqGPA
z3jA)@6ZGaAcMTyv5%}W5Q6cgXN8Gnz`X_;&?wKwFwx^aODc1TELLvo;9^fW@Fp$H4
z#rN`6?*?6)=|-Cb=r5%iado)6to;P6=Cl?OT9rXCFfknSO<1<9U#y;@0>IDy&wno}
zr#hABWIDj-N3(JG(o;pOp)q&oQK(}x2UZJj6a9x~?WO~hk+@%I0f<LRq^Yoy01y(}
zG?utmZ5(zyoC8dF3=zn@Xi<z<YkT34Dt^ani61_ukOKSS#607Bt2m02Lm>oa_Nq?b
zM%*StTp6}ovZPW|)EK}nZ#MplaTdbA(EP#UQ8z=bwi1UqV!><W_S@WcKiQKJ%zUD0
zUds0PS%sgvJ&NI{X~}D3!odN<F$<htajtek-f-%0f#+cYb;A&0a)XGz7n^lR)~OWr
zSJbFG{g!FdP@r?ARqnr->TY}Rf00Gw_Ib=uFVr#QgU_uB^8b}8d}fYn!_^`nKEFga
z=s-^Ae9c*E?{ai+@5(K3S<*h}`U?8Fx;cb){S5VK)89#F<(CEWKeEvCyO!~s>b47t
zc?5Eh9Idd|s-xh}4tnDyu#4tLw7pdJ^P&|5%A<T8`7|VQLh=7=nTsCW92)dTLA2v(
zy<sll>4g@oF^Wru{$%6_IIze0+gi%TRmcndC8nfeTWR)ri6Z-%x(FJU>`AvwVmo5o
zFq-4Fj6wN-S!WsUVzdIKGE2<o1i>HQN<{xI81%WVNEB8<fRJ>R`Pb+0>oK?7N)3#|
zhUB~tPFHo7#lnMmflqBV?jDe0S<EItt*wauY<Tg^M>F=8u*(Z?MY2`Q{~%H)S7CKQ
zZ}uv)tE*d^#?^sH<@o3QTV}Oq%Kw0Pw<=c;Z=@|Jx!Gx$%~cZ8fh!K|+{LQindpX0
zj^&|&%;3h*X5w7#Z8J0cY4+E23_r5@{_PWfr(z_OPe=<KL4haMAW0)>+}W87nwOG5
z65vxh3?km6YDG*yu3>kr0jL`@@`zLdI`gZT*cjNY2UvSv4jfPgu1O1#JlNM?NcteY
zj!gLXJu_GHBoX*K65mY?*&{E_ytPvVhz8d^xY@W*7>y4~kc-E1lxETT=s`H++k*99
zKr;lpZaiT(nuDeWaO{^gdx}u9l?uL%iR)E-4IYq{@^n~M$YvKc5qGy^Rq8~8!`4y{
zmwUSxR<OyWev{rB*G=Fp3ODD856$=zg81|#x<eJz0`0rD^^;)Dgc5S<lSFPsm@p2b
ze6*EtF4i2?b`U;qN*VW@b88x!^2fgkS0kl-&;=5d2_6TY8y6=_ATnB^^b?-ZNRn<g
zo$@8|0z^^jT{2JlbF*~%O3NdQXaN?73tifhO!6nVk!znkgM-$MrE4wYI=V(A1W3<?
zJ%wPZ4XfAO3?e|!@QO*t`tkQ+YWH_`=)D`2;e^V1PPIC=KfSt*)s`p@K1ex#?qzF_
z{39|U%`rjh&Hc_fMCtYQfBXs15#^ptt^!V7LdA6Ia)7%eSa~-V?J$0q3#2NaT`WS%
z=nV|MNDv1+PgsoXBozcVPRm{*?-rm}^H^BDHT^1uEYwQea<6Y~TDyIXaYxh&*3zM|
z>3<12FS@+8Dw38%o;ZlD{Tke0Dxc%{Ip8ZawyD0qu^k9iKtze@_w}DUnP>6<hewrL
zJS2+f2UGKA*v&LEV85tWi{D>gaa1D&`ANwW>5~44y3g^nEkr1P&E7YRzv|>@R(FF7
zn8!hG47r8rsWV#O2cT|SlzU|ta?EdRLJH6-?CdwD@a)Hl<q)zqJJQnng7?d|e_SYN
z;IT7Q0oE_kK3fwon7XK5RuIuZc_V;euUYXRY^86{VW9Td)|fp6+c_{r!5tBb{@OSJ
z8u-s8#o`s50FW_geFi0Yd@zCgXdQQ{U32l%OUL<YCgJ8dbSqNoBsaZD({O#8Q8nw?
zGH0btWJ)#b^;5%h$Ao^?(07#+;1yeo=i~F{hU71*7o%Y8LvJhdS?Pl=7<P+F&YiX1
z%_}aGX92uGy=IiEu5L|x;~c*O66qMKm_KSNP(e+<>T%Er-j^Hx(SD8fW)T<3D+ywE
zhunw3mAs5v39J)#-pJoRR<W+b0D`~F3Qq>!N{OZYD0>g#^S&cK3seTV^<n#Km64*N
zStJZI>rNCPhzX^oFDWJ}f&{6lqEFC1CogbH14o^#l2;YBSRc@EL1RCj-j#X{-%x4Z
zj$T=?$J2rjimlfr^^M4hT_Kcsphm{svX{O{ky0Fv(=#~h>in`)4**aiQ#G^|S_sXh
zG`I#Oqe>^`P<>*fy6D3}+#>B)Gs`H$thwP3CIemx)QF6mCASXOVk<H_Xh`xMNVn;+
ziZ!sR+=grR;On|Xk<yx7(|LJIL31t36%0Wr`k9eM(_ddJuw5i-)ajIC<8<u`=HbS>
z09j|B&tos2rW!Azmy@miOY-s8@a_SSKR1~UVl%H{_<G-<<EP!3%fZD0N|aS*=6R|7
zoYkjl7-S^A6#Bqu-&!A8jp1vL^lxs7=7?uL%Vkyn8vZ(-<G3wC+@jW}*BDn=9SgYp
zo93uL7yfT!Ul)|b;Df`pL&S!QiG6#<_qjaA4^5}F68WA<0!zeNot^{ZpHu~>`OrIu
zkj@kFBCp0|ND8HUNb=o>YZTv^A2AFtz@%;0P)vLgOl&8EFIWFt&0zMO->&2{yi~v0
zye!2-jLSUT3roq;Ajnrvo88Fixb0vXTt_<O>`XFayw9j^z1gJAYs9WBFc9pYpy_ZP
zF1wLG#97S==R*2B)?RF?86IB#V>?4tiK<M3f49*Eo>@3F`YZu2tIl2bzxEdl=df)H
z-&u2D#cOs#QXLU1DAN-D`nbn*<?t53bE<4<Jzdl-?yT1F*bn{4d0kmaSPbgcNEx<X
zPw3vtN4IzNt0suyMfy^w_&a~W?vOajc|d>MSMMSYezOd(B~_g`%dpkqAmptX0ufEj
z$lVd#H!mgW5Gw5O<VL;lI5T@DoObKuXZwD`bwXuf(5ye}xGWK%N*M^5d9e9(%03`x
z+bGWY4qg+UCh3mLNq&ctO|hYto0_w)%jMp=cN-CO{@5dNjem{}>-?DTa+VX6;_mvC
zC(*B`?{RH?BkPTObmI6}8vU!um4_05bJBi3puLUK@e=QAO<UY&LJIyxMI{>AdiDd1
z6am`oo5F6!o6*YCP|H@coKfumRML-3UEr0tS)v|IX|p}pXJn$nWP5Vr&aO1oD9oo<
zNosIKP%iMs-K#&5V|9W6#c(OmdmZ`J$lWpbPl<a;k5H*f<1ED;6YB2xewmcsB;2{0
zX*9>#jvZkM#h%r14DMpex0T8Qkxr;7Ja@aYhTRkrJoj0hmXjYk&WfjolD*FJuCTku
zlZ<a+VBr@tK9curPPer^)PQ`}=?36a68GYvapy<`0RU#%+l^|bV-M4suuF;2F>(V(
z@m^F}1d5u*GI&3JVdWIh@3=xLgjk3(qnB{=EII7q8GZU4k2!~pS5}A?ehgZHAnH{s
zrTAa<->_?9=*?(F;R~OdmT+!-;P$@_?G|lmX(661tJO02Z))g^+auAZW20%OGD^{)
z8^t|Q#%a|%<L4;y(NVcS-yYlGT7;(#e?Wft2>A50VAPZS&pNP@KqH8s^!xw=1jiy}
z-~5HQ`_xPTC8|YIUR)(E(O<W=WFeE+`$bFC%kg4S@WwF!4;|>M`bZdoIO6_$juRf>
z{oN=KBX0n<S<rlZjh{6eiz(klDj{fu*E+Jt%YOPhU^o>8IU&Nj%<@d3>Rd;Ao+x`_
zW>PW<3ivW#%fxy7<$kDZoj5iE+{6XDrg6(su5Gpq;g8x8NFNxAfDffJxF(oZ*d6!_
zvkDNMrD~%>Q_FtyIh)sNj8&|)Dp7XJSbru<7;CyYETz4^-DrulWEuY&745)G-Q6e6
z$bNV_=djg(&^yHjYW8e8PZdd!(V=+*NUOW)5*A@0X08f2cvy#8)#-Q)fLP4rj;&4l
zXU)8d0)9IhrtA>|u!<{(xtfUlL{ytVtK#a>ERGP1l`+q5d4e=P7v&j&y>7;p$Q?Ur
zFp|s44p54J^$&1EV%J*y!Ei*7f|tXQq}CvWiWK;Q=j@GUO+wK<Q;)!;`lsD{n~$1@
zEi~-#vEc6OCi0Oc<WG2<UCzr2^wTA3f=90BNe`OO*OP`sB*A;a$G;&z(b!CYosl%R
zI@|C*#a2Z=WnD_I9&??rljbh>dOdf}wI;=Z+P+cUVgfBC1_gF!eo(8HugJA5o&3&X
zJ^Ly90qdYvFE9PGDI6P!sAYK{@KJ*lPUz<ng>~-6_Y)`|W$00BdB1_QjdbL)59kRl
zmEtwSfr@T7|Jb`T=#}ISoEb=Q?Z=|Eu%fSZfWc--j1Bo9lt2e~Q7-&C04+pA_u0kw
z<0v4E`NUVTvFhkvicbDdN+yd9>A!uf`ryBOtn-y>c~Qz;9AxaBW2*%%;ad=e7TEo7
zL#vbFk;GiSJk2}HkZ(Ft=&7v~LN=EZJ0kU%V?ti4q_%yJ{WB<`{uzAg__<Bk`{=OT
za>CEcob^ZA7ELQ_WKXJmEaX!0-T1SP0nAf+HEZ=4M8=FmLtll+aK+QLVcYDTS`+kU
z01C%N^Vg3o4zm7HEkhs<DH<E3G<H2dxD+Ge!qJ~_KP1EdYmJSVZ{(0yC+m62i^4sF
z!lRG(P>+MG#^*tX4Aj8f%gc7H-y80j_|blA-FF?hGws#{Szxao)yH=qR)TD1W2Q$F
zakto=Q^^ESx?pY`jdc`behzYMiK9%LKO-z~OoS7`(5Pgba?^vFH<LVi-1iGQK!gpS
z&)Zp1+J9B>55AjRM5w%iJ7}hk3W^7=Gd_w#5}jzv>povyr3W9|d`~#!+GIvOzGZmX
z5F6^PH#`q*QzaI%TKu1=&9KH}<%k{pYb_Qnr+e9D3_uNnsO_S1V8r3K>@57OWIQq#
zj}QN!JgNWxV9v$?3d?EVot#kyfAZ{3aLR(MO`evxF36!XD`lwUOX=gFEL^>^Jo>~Z
zU7@POv)U1rhHIlUJ30*fOn>ou0`*wjg*IB<N?V=&5w^SQQ_0|8LkzLBUMbA7@o<4s
z<%i0T+slDq2BnYtKbO(!g5uw6^~ztU&ZpEoaz=vqX06=CVoA-er+Ha`m1KWE<(88~
zd#o%nby+n9(wHv7xYE%@iyxH`TW%7Za(cQ|lLHbnvC&}YAp+8jVu)|pYy4I7OopF|
zSBr!3tEa0gLjr1G^zmRrCtI6}=X@o7<y3F$zzff1XfER(Eh;ojFGIQ^whF+#wDty5
zL?TXX7z#cf^C1AhrsHPHb$U-rvu`s!sgV*(h6kCL3!fzA|2GK#2N<DOu{=AtF#23q
zJmXZ=gZ-m+3Hrc7lFI1_*4lC8xqYZr;H+C2%C~yiOq`xlL$Rg+kf%kHy@8asB1uc|
z3GDX6hRCnM%ps8z`=${@ZssgzimqQ<8@R4~8O1^5xs(t<Twt6>WWL?SMyDQpQfu%P
zS`*VN(VQbNLk`(sc%#IO%K_>JYI^#C%96^{YeK0Q@t=yD8^{@1Rbc@o70c1&!Vr`$
zDEKQ2KT=8~(GPQYS2%aXx(wk$;YjP>Gv7;M02(q0QV%Zc<Y4u6Z+$kW<94{4Jnq$r
z0h{r0crJMS<m|p{{3R9It+6|QV@Ld0ZM+LaSNa{a51$BAu>Vltf~6wSkM9xz0FBBq
zn{mQ;1ZOEt3@oqoCfs?!Ic=_Plk)@GrDeVhex4-5!-F6TnJ&#&#@>GgW1Y3Z(u8H$
zMb912B>8>M!ySgyr4+S0+d7IYcGu(6O)a@z?gSI$jH6nyY3HqO=9CB%4wxr4MaY9I
zu8{hNG>#f_0xUQv{Z{4QlQEQ19ZsNie0kF0Y8SQZD4t58Vt@m_(=W6O?Su!inQA+`
zT<tU<LBI_PH{!`2P`deZ692?h54PT)>@-P5<>E};=?`(Qw6`zM#8iP331j5`%J?cR
zkW(~1<A9eh2o@YY7l7pIhqI>EY2TT@N~^WDf7e)R4R2d`NPmDD)d^zwk`n!TrrEGr
z^(%XcwoWqm;&o6shfHPiI)XlUOH9{mV)QYzeEelQQ>=YZc2uvYpdKDVJ=O2B=`fNM
zZ>CqO1+jw9{8t>@UsXtwhtDMBfvf4H;@NI#j~2b(iv*0rPKIs@svt0};>&ffqAlWT
z#D?{fQ{IM(v&C|^qI&Ecx-oQ@fl2Q-u!H6dRp_52E_*!{bAqL|F$v=7wwx77<d%$I
zYu>!ZTaeJ*cVw&0yPm_~@=J6pjC@nYV%Em-r<<PJCpkb#IiULouJ!tLiCR4;QKK@@
zlB!VlMz?i)q#}*^2xO?)UBQlk>|GXvK+AMJK@ccM(5*Fw(TPk|Mua`hR_f!E4{J8M
zWParLQfEv^c()EhYMS9Uzw3$du5(yfKwN(a-&pLmrr^0WhdH&W!X~9mo^h7WX$I=g
z7wjEb!H=65_1FPZ!vGQUe*$hx;a7p|1$rDG<VU?0Q6~`<O@&@-qfNgUwX04dM?@Po
z+8-k@L;NqXB4ZMjpdGO*vHg%N+`K%@$mS9gE{h0ihTKJ8c=AO47pv^wDhHqm)6nW!
zv-wB{X<Esy&EgZV#!qJpr}a-Vz_7P-@PJ)Q90PZw+PgXUe!;}Me4`vkW1gkI@u=Ei
zr4+n%54XOIfF#CFcfz`tdD%GS-<bL}EQm?0K#%YckHtG$v|UtgWB#W9mEbBhTF`cs
z@~;@bCHdZAwd1w?!1Sm5AbsR=Z(<=VmGL8AD3i0Lo||s(B6{jy+fNthSpTjud<tgt
ziNj#LQq+Z)YvtjdShKl+CktKKMu^S*G%+CVMB`<D(g{>4dpUlwhSLy~h$_=BbfrC#
zQuo5|tEt$#lz_d;T<3ION5StQ(wgEOp-GfCnAlDCi_6bXp-=lI`E~C6J(vG4);PT{
z?XTOLK`2M_mz8i~|H}!Advh-=!!)0+V}!a8+@}P<9Q4_qvO6~^Bj2}qG@Uo!6TuTw
zU{;vAg`hyy&ckd6o0fgY3gr=X)bA9X3nAN;ld}tWwE2{Hsr++=n9k5$JX?j9fKmkg
z^gvu^ncK}H*j=F8_C*&|+ASwpsZn9wUP4@SBxWrBakoh$=Er}Vcc%oo1rF5VghBxb
zLV};(0=JL=kXcaN2V{y?7$z(C@cRChw&E+AlhhI9^3E>J*3+H{9!{FAw|Qj6qaY)*
zkDC^p1KuNo3>m$uffDvswcc!NA(m|>L?{#L>Ia(m<u-yjS%&GDU0S41(mq~J?NCbc
z;jn)af^6nFC>v^oiwozM7bY<w0zYfa4ILIcE>pgB3sM4vM&PC(-ha32DSgxEYfSF2
z9pKX7Vds8koRTL-HNax6{%;~+^rqwBdbIqk`tv_EDE2bpn0EOrrpQqVZ9zu(v(w*j
z#;QWDt3$Ydo#KXbhh2ifhYd30gD|pEl!V<)b~f~q==`jEps@>}X)bz`lk=YUrN0&{
zP&ngzTv2WB#&abS=u^3l>&YnLeM<8O^E_LEd^8qd`0Wk`><P4xT9jdc)SAmq&a7@Z
zgNN{A8YtHt<n-2uRpHehN3Un&aWSalw7<#N*M_o-^)*@-XIGIv^LS8dG4=1#tD{Rg
zXrzeJJ!Anj*ratH8kIo+nXIBRA>iw2&`!BvKHL1BbJhpj4p;x7V=geAldkn$!@|hO
zi1p3#&jV}2huQMk+6wlI7*^6t@)7(pswmsv_Wf-vB;`^YoN^bSVn?((g9o2tg?76>
zCl6wt{6BgD#u)ELlMQi4(47enw%8S9z;W?G-jX?}AMbzUo`TZjrH?XJ#h~kdOw3Vl
z<bQDZL(Imda(kVQgU=SF*W;kvgGqhAt?ysieIPQXiVWkqqpOTb1aXjsU;9z}-0$;;
zg<n?R5PeZP1yTMNO|Uc0|5ty_T?{O!*Uv!sR!7zH_AF-iHW1VJ<FVV6`BLpuyyH$j
z$5B7aEXuZZ|Bp!4!kOXr(JDgoz8_wtsyG@829w{r3H)PUYWIxqAhTYuu>PhZ39nmu
zuteF7g%tD3%mzK<skv;{jP7uh8N}cKH4Nu3GjE3#L&rL!ssDXH5<Y0-&>6#)`^wvY
z{52gk=vf(@e8~q3Q$gj~lY=J`Ci9#o1n2#UTQ91A+U>y^D4Fio1Op&7t1fH1(2vS(
zO}s~w!q;5E)L3cPUG)3P9$|-@Hf5gvZyh)5uEYxD_`jzzw&|TW93-9a72Lai3=Ikw
zgo3GEP+Pnl$H;l3Px%K#KYy4ZyAau9Dg;@&qiI}%$1T(w{tb54%}F%d>V-8}v$_lW
zrws7K_MbrY8d|oL9a(#B%JP+ufz6l-Q+beSi9fo1dJ-Neq`0&gZ3bO+`~uk-NI;Hq
zkN|WEIO#afU?|*q3VN)fE#$v%nwZAS&~va;WiN+@<nI_B^j?y6RhQ`AZu7!%C98zv
zU*eBbcJOT7$>PG>AbUW%`yRmcJow@w55WS3?~~!dI^%G)=06Cte{fpbCf7}>hSO}=
z5ngNxr>|nYP-j+Sp+0*8U*D?|xj2*0e!D`w*J`rk`_y*4U(Rr{ggHp80b>Dk)i(Nx
z@}D$HWBB#E`%nRC2amVNJ{plW<uHkP`VW0yia=axH|4dUYpK?|%|-ZdDsHQ{y637@
zr0_!rykLIBfz$yDLe=!Gf(*LXJyl3RbT~#R(x^bL2C^kb&rGP{U%NGguPj&o-B#+b
z0PWiQQ)qW|!<<>`)njP+>ZN9=jEkcIL0y*4EbO4`6ZJbZ#lCE@^;X4Er(2kp-*Gy0
zlD6ARkX_3$?g!W@d;nCQP}uc5^*$ev*2^@gUuVCeM?g`GAncNC@Vw~YqCj`Si$P?X
zzHZI=F!%c3X@C+B{9lQuozOpzsdjRgU%9;)956M+#sNm>%xHZ&38~{VaO;>?iDj%G
zCAlnNy_ElJ4?uZ*j6y#&@Vdi*6Obj_N(54i&gbEz|E+d)=}T{(xAjbbYHMKL^%e*U
znv!3MBMHz!?klH8(T16eJ?cN`n*akS<)Jo$Dy)N-Tom<&8`8k4NJMVF=*|3{BHzs}
zNzw&*xGfP-QT4v@8R!(}rIdBeRm<hmq?IWrU!FUud}(_yT87B|r}C9$<a=@&nIH(j
zrfQ(!r{3w{1vRkCWI-<RUCQ^cs)UK4FBGhtJ0H(yOzxXlwm5F1HLUH9%61OVH;yAr
z8~qtC8oj7dB9n1yI<)c2=arZchf!Q+P2xk3&xbr`it=8Q1!btS%%CLrYTN|9cB4-b
z9`{2gYZ7uT9D{noPv2jxKQk}&(C{K7F@OO+Bjlc$qg^HdB=V09cVyP%sc%%5s7g&C
zM|wN<6MorG;o+?62LHi;YBLW51Bh-Omm{S&l$fQLOMs@aQ7d_i<PD;2oyx3s!aeTp
z$Qz;$kKTuA&irU9?|$y!K;tQK`l0+pCVMMETZzZ^IhjaGNT>^=@=HfJ4jQ^USl6<D
z&n$YgpEw$;lcFNpXHIdB)zyZohbQ031^-{DZ+C8FG^<WplU$jrFP4vwF#Ll2Rou5)
zis6N!SJ?5JPj3jCaNN`ffPiEsg`h8<rQ8Laa=y_`epN$hso$TMn>}%1u7bIe^ecmj
zVEp=!pT!|e=TEI(YRyGhHINsFV?Kl}Vo04V$-6i|bQ*eN-ke#%1E^U!PL25{du)B0
z0+$9VeevGBq6XI^R!2Nb()hfon(yLDj<H&dEEob0ij5@U5FQe)4k8)r?g`;pC6Es`
zmqG=fJqDgL20LBrI33*JQ!*>~jR$W;5=N5h_btTSBZS^EHy1GdAJ*P7Dy}bE_bw#3
zyGw$*y9Rf63m!bUOCWe~3-0dj9^4DJf*`@&{jGGLK7G2+zwa1#+?P=w_6KT@U2Cts
zp85RdTyr<HBowtZPDbl)3cIb%VJ{{<Dd`HeX67OF+RJ#UxPH75Cn=v7(Q-yh42XLX
zQG0id2rY^x?sv}rLweSEwCLJ%VTD=pH6#%2LCew`W`pxqxW%T0^=c>`4qDW&#|FZW
z`Y!Uz42a}x=e@L=)blTuwUbcXrgdyu=OLbkpE(lXj2Xc@Lmsq(Qnf6XFUw^fxoPvU
zn>zXmK97*1XwX(f9>p+LUWzjPS|gm;EW+U7TMV=SoSu+to00vnMu)bFSZjB$4wqYM
zb>2JMY8C9D{|5daGB{vHuQe+81fpmKyg}|xaa0le>k!@Ot7<mS!MVn_t2r05FJ1@r
ze){k>-RL2k)LFcbYc4f<-mdyB<Zyv=lQTnHhA*CFMuZZ)D77nMu@2#n4*deFrNFOf
zJ5>5Su2((JMDrylph|7wvTrUESrB854~N|}vw*Nb|0dg|RPLe}L``q-m1w}JGG%!D
zT%d=VY3H{j#l?Ra_sJ@tIhtNuE=4YGEmp3$jV+3@cSj|?i#XdsXiIKa>Wp<_HrTiO
z>F@Ey;C^OR#uGByinROPRmVylJIW*SM!XHXgLR~uo)Xn1mICagKJQ{KCE~Y(l=qsp
zQHmbSkl6KI`FoQWb*dFSt&0^GvQkY3ij?0U74-Pz8{B1fqLA{;-*jw(GQMjA#B=9p
zu<&!yF(ji%x;Q)6wKs55P!0UG23ehdH2EY4#X+Jy7wiv5JuwT8pa<j`^6O>etHCt>
zo(|u#lv=2aY)e)rgJ|-D-Gg_gMrNUD!N<Y69rTj9_S!B%H$~Y6^hC$Km_WXQerY=y
zwqd?!9Cf%~SR+Xgy!S>mb8%d3brh)GU4nX&Os^BUr*pbr66?sKj}CE~zktPu3*;bN
zf-z{r1@Su5e9*{V9BFJ1hA=RoxT;A4qSojRB105deP9?L866)Vmsj$0xtQx707x!`
ze9v(9hqiA|zB~Fpv6{@=+Ze{1PICEm!~~G|TL07*vKUClTz}b&yC}6rPc?8r{RYPy
zm$TW%;MABsv$_-};hpfUAtJ%y<p$h3Db;?k@A?O)T8hx~?j5g~ABLqq@<x&}0$DCW
z@G}uSJ_A(%#V;4HyLbFelUu-qscNLoL^-qvNBW{F-j|O<cD-d9R|XtL;?>C7#8V%{
zM?#au^?f&tSK1ika=Ro)sQbBxcF{Gq>%I%(C^h9l?DH^3Xs@OCMb=>wsC|V{_Ildv
z4gq~l=zu{zDFay5UhtX#R2ELsd3z2{7gUht1ffOKFgYYR-9#hyn~ggUO5a5s674>s
zB>8`ng}Vb!EQP}?T97v#Di4lZJr1&+1_tJ%2sBkzK8$ucOO)>_sgBc&%hp^t05I(|
zy`usppPKnl9L?aHcFSk9rZ8mDTZO_ArCHP_f8|HzZCKDT%mBp+0I;}`Y=eeasPC#V
ze~l0{nSxO+4i@Qy_r#dH6{UD6@X4}3D)rUIa#txO7M!2p`suJaB`J?c+Aioglr_{v
zcdFt=5seBX^mUt<L3>)}<N^CljXPSH_Mn135s+9Qq$EFo0u<h9h(Ul7iPy-SxE@!S
zPX)-rBx@F3FWn?&y3~Vvb_wpa*84JQizIv8ZmmVPI_>qNLACh55SJhmJx3zofFC^$
zX6g9SDdLs<Ot-I>HhePi${XY&S4x4}C*%r*#6zhG{<E<KQq`+|T5E&Of%U0*6gR%C
zfC78cWe4wFD=RAru#uVOSTKW}#!^@R0l<KVCmRPRt@~^J)jacJ_AsD**7DRAwM+pD
zG8*WBIixu}5iNB!Xn^X+*m$;4m9R<Il&?`q${I>Z@Bo)x9HM}Ztv*#lLkRdB<APoQ
z;8Pi48N?3mPBNQ!G!j927uR9mWD>3$WQ{KJ4}89<uaBN0GLAT|)Z!A2#dcK_(14s$
z?e@F*u<$OQvrc6C-<+TMTD2Xg$H0rE#Wa>nMFj)^slvZ%c<zRT%fDttERBmGdHv~n
z-ZE_Ue7kdTBWB5`T<VJwwt;H^$A|2wT$Hx&F<&c76*8*tEl+Oyv|y9Zx{?;%fK}Zg
zuZg(3+;s~vpKUVr+bM&*upTYtex&G<LAoXvumr*OsLyVe(0`uZG!V7^ir0WGqW?n^
zt_KL*X4x;x^wAQ3kc|Ku3Uv5=ez_eZd=LAjSS2ky*P1LpA*M~ElSZdBsytKidIr&v
zdpZ2uZI0-hnmDx>_*eYiboL&;t7TyQl5uJWO<8;7F3hBMwlf$0?m&x4aDsNc?QIXp
z8`<=t$B<7>ONR}KmRHx;;7#qGIRX>Vfy-P!M)0f&Ymkqg&mq}&o&QTkYn%CG)hifQ
z{^&KCjv%ws%aQD9cqJ2e%R$m%{Yw`bhi&Hy{homV%kUuir;QViuYn<1$!r1fX-<_l
z_))n%fZ;Yw!ncN{(V#L+Y%9^_--?QoKeta-PZ4fTGRA9{z!&{TWYS=c7eKQobHDmW
zI8{atqkC-zZ&h2mtOpBvYW#J&QSeR6nN8Ev)-8Tg@M8`vdP7>;`psCWgtfB@URCe%
zW4=R18J<q?PaKr~d|;f};q5q_t+f2+tiv;<8LH@DjERM_Z~O4Nf605LnaOB%R!d`I
zfvXXM;|^4BURYK^d>)EUZ`*2fdXpKWZZ6lzpw(?dX466wT*j{3O)kLIpjJoC2hS-N
zPFPWRyk%4l4Uwsj;L*OFJ`XC8PH>jhy>c1*&l=v9@=p!VUKNWag}Vrqa%?6wTyoPY
z7$@GI#@HqmMca`A)C&eaizHGL>o?IEmRN97c;IMZlJ1D0K|hf9@N<HL1zCcwx60Ch
z2MAHL4jc}sFAk`^@1c6tBgv%IptDz>-s?9s59#s#(e6O93H*xNKiUl~3ZBTZZ$vZg
zP#;?7k-m_!GYjz5hQ+#eQ5+3_W=i4b4WYiGV(C>9XgpgoC7IcuY1OyS7VWxfdP`t@
zjG$Z8%tZ&j2cHn=`Mi`S$P9f+%;kRGDp+8Z4>J8Z?Kax?yu*)M{n~kGu{L(YZ{ecy
zR-l2Paz2%e%zrg_?P$g90DIVtd}UiK3;QuP{mZYp38*V)_53F9W)t7S#uSUGfZY|J
z8>2+4Yzjv3l|ur^q+7piq3cy6iJzTj`0ATovtN0}=T(R~TNZO={LZof#}a8=ZR;?o
z?u(Xy`v)XAV$QR^5!X-yRC$(dVSyH==lzoc0f?c7n2kVBLpvLPi0?EN&VlsK8^f%j
zPJmBC!+xv~{%3fxzAcKVSTj|t>-|Fp+2DY9U-wk#=HqCmOKx-A_5Shql9~SIqGrOQ
z)ve3iqq9*S3zXU9DJK?HKwvf&ajWB7AvG_g@|=z35xePV&H@pi%JcDXo2$xVJOV|}
z!r7*P@o51B%scM>z&?;RbGV@c5oca<Lp0@HAwM}V?>WR_;)HcMsQXSt64yPGa0pW`
zTCm2Uffn&w_508m!JkL1Tc2sPi2ZH9k`1H2Tg{QX>*KdXF)uj0;%jwlX2~g!G$UzJ
zeT2}QYq1LOVXi7$c3mQa3izImTE{;1g5GkX3#w-4a?tw?z4-pOt=Dk1=bL8y2iLw?
zoYP2Zy%~T@2Cf9d>4#Qre^gR*oZn{V78Vvo)WU5ZhZ`n<4>n?wC<FUFpI9L%;EQM5
znU`u^aZ<8;{LJ?Y^#g}v^jKXd4siMG5j88*&hj4Kd)f6IdXSLI3N=t{9X_GVF4%=5
z-EhhZ;dk*eRX=7ijxFVfH25Ag)9~lAV&ee{n^9kF_KA5$Y|f{v5Mpr%vp>L~nXh-H
zLS>xV6VKPoiGiPoprVpNCTa8+t_p6!MiG_FeEp5w%NS+&Um%jp^&Vw*W!Pc5iLn;%
zo3C*40#e8|T*d@XO~Q3Mj|V?XG0PPx5Kgm8z57xV51i%yp?wWw<pth9{^%;7SkY<f
zR%h{LfT=OJ&CIkWC2OvFKDd&5Jmenvc{$ALmuWNg>C)Ab)_|aF%+HJ79_lY0LGKXx
zN(H;O{0|2&s3|jDgE0c)=k~%&+YBB<Gj3Ik0n&A4>`7UkjSc@dBKzzSOQDv{-yp?*
z0=c{B5>JuaB^K~In+813y9j?ils*7*$`qJsU;^e&K0Mh~Kl_7qHNFg!^7&4k8Vv?H
zbGr2uLuttI_s#|f#lg%`(*}0)MaHIW5si#5v$u<eAh@5;bduf|z-0uYoTukIihz(f
z7$`tMseK7dtWm7q=rJ$bXWPe>5=4G2!zK70YtBy=`vS0sdk~ZZI&+z5*z;LUtz4LZ
zfFhF<kk$vP$IH$;u8JRvIR`r?1ES5~l?(P;QI4rOGT_sv7iS5s>bshUpm~zZOp%=-
zQod}&PZq0<Nft;VX>n77%CH85Lp=*~RFhg+qslWH#XMhM8*(uVVCHL%LB-WVVrwC!
zXPvKpKY!~9270SDSK<jWH;O<XGRPRipazr{^{Qx1=k&G*&Ox$%rVnUgsYDAXEF3bP
z*5H4r3cF0gD(v*|c$t1YN#Pbp*;LG*%lNxy>Qo+54$Io<pSa}37>2cvC{i@QB0pxo
ze?<PXR8E0|nT)l2Q`p<H^{!v2Zz_n@IHL4tB8!@QnHhYwWG|zI#k|2fcW?T9mNQNM
zkv3k9FuU*^A&^jHM~b%3vnFywUfw0`G;IG<bgM0|{~z_UQA@$<Z!S0vC(-V7$4p!R
z)OAv&yfHaK6bTMm(V)T0zt!O%3w*={m{$MJ*BYIE-!7+zg3JTfPoWCX`C=LVUO?gO
zq~jW%p09<d>xU4Md3Xe(X3^glQd!3c%YC3$Ru2Wkb<9Kbp!F5+w)Iq<6ve7=f(Gx5
z@fk+JiUfCN(2Ziwqi{;k9|O#{1ReZN(ss$;<sm~X=kxT4>CAYzfjU0NX+fzyy}LN$
z`Nq4RY1?&w;Pc1{mYk7BOvz^*u@wdN%;_);T3($>n6|XD^=Fvx0<dXxIZuB?3Lw&t
z8vkBllGbV?TTiww`a3bkAMfKL-tF+%hxz{P&~|FGeef059huwW)dTY@nY42o&ZfIl
zHyrNCiK7EJaDd-JjoGpn?x;Dbl1}9x%%vRU0^d_r2t#zVf>h;y^TQOl;9+}!1C@%V
zWvKzri5<f_8f+F%M-r$%!$SAkK&Ya&G>39Xd_f0_tDd-DOe0NV1#)Pew{|l3NqBpA
ztOxy@FNQ7`gnpn3yCNk*$z&Vv;!YXcy>+}z#ddq;%)ZYcf%n@g^&KL)+SwPsKJAgV
zXM9Au%xr$iww=+M(~fsF<476HB<lY_NPXfSu)ki*>1_x%U5O6ei*;=j^k-6H=dt*m
zwD4MPh()?Vb*vnT-sX>KMOU<BYj-f)O4Bb;-|GBRW~-U@WTjr3jk8YF4@BUcFqtyi
zJU{tGThF<jDPiaI?*5C=+F?q>I{o_jp~(<G47ASs)H3|XO2cZU!3BOo=(9$B_?2Qz
z{b8~z6i4yscIu!^5f;!l<mNk_9o#V<IM>n>r|0Y~f4g}m7`xlDy@~a*2fG+d+L@V1
zz4_zzLXTytoH3M1z8kC7#Kxu18@=Sm4Y8nmG`-E+zYDN-SyCcV+q$67+6{Q`ZD7^z
zsTy;^njEed;RWdeaa<-kr`P?$wVSE0p1zRFivj-7xbe!R4vHj#$azBE2kz7EYYHhq
zgx86!uZ2ART$&hlL^iQbGt;52>R0HcN8$|X@l1}MoJ|XD<t4%+%9*36e95`^h1#7C
z7iw|c#Eo-Vwg01q?mkgk{Wt&YO;5>i0}fiTu1N!BaIMnNI)2`}1NdHGwN7kiIK3w$
z*6M7Z9dr>8kOF|Kuy35#C>cvi{AX*VUstPkU-(R~n#>iyFq%vjh5D#GjtGBLq@ZbG
ziqt=`yyoIEnE^F>k^GA|)2v5qrS$amWmJG2`uO#Z6t2>X9?~Z>yW!znJaoMOKfJTX
zM!h-yVqz2X3ywK8hXt~l{3U@vLpfx@z~EjOgt$(#!*4)wyPi~|!z&I{S{^|=nZ)&K
z4d{9fQo_}Iod3^^d1UVG6f6kW^frGe1dCNQ-K^A2#@^&@<0o{|$zWl$ui<+o5DQfD
zrW?0X$@;>XJYX{xXh8g#pi<s7_4kYXZHKgHoW!9kr-mgY4ZgN+Dv+r<-k$SiadOmE
zQf8ffz*}h-VyMr4AuqR5*5qU1s$!-z6o7?ri~HR2Ls4+ddRB|+l&KN+9gQHy5G+)7
z&jkt&!+yc-bHrOI;ZSy>%L2A6Kvp%Iy6DjDfYfP4Dj0%nq-;{r>-RhmXu7E82As$%
zq77iUI38#vcHW%~C5QR)_Q<bH$a9aIM0Gw&7jJgx9D4h?*dXUQO)(yDPrwK*%JR;*
zG4y$VnwPH(&@;9fo=cfu27`s}qPbfpzp9@O55RbRG66`h3)OAhj$Q$Q9*`?h287Ws
z>7(V(D(^%^qAK|hH6_IN+9HMi(n%-PRf79|sNblk0z|azdm)DDnHY9=v10)Qk_6zw
zoT9c|0uet^d)oTF;hfq7n|!8YeNSU*K>2(?YVH+LNj7XEmZggON9{R|chl+>>rd7{
z#f`e|Kq1&y1RR<A6+8+i=9T}DZFWBHK(Zf!V5fiv$SK#ku}6lN(R%GVYX7kshyoDr
z6&`y|7O1~8dhnLG*X*#&%*`uDiM80NXPpyGxnQkHy2>B?SLf^GZGG}et7l~`cXno@
z?RGY+l}&EnA9H8uFKlvENzyA=x{9#}0k~8}6wjHA$FevF{IDh<a(#zP&_OTFh!)fY
z8HPBE0HLkxMFeBem~a+BV<e-p5*fOPTDjrpDYgSR<&d>uQAaj&f#g(x0Q{A<V+4ZZ
zW`6|<Ofm%*av;!Z1<jPEt?kp?4yEyGQ)sCCMW#QmQo*Y;xMQiVP{qthDJCMYTHh;8
z?T72zRG~AD-BYu)Ivq5bxOuSEo#H890y4mp+0Y_o7979oxSMQe<LL3pf;&q}5kU<d
zfFzYM+Wqdf*<2&g=~s(Lkz?8j{H-<?=mkFM-ZiVw>>tlZLM=-zoOYo3vwIzdTm|PC
zAI%%`o*f2?a-l#x*%!lOaa=bfLL|;5+Awy1{%-w$*8XzAg3^y_R>Gb~w>tI)96*zp
zXV1;EF<LqUf!}9Kn|4LYPvRk2rsrw3omf@XX{@v?$3_d)VuMR*uWTmqnc-VUf?wIW
zy7wDsey;z>dRV;7q@}VC8pjq_atpQ%w_K8G1Xep#r~ioxGWmRXTB+!C)>SO@{-3G1
zLFJbGOr7kCUc8}trm~<{pEc+7JP|bICo|z`b%+-@us-Mh0(Xv~+DmLW12R(TNDZRE
zdz*Gr@a1iA`~HHD^LK5sJU1|X3u+G`WEXaL-xV37Zh|2e``e4L=WNFhooQut+u0iq
z=!53(f#v@6E7;CmVswoag^{%b9UL_E7+Ha1h&+LV%{q;XkDTS?z4a|=_ZcvMjAsCt
zaTo0;a`@mA0^wM~$>9tUV;{i_8+7$X*tq(WfdEGkdobAqwvYYU-+BDa-@<`F4$D8!
z&7X+u56XCT7C%GzzO!I{4^ofwnE?L+N$1wJ5mo_J(CgEG>%V$glRC8U#ax$ZjHmcj
z_L!;7Z3o&gkNDq|C8>As5773CK^Lpk5U!H_!N_OD*7fD>Kf37oq<^~TKToS3*YP;v
z>`-B+SG|E7{9nOyZP(AI$8#Y;a*F?0$foz*2nE&*x;4Y4{#siLBp#4A(pF9DVExa&
zG7ME7A(c%|wRic9_sOw*I+)Dq;&UyNSU)8ZB7MSjVRX;-BHuM^n_dljJKt<O&u>n+
zgeIC5@<aUX*=TMl{uij6YuR<}AGH8~uz4Vo=f3zw{fDCk2?II0Sb$!4(ABrr1Q<N5
zH6%oYKXbyX({V2Be_Hx447?iws`v(LuJ%Mqw!F7JT{A@tXk8IRLbqtudlC7$`ZrWh
zW1LN*DW}2ilSHG^^LwsNC-%l7TDTgdO{#sW;B<$)s1fOSqx7t#_K$?5hq#L4XQ%l8
z<ab3)=~w`=4y4bE)BImdggavp@#~HUUU?&#FZf|>)95u0=l6vLA7%#B-f*DsbO_m;
zCjY{i!@@+ulgaR8f_!_UE9+aXcdqEgn0GPicF-wFbuk=od_%2{n#4mM2`ICXHi%NR
ze5aDlk83^Zu#rWEJXL;fbzSQr({ug@E1h;JhwwSV`Zy44#-ZP9Rt*tro_DknC5aUR
zoTH)L7Y6)K#Eoa5l?_iP^w%2tKZr5eh%7W<xU<bfbFCaFh@0Vx#hiOd_@4qz8rJjE
zc@AKMSyb!r^g*sFTQP$#?yoVnETfX8K`wL-#f_&)nSIJDd9klL9w5Hr5Uaq_zHAa&
znXRUQt#GI+MT)lWXFcwo+jtT`X$W4=%h8#L-R7o|dfF{v>AyqjBQ(H9aWENN5g9l$
zL`w8`c`ecQpV8(^uGnJ#Ulv$a9ZPcM_X=kwAO9&ipr=0NUHqiAOX`apFn`gmo8Eq#
zw|7}yCH}Ds51`r{bKKl{+0fAN9^6Et<gk<tBA{w55GqznUwd>cKN(zEZ#KPj-Kc`=
zR@G6188C0%Gd}H!GB*V!8&SWb8u3>q+Uk(r<{dG;4fypON7?iYhEL#@anNdLn%={x
z(IMt{LcTTv%~Csre?g0V1PUj|7AL4q(hP`>{Xgxc)xU6|aD5s*H2N1KUAA8aRe=9s
zi{v_O?lX>?w(`>x5YRCPiC$7q5sWVYC`yBoG7t?BaG6)^qR;c8l(1qZF%)j_d)h^g
zgKC+jNir)LEl*S>)Z)+F&&S=eufv2t5e<4R4rBV`pE&?RTtPmTB;_;9<+!kQF%|2c
z<gXUj3&?wjqWufyod`DvbY5PX{ZN^DVWd*_-(Sd{G^pkOr)b_NDrRcO`t1T|Gx{o?
z{FyTAKd*KVkSfUw6Og!az5=@{wLE$nP8~|$i;?_E8N)2|Kp(efQYlYQ&#J;GtEyFL
z*a7jtA$J9T?S)cgrNEAQ#9vxwuxu{3+Wv<`?x^2wU=h$!Uj%iaPLJ?|!{U`Sznjh3
zf!pEvubs3KGuNR_PE&7MeIrg&)lW;^6-J@oYv<pzOLV-nsm~0FF89=K-}G_7uXV^B
ziw(^k$mE!>bak79e5>6qs%oiP^9NpzoLFO9MkN2Y(6&+@P*$r}XhIoGh$=%$-a;v0
zPm_X`Bo^ksMX+c;Ilkh9Y3R4kT0;!tnX~k+^KZl5e5>sDRkd%u2K`Z~MxOsk1TWXg
zUe9SxZ~GBfPa_grO^I|(uK$qS%Ya2h=m&cmCB7D0jSl4rYw2@_Dk`Cnui%?G{0=lC
zkw%1qf`Xg&JjeqSzrR^DN`LJnffg0|nkDEBYI8+AIe%!VX&U@za+o{lZ}RttH2>cp
z{3FTyH}(A6*B|W51yycu6igqNzw@SwaZF1mw)s<}9HGDFJ-5&6W%w;Q^t71j#2*UF
z)G58%@455v8s{&@)-V^PQM~!h0pU+yTJ@P07uNj;W{M@C0g2s6q+A@wHu$j&-mafP
z!^R(cCGTN~JwKFO`A1eM{L-A=u+hE0v5i~vMNDY&@UHNqyJxltXXwD-5quQ9pxk{6
z^jVilBw?xrvcntpJuJDXn5Oxty_$;6fArInfq!5eu>WqIO&Fi_!m*+!)Zg@0`XuvC
z5enx?HRMHJ9G`nqn2xL~vvsq5ghkr4Oc0C+-myoARYom0gjC--Oc_D)d+++^8NqjH
zb*6^+t}y@=jm9vvaJ{(|i__X~Snc?Y_o5vumyHT^X+5z{g`a**yZw5-V%3^DO<O<d
z&pN0_DfT;ADcE_P+-`thMLCW<XB76@)G3{Vj}TVi!y?4R#dUw#I=xt7CGVZ#JOUK~
zbS^(HwyoEeng?DJdM}>&jZ+J&`NiKW38UX*hnO~3UCZ~D=X*03ArdBw=H8?@|EAg@
zjH<27XnG`hP%YEA?Y9T_qjz2%-Gh%p$*3;W$|p+M5eC)o%93Z^8p+MjaDU<+Lz<O0
z_IqYl7_t7?()p{rH3gFZDY#(&$aV-@=s4+Xan{A^%P0g|7t)=9E?0?nZzc6XD(^KD
zgw5~kMf2Fe9d?_PldeoDpcMhJ6vK~gs}XdWY%4XlFXIK&+bC71m5NX_;iv>S#!YU1
z2l3d?Ukwn>ggg@r?K!z>R@3|UvZ%VT8?u{>djW!c5>vZMi{JGp;n%rK8zJH7-t5Tz
zJUw)Vd#Qt=A*>fbh`7kjTk7Jd2E{4ftHZupKtZYWI)F$bI=B>Wus9`}hSqkC^g0#_
z!fvVWTF!XP9W+iyjR(W^8VO~q*P(w>FKc;Y-<|!VV+lVfh*Ffg-<Ff|AaqbkE|sJ)
zr_&^p(!_pz;WN<Ys*gN50sx>|mtxc@_pbb5aJBl=Nw>6{394X+)odh#G9*3%QYZeN
zLu*+(K|`sr+7{@Zc+_>V7%xkF*)(b@f(RgsBt8Ct<8<L!HQeI|YSZy`#WPxCwUWhw
zdMqN=%{>2pn{aiUYZ1{9vg6MFNp7|HS>k>l%`aQ?PHC@Is_Fo%yR3<wCS}aVC;n~g
zJi^>xh=xo$q$}zTxQrr+Wl_nymOMdntxfBh<#4W}YO-3p2`bM(4W{da(vm+YmB6P}
z)?K{(ebyB76hu-t^zzV0$(q{XZMyf}sD0_NcaRS`nA2>Dhtjf_4S&*h_`RID1T36U
z$P-g3HK4E}H^ozgE~5W7nzNiOp5iP!>eYYE=gJUhJ>8K6p??zc+$wN$+*Y{i(6Jrl
zhPyF<7@AgSSGCbZCMfmDI}}7`*T~dzRX^OO5Z2eOhsz-R5M5}qvRo95*KjoXnYh+}
zo3uhofsPt|H09#(Oq?up&8?L}z3lgqgFJRT*6%{JqULjTbK(5K1CsSBG$*ng<o2qI
zRk{>komGS#g~hzbAg?itGff6S@2nTwm3{LP-`5ZQCfJ0e2SbDoOKAg%n<vXr^llr{
zj5v;dBqT&zHVT6ic<496{PU|Z*G0h-EFI09E>{EGg@1rPt4C319Av<~?^<%9F)rww
zGH1qf97u+WxKgixX<;a@)kazqQE%*Gm8hN&Bl<B_sf41!szCvQ6lbKX!<xdbx&=~K
z_E1quZ-xG_z=bR)D)1SXZAY&%+FI4gd9a6-x{lIJ@cfLKl<&c;N&NElnPVzPPXbyd
zez*F)U~7=rHX<d3$``xj?O|Vs-~txUn3$KJ{j`vQSVh@LHKa|9GSZ$!`v!^CvlTYM
z;BP%Y$-%}fC8%D~0TYh8ZVltUZN9KiH7(XmC_O-{c=$HWmXvUyn@^d;mkWm2fw%R>
zo6UEJ2hu|*VosSw%BW^|`-&;=^kd}7qUW*LXU*2wRR>eZ#P@OYhw@KE(o;zHULj{0
zrenM-*k2bFZdc*YPL`Gy9sLzPnV@J99_cXQoaw`=^f6gb|A2keeJ298kRr~X^3!<+
z4+*(>S-f67te0d5Lvc;sro_@TIru!6df}=h_|6m~Lc3>M{L2o*KXxrQlIO9%<MJ;r
z?0rhx-_B+6Y`*JBbsTUaP(G&vjtx@o`-H@zS!SoQec5?!{&;C4a*p}_W$#p&#o@Ba
zvQWJLQf;O9S))LUv{|_7cZ3Xr!47v9&-U;S2tU}3<OB>*rm|LO4nHL)Rc!=8zsgh!
z8S8ju$}BKF7(=x$(&%uji7)p%5SFHZvHV(I<~F=Gx_(>Ej87>E>4wkQcSgm~0idcA
z^gbe(vtzw8WqZvT|KrC*U*o3!O-^`o<oo*b6TfazcEv(?c;mqXK&bJmVG4(t-Y9Qb
zT~futxl4vGtCoC(u)f|FaIA8{RyEupJ1r4%I2AnEztM4(YtR=X$mskcJ6Y9uQTL2&
zxESkdu-hHy>VpYvi+E(KciBu_O#dm=TQi?XWsA4P_NJc}fL27D$@Asf$f~fq8Tn)z
z--%L6Jl=eY8`T|w=Q%<N&0OZ`g{U~go0%LQG(ko^<$8xeDSmJ@Vd%#0fTaQVi(^j{
z-Zg;^w{Vmi*}M-XuN{b7P@K<W<fa-gobrAnV(?Wqh{4b2GCYn@D^zju@O0*JKK!X8
zVh;h2;N)bbeD-UR?WZ!`G&KhDOA^p9mow?7z9NXRnwWA=zvp~Zj57ArkWS(oLvSKk
zJdo_+5VH}&SFa9$$H=$*S|M9Zdq`ko^#YvLPnA>yvTM?gG2)CI>Uaf(6@mhj-A?){
z3j}JLCa%q2iFxMr#5r!FPYvX%GrZMM$b7snoMg1_q7Uca(rG-f670G9Dj7pjY%%q?
zw|B;rA`|tTqnu6)k|Wv9x@Yir3KA|^<S0D6>1U@0RVA#i!Wo$9;%Sab=9-h^He?eo
zmF-64F1MPY&pfH+$IiNZ#vrBgw+Q)Bg_x2ru3=RkPj%-~edzh+%pZ`Y)$GnJOo#JW
zIrQ|(QY>)gx`2G*BP;HYHMwe1+O_5&?~>$f##td-#P%vaBm{%R9WEgjr1j>Ewc~kN
zh<$6jc0xHPCs}hrr7K4s{3{8l5HG1vltULVxLf{_D4=jpR)7&yGUZC>lqHLQ=x$Ns
z54Q|KlUoPlilybySLXJmp4DvThgUc6k0c6#7qW`Q?C`+QMK)dDJNuEmTBJ<Pmrmzv
zrHT++y)z;eF7!QW0U9>v{h|p#h^E$FG=XX^9VORXeh~x2&bY^oJFrL7V?8!8m8rm2
zkFTU4s`?(=mR_n!h0d0&r2MnGMNz}j9>MLl7)MNARZS-q3X93CHlx8J$@12`>W|ls
zoWjVMD5eC4w(d8g3DY(`8*>7MnSv*W!{w>EU=g*W+UuX$vwWqqRuNt}x(qopfKhhL
z%Z8Ok^&ERuMp6kO+SvZjH{#952g)k3sjNHQvA<AOxw{kSsl|VFnl`hY{%pHNsk(<M
z-*M}T>LdU}6;>#-UUBdtO9N!AMDgVeI=6U52;?*}DQRdZ1GeNp?XU9SKjXi&l$0AD
zi(#)Si{W&<Bakb74+X??Nj3@2aDhRlsPj$^nYCIN40!Rrow(JdVLLhFrk?IZE^h1D
zZ6I8e>)5dcdZ-O9<Ed0jobYf)76AqPmS^WbWN-rk01C)(8Io+}x5D(pIH}aul^84H
zVs{Fr;O^(136IK^buG0v`=Z);PP~Cs0am=xahJa>bMT)RQbpgtt&GmYuQmEJwg`I<
zRuS6Et*$>l>7JTpuWZ4qzVCdJ)D(cUTyh--27}XeD$)8d98fv+8cWwPm>)x{Z+M6@
zO+od90FgUGpc1C^80tadEyO1pn^HDfSNsC9=Ey*rr{5q2m1f{O4w%G(WGm!YPsEq)
zFKoXN1F8xJO3z`7;t|xe^_lXnA*{yUD4MU-OZBVS<ql&|mLa6=kRxcSIMey8v3+ZJ
ztP%S1oE$q}8E6@?Sk!ss!7bVhRDz+%Y^R&(TI=@0>cUIDQ-3OR(#FoGv7(tN%&duC
zqUcv|N@L3qull~IOpOdJ2cA?1epp?MCt9k5uqwZCn=6Ty2PH~#bE?=xd{ZBS1aO`N
z`u(m~FB|x)mro@3*&qO)<)i5^zgbN=&GESbO(7C3LH;9ho!lcgaL9lFv<M_gI`*)5
z+!=niY|q$UT)Cg-XZ0GPgmt2qudWEjw$%z|Sp}a}<@(wl#P#VyXAUDzy{fX<5>!7h
z-3{NVoS=I)D^a+^3%2K_5P;9;&+Rb>N<TXxDyi}!Vl<zDGUSCH<sb`|5QtMnL?Mo#
zt&VLI%+xy-b{C#G&Qg7gO=c)@=cLcKgdm2K8K6R=Wx&SBh@lM1d}HJHXFYp}%UK?a
zaRC`z{4jhMVW<DdzL)K5(tjU1<KRg+u%cyWhpjkt;cs_XZs=^M{aW7mc{M+jP9V}a
zMDiQ{*?m7ODFt!Sz6!qTNQMo#6V6)Xh24t3K2+RuF>I62A&YT~d445@SXLVx`&qH|
zO}cTJ$!7uY^Ld?K;}e8nx3ME3iSql|0>SpqC~J7eyb<%BO2PDiRn=i7<rS$P&?5OW
zWrst$Z7v8&i}&J&^801!-4&p^KHVro57*0Bv72LMbtEZ4qh02&G-G>m0Dv@lw{%5L
zZi&bV6fpUW$~{b@bS>bD<tP$mxxH#`AvR)57l(nK=B31y)@Xb|*<}7`3TYQd)`X-w
z0~!UHVj%Uv2e}i*R&K|j!ZMmBU7BqUOMJiw9bN>=@dCC>y!rI!B6d2H-ozk}j46Na
z_X)3rg7Gh(@vOGX>4jf`O-b~tF1qWVl(qVRHsThqNQYDX;ySsp>vefV3Fq-@!IDK4
z?o*y^Ofa_KR#tMG#TWeUQEa8?MCLJKd-e~T;EhDP)Re=#ypC&j^ny5vmXteII?ZMY
zXS8W^_;rdx#<XL04I#K|st=-)s@CJXBoC5v?VIsC!d*TOj(!@g%p+0!7Yl1$nbw6<
zG|j|IRNHfn@~j$DjC{9tsZP(T5dqM~UgP0rzUhj(b+;}1eCx3I)TgVSN%P&!#$vy~
zDK9k*tyT)o^6$`rDPJBO$squJJ1?_Eryly^0JX-#QWCwxMQH?!=-V>zm4kMWTsYK9
z1S2d$Uk7Q2m^!gzMX&^;5Omym^^khF4vgb`xAtvbsw$Uk6PQ-2qqDu<x=E;P0kJ#6
ztv(0FhBt>{RqK{{>A=*S0a*KPdW>*c;MN_}4{sVVg<`Kv`tBsNVKsN<WVa)n<=VxB
zG3j?|do#ovS>L~stnZF`WSjL+?TpObmd2eHxa5x5`FvE?hEAhm)W8!TxneJlACq`?
z+QQr=_dv~mn@9-Q>0iI1EhApFsxSE&E3MbHa_vH8(8r7e6q@oB@^qqPt03o(kcmA%
z&3-MpX<aNMUa_h@%w%q}cmlyVDCsMr$L3YYk#|oCXVO}U5aT<mThW(MAu-b1BrWc3
zIS-JHzV7Yh=kYnql5>eQrA0Z#54wKDPS+@l%f>?CoT{9SX}FlZH(F`BG$%|8dDfjv
zNHw>nD;C}1W{{hbrGM+~Cqk$7@b)?wpQh(E*MV=fwo_3549LlOs|UX$A(Zz$U?y}`
z57+)XGdQAs`VPc7;lrbykvQAVN9oqIG0g$Q=QSVfTEmnfl~K7mC8!Ho{hV72y>?0L
zj!R7>aBY?9IslQxIj{Kdr|n^YR}n$)>ip(ZN00J$$(7|WI9<4AUql!{0MFH7DM!7^
zg2n&|ID2=@=-gy5QB$;^Ha|-5A*(B$GX#M?GIz8~Dlne-t_~#laq;l?n)OXx-o_pw
zhkmN^t-OtuaNA-MvZ-(WHIm<JWjear$5`-$F-(?AMs}ou;ZwV^yjzBF)skk|hKMF;
z|L|$_{dSuTby3_ZsoDl3^7R@ug-B!N(f8msd4O`=er|$W<5FQGLX>3FX^)4el0!={
z`08n{`hLS1*C-6pF&8_oD6DlDvfCb&&F~9_iOl3AsEO>HxxvWOICLbH?4r-%C+42<
z_?v9Si=?dYA~h*`7ncgrO1%(A>nMQQK(i%=vuwK@pX}9K&FP-zhMf?oRNH9E@kcFv
ziu}4~eDk!B-B&9Y%hH=SzD<gv*K@yg47AQ%h5@v_h>^}1E+VBT>DXQ1(=10|_<~Vs
z(16KP6-YQyZoZ7~lfCXc;5MG|C-X(Pu!!q8@*4(EMQkW_ROG`_B?aYAp<|+@M;IM=
zKlcjAaZQ(QmrLs3cO#>G0cpxEp8UQWf~%*yF)!(-pe;lwY0wZaxc+k8ly8ZWfqQs@
zS84~Ejk8Ilh>t}MW8~LSNjEQ-%V*0%T2)Mmp0MV|6R33F?#~UONP1~ee0?X9I(q-c
z&h*mPl*GPDQ`(%U7732a6N?gY60SHbeEr5aT+##&L0ha)+;ZyUu!;};`R1PEV;G&e
zj|>1n+i4H)Hpx3Bmt}aQWJCAv9B|M_ux$SQsg_br62!u4wYRypc->d4F!WUA#Pufe
z!FJ|{dHLOVytS&kni^g9u;9(j`%D(SW}Fdu*{HU)4;#<~GF)-%1g|f#Gpj51D_d6g
z>s4^#rT&aDCqx`8f%9vy5<+p8DZjcRM>by|?9%oK%hE)#-Yl(O$(la0WRocbQeEzH
z)G-{~M@!-KKOXoGg~y<sH^MHZ*QCAWzybC1?}b&bU~91h$rRpMV8)8Z*7%K&BO<Ln
z9NFsnOl_PLmg_FxK9j>p#Qr82cneMw4yyzg)_&y3<ZlIoO7Lem1y(Eh?}y-`^M5-~
zXj;K6GSX%5E#ywI+1_v8xj(9V%=(R4cuG35>-DXhrn=byynYIC89?_HFoH<Rvk`<e
z21oryF}b~v;cY%CmxUm!zOwl&O|J;z8l?AC7IiN+oF6S;b_?!1Ye)hB0sqASMSZ1t
z)%3x|vSv2%H5cr!Mi<DTuNh(Y$tK*Ajc07D&nc%`g((?0PxAfA-Mm;lEk?rC*r>9E
zShitz$uJ-85D9<DWq&7A=v=`pCf4g<%I)96WL=!B*rIaKabq*MUBwIjCkC7+d<@i*
zx-*o2d)}`+4qf-^n<U=WttVVR$5eT?0_HBYfd7tg-D4J`;o+kv`;_?JEQ1Y4@(qsM
zhKiEmfeyz8-A^jF{b`{w4-~ud8s~RE7Z7gT6*;oAsW@d*n6cv(V$TFupS7}-D^oHc
z{j&@MaYNty7O9Vq<KAT^9${zFcqM3Ctbs&+b+bt1Q#H?I1&}GUu0Tmdk~`x*xLNm_
zlr$gAinX6BWQ|)Z#bWtpp6~!IYX&pbrtY!*z1jw6`Rhz{ZZ9?p4~Bx0f0}`i@cH-5
zitvWFVEK!XT}h_hH%l~X&%hmNz%b3`CA0<E&GqI-%c*P;9N-&sf2UN15FV@lC^V_N
z*2Z*sD~6-1aA>teG+{S;DG^{)ZK?|I$Xd8(0p$IfD=q{<@it&2`XQ4zgXqLyu!1L>
zDUbkJ$s$oU=AHPj^<kMRx5=yz#kMW4U0qsHvq=h%(N6PnUCHXQxus~sz!ZN*yo0Ud
z<Kuk+AH%t;2-R;N&Bg6M|DkDzU2PfX$6j^zq<U94l{O@4v|Q)CQmU~&UdumvC#$NM
zf_&e2F5{IT6T9K=NNSx{eVB_kP>VHAdf`Cg5ABLePkD(-oZ;AG=_$WJ{aUB%EDrJ6
zDP!ltitED7ev^r;S(E)@OncG+eRtxeus#_UMtd4ADj1|Y0w!8c69%L*AYsCn(6*%;
zXM$$()1ZnkC9U1cL%(c}KF;6Th>H`~9%-rR0!9H2KGYM;tHYTZGz~fD*1fayhC<$|
z;s6R}H?IwlS~XTIVC!1UkA$A&D!wTOJci*LIRkV}5JCer8t0@Hm+6kL{h{ULSFiFu
zzQ*em%!{IvicDR-LmP0?0Gc)-)9G)FzrJ>DF9<OV`#c-Ao6<|5nH$05bM3@j;gh!0
z`F9x)Psg6nTPotQ_pQI&DR5tzMd{6AIb<#1*6(6V(iF4QT^p4t7LC(k8Gc(Pw93<i
zaz*dr=W&}JAM?bB2d_Q5V$|8=$<m<g?BDn<<zZwpbqvOhLp2lCqa$f=$!6JjM?Cyp
z-x&O{56rhQT!h4=!|JEx@p+uy^vG$w+^47P=O&9OF;runJo2sz5_C-JzyOEZ{mW;c
z+;0>JRTEA`t!I@rZKVH=pZ)@}m=oc%_nd96I;r-xV;&x&xfFk^u$Sgd2IHMs$J+sY
zR@&DucHwf&%?jax1lE@()T@s~@|YUBl>fz-)YCBDX+dUCWsTq@6!6?VhU5%~QbN)t
z#Yu|(D_~j|OJ%=tY`eW*QWD5`PbO{rI0ASwUXA}|_E0WeEoASnKY^W4@Lz;W?&=Mm
z_z>IaB<Pz7MmY>EcmzgVjl8R+Kc2s)TCUnG{Vw(ir0Eb^wNh74la~MGo#(F7rC48u
zjX@!EdB#jEV4@^D|BPt(t@X|+!<z{_aCOY%Zg?G3x!+eL%ID*p?&AsCl$)^q55jUV
z+J!i2-{l~jOS%J}>!LDrBxuAU>6A(e?iU0WM{utw%$EC;gz|l)syvisF&?xaVWz^j
zlQa%Bx(CYcq5Btdb{2@JySv#XC{Y(YP|}=#X9j>@Qycv(G<{ahfllkwY4@3QDwdx2
zeLR*W(XF%IV?c_l=Ru9J9J9HG9GNtd^U-d@wMFi?#Ph9`wwAN98t^75GJuS@sCs2G
zHZ!M!ivPH#VpT(2<W=Fgp*gFLj>JkNS^@mW>UNKA{HD#4$+LQ|F^?l^o#*=<%n#gE
zD4A9B>-jh3n0KDv1o%12PS$OabT~pRY~*f$$0qP9=QLF7w%_#hP{6@?ll|aGN;Xa$
zplABC!=hm(3WqtA+B`7BBqA6?<@{V%l70`wsKb$*J6qQ69{nmaGwnMzGGSPW6;QR%
z)Lu(LU7T3rC^VqG_52N1!UAQz0l#PZ@Ni8fKTB%`v+%4+B6Fm<uD+lHU(~d;Ij7K|
z{R=&<QiUD6Z>m2mO4LVleH{)r;ykkxe&40((hn6&&^mWDx0713J2c*_viiS&QV6%i
z+5Hyk`KADsY)q<k^?Wad&HwptcqmED;Pv+N`Q!Iqddr)IJT)Z~?C&_4w*H!hvskWC
zjSYSWR#o!(v<LX*iMu#*cvxLS9LFamcU#BX?=hf9w6aT(_gCwFFDmYr5wHCjpdye1
ziUlRSk}#Zka1cYNrN+@mV%hK2Xy~dYVuIGA7$S5%soB#q&XZhh^%1JM4AiB&^MIVS
zG@C?c>PG!U&$p;aGV094P@VU^t9q#+T*-7CtqixVAunMxcM>pH#S4d&?x^}2*J-v6
z<3$j1-D)W~t?)V@>o{IKMdffw2@R+M$X*-`5&KgJEl$l}z}v6_{Gz_(LWp(di^00`
zP0v@@%FAX^&0#Wg%Bv`ik8;&T1da=c><AW2(m8pc2l{wh`^ky@aI+t%5X}2^^!9}#
z_JWcr?;KRChwpA;;0>$w{8ht=e`C<Fu$OSq7TZnYLE3WqD|Bq)?~AdlDw1Cv;5r2|
zbZPm^dkjEMZ6Y>ZU!-I)#O^F^Jn$ogSa5#<xQjBj1`mL2w4>EsZLZP<A_{`C)La+J
zI#Y=?`5#mx6HGN^w3-7GrO&$Ju({ii+fj7drZq#EMsv}^{x>>W|NhY&{AL^cFXP^B
zP=I|<dEaOws!iS}0k7?l-Xx=x;##b$nBz~S<@HwBp=E~*qN23mooeQc^Rg+pmYD{P
zVtKag+6G^}Fjl|pb5?cAVv~!SPU}RB$6U!m!2`nT3Vma89k$KREw8ups=R7ZHEhL@
zbs9BhRm%5+22|A0aFQZR`$ZFI$9@IRw++KlCap1(fbVz$lG?JhYHBcB&ryBScf~a0
zCM%xu7MhXiydo{FlFC;(?)eWfY|f3OvwVtY()tMg4`0(SbQ{~NsfdM!O>3vvD=Z2*
z0>4|n<Lg8s-?lDOZD(yuI?Z7IWJ5PA(fSWc6R`hsmH3>(-Q1~qNCGr0KgG@3m(|UP
zK!`3a=)=Mpi%3~1Dq*%TFFxf`^?xX}wm=-EsgEEs{6?lwvXamdqr*!tJL7-VC)CC!
zTr9b>E)=&$d3_vVXw3ltysmGmcsq186H4bpk(Vwxk_Q)l44j>AK{Ed*O);&dm5-OQ
z2ysHBWR1~Mgbam=-x_!6YP;N?*5LNn=`;^+B<MUp+#wGoAd-vEEh3})9VrbU2#XXx
zr)+Z_`V*36t%D>RE6DTa5+_-kuZ%4An12fjV{mvs#7*j5m|DD1aun5tBx~MC1fp5d
zMv|P5$|x5>&@ya=C+dFLS4R2+SGeigCK2zv__)msY}?IW8V^(xTD%)diLyzlu1rdN
zVsck!TX$cb?=UA$X>U-iblN}URph8c0z@KYA55A;Fe2HA%=kM(NYoEL9)QF_1I(o0
z8#rrTE~A_t%$GyBEORx+<z$|uSZ;2m(qAsj)OX|8h-2q{tsHF0IzAo7vQ6xNzZq1}
zkJZWiTqrNu>4%uN_LD&Z(U~)?M!h2ErB)ehPe>N+nPXBq_ZsA!RTT+A2*^1$_?QcR
zcZ2ekSb}?|&uahFca7DH%Lh{87$XYJX=O7oCW#1HOjK1d;!bscDq)b))D(?9GlAMQ
z<r?j5VSB%5WB#d9RVn`M{&IKdLBobz#(pil`S<OKIz5zZ>q!q6esPs~U|E%ujI|~{
zJT&vK%k931CxX8N1Jx?m{WRi7!eXNKYfTYIm1_<<v-MqD9pS{1RaAp|Ux%P(YNld1
zX_bY-*p0nx#cf=iuSGI)*f1)W&*P;#PUzhkCDzjU1d+Ms=9QO^`aV^7;>&LtKI-Db
z=FC*VMgK-z+Ie5LuJ~^bafqLq<azyQB}4*Q1b>UybtzC+wsBA4(MeJ<^1lgny8{PZ
zwKfoiTrnsiWjCPO6z@a_!=Ky?&2P@^w2$7)1%7jXyYBYHi1lglK5euPb<?fz>K9%4
z#ZHO*4TJoC3tjYY;DQZ0menZg@Z0inU6hYba1nVoj%@-7&N6j$*TUIK#01wt-pk>A
z>D}9rabJ~^8ZYwuZsU=<>%Dg?-FP%LQGT3EZJ2M0BJq9KV|uSlN5Yp{oGO|ht911+
zu?YZh^_Xm&Ue{KpYqL`-E+%)Gd@-=-9icO%#AiMc)<bS96_WCweWeLopQF@C$OscO
z&<et}yv2XLsJU+lgE%@ihPab&9$s8fAo3dO(b4zH49O`cJG|&7#zDG`Uf$vZqae1u
z@p&SHr<qQW1Ktt8-)Mv$%=-5q7=h4jlI>kM4q#9IO}N-Y1ATV*B&L)q1xgT>mmk&W
zRU~^=XCc`n%1@~4JQxf+mNw4y1DxN!c0J+s<3`<QJAzSw2VrPCGQQwj;O#zqrnCDv
z=(?bz?pN}A*n?WE)#xnV8kV)y8S|g<Qg7P?tl}8FRcGVLz%;raJYG6NI$S?{K_Dw}
zyeZG3P<TYaqx3%OU2K8E`CXA1(aE6VEY53G5-QX5=px|7-Gi^8gRZlI)n>86d$sJ*
zyHUWt?s|q^p^(b4gQ@arJv{4dN$5!C=8R$0hkj3#dP$u+LO593(CWq;(fMTEvZ)9-
zx?0hqG`5M4#M@B^;&XMa=7hZU5%Fuf02-a^X&LYQdm9^U0);|X*ugRRenT8tHjc_O
z4X12lZI#I@+vr^-I+wP|fQQ)?5ZpD<F)PD)L($vH$O$in@Qrymh#5=;$YfQsun%4<
z#vq%5L#rS1iK#cjtsOMnSUT!|PK~+V7k%{R-IA~`h+1oFJT_x;2S0#Ca8VSF9}q;l
zV4k1I^P3yj8wO@$zgp*2#wz7Ko41^quzC245c+Hr2m0KCNCL@>aQ^A=*_9O<z;1q+
zJ2;$5B$hdf%=qO;DlT5r)#7qPPJY^FdT{lU10uMF=x>!gR+F111mI#e@CUqA=3fsA
zN;SRBmebYf2itG=oV@uTf-_`s=I%JMX<Xl=nHE1hOL%trVs?DHsy%p*MrC(#tNo&W
zUdpC<tCrO=V<W8%6{N~(8w-XL{UNe93?tp7jV^)S{!A%jjjne_j@MS`<X1aW-~P4Y
zM{QAEVzKB;`N0_{<Fi+j^l6vy;_C)V-MQ@M_5R&A{m}U^;peBlc=*#Mu-mseVrAXg
ze0jEbJs73Su82l&&3yCLdWd}6I2&^@q9mSY*WV_tnDHbOjjh%?fj2rcXko117)@BL
z$}|L>Nc^muO|3IhVDj;P#aLRVf5Ut!10j4oKimgJ9`sEm*Vd7`9l`Uvf47;icj;H6
z<B%l@ewq@ZYA|Sd^BJG7Z?|xNs<C{m=r1)oAW(Ml-*a5~W(RvKai2^ocwV7?2tANZ
zMH~?o85!B`=XmFF@*{S0zrw<xH<mKSt#Xw(U6)F_yVm{XRB9RZh}UPF+D5<ZtSX!5
z4#{pa?`6-_WbzELE{Q1n<!SI~;Acv54XqzrA)n-qqu=x4n3jV6#@eQlamyet9w7GH
zN7F0tt}3IiquezmZkLDzbH$Z(P&syIRRk%jmjl!Bk2ef~|GTh9z<}L}m)d2cU;!cN
z4YV7N)<8j(;O=ltWaMx97ga1|;0;4fK6?`tPJzasw!3+H7Gf!V@K4(tY?bc<^^}0@
z&ie+C3*!fj0vgLxC5~-U&Gg@h;6C>=DG9dQAKVh2-RG<ixL@?;+9iz{5*gMWPr<%}
z9+_^wFydPk72fkO@4q+-<QI;tV8=lVc5i0V_PZpOTWqLTKxF;As0-Q~w2h+b<YFc=
zDTM=k0{YIyH?}QCEOYwz$s@#1RTwlqxsk{eTe%R`eu^%pl%lBo=x-ovezcO5TaYJ`
zOd&L(!L?AahkfE=p3s%Ae;3uAtbQ2V+*q}Ir%;F1EzrTRvzhQQ5Ws13791I(2T)$_
zwh~jT!<*(lnLhkx*^r%KiOT6PlP9s^q7!Nnp^^Rn)peCYaW-9ca0w7BxVr=i79<Sr
z?k)-LHs}OR0!)It55e6%xCRIe8l2!3+?}1|t#7w>Yu|reUHw$`)3^Kfx!vcU_Qta@
zopo2RJ0HEFdU4e3GB@ba#kRbI5z8D{E%;FQxVID__R6=K7Zpt@L^X8IUUA}iBs7V~
zzi}WEaynvo^W}J)_8wS%2p#o^HlAb+(BaTBasy)0{Tb4aVpU43OUy2C7C}F%7ue%^
zadM+E<Z@ErB}um2_Kc@q+YclQCQ(vvS5FsDGI53XV^!$2Rc#jRVrdeaV%j*yS#|z@
z_)wyUFk)Syr_WvW^vwmBMgrh5i%s;N#}+J2MQeIpBzv9>S1=%Ey0#AMqQ5L6yuu8%
z_^EV3eYuEd{R|tZr06I@v<OZ-`>LMrz4Dn=v>w=JlQ6ugLa!Z~Gppoa8&J$xIApDE
z_&PPEBi_BL{!2NvW7(v-zEo(WmOIhQ+^|39FW|;u<(JmMrA0rLNe-;XBW5-;KHO|S
z*Zul2FElXlW^9nTmND*XyU-VPiH%M^?xm9c!7InJQumsz4#qj=e&Nw5F4|!;8NazE
z<V+YY{@OmT7HZVuldk;dWy<qf^7=D7$Vb9FimaVCyOv2Qe~uvrDJjUzSZE<34z(0=
zhhX-yL%HMk9|~s*q!C!(fBWS!7NKP)DVgFX-1&C4VaAG7t{>}I<hmgv;rQ@li!kyM
zD{U#cW)!15*4h7JbU10{WE&3uH_?SV=s!f4|ChT{j+hUqkFkWFdY@$Ozqb5wTI(_#
zE-dw*vkCt<giJ@5RD!$}DMS0xU5S7~h)qo&1M6s8J1xuUTS(B*qY8Bh6n9t5`zhEr
zzEPB&kxa16Ufaj>^TBaj{R{ZlWY%|2m!o{y5Ql?x8zu}|^0#t5Y)TsJY^Gnhh+I+d
zVpOV~SsJDlP3%kSoXeZwROeE<Y`s0h63<U;_7X(i2ONmqI(SyGln4rvl5vASTB+$A
zm}rX{lNYjnF<bF$-$OSueBD*8t@|pIJ1`AzjR;g5HvP$gfnBY$cbajw?JacI!{m~w
zqZ;vI3h3n2HLq$V6f~P!q{8nNy0KtmnStT1l0F_ImeB?$GWa33%|x4GV$JwkntAM(
zZ+wHF_A-b<7!(u^w^o|NhJ_=>M1w{8<>gLGC;L7Ev832W+EV7g^QBu9ksMc3+5SH?
zsq(!{?r;m<l=v_2%$tOVJ#86r2tuA6IpSc=Y0O><3+3MNN$wWm7=fa>^4-};3GElA
z@Rj2qaj+?c6c}X}XhOtkTw*J{?Y@8ZLXCzBi(P(Quu)oG*ZS2V@%fo1mHsE6w68^w
zJ5V9>w#TQI{TSL-JX%vkR7qZU_bsL0y@Dq^Vx>a?&fjryFjE@hrOK3eKT9(Jf~*C*
zZIG!^(81Z1YKB||vlR@cTbtSo$Pu-cG+4n;ms$#VAI?#}LRe4U3itu|N!FYrXJ(Wj
zoY2A@r8#3CGfOeg2v+Pd<wZne>~9=ivF@?xHtBBl<w1BVzB9k~rP`cQ(aq8O(S-PZ
z4Z8FeE05XkvmY0TK*qzM>}=^v7Wgwa29QeT2jgtJ?bsL~Ord@3&D21u%B~&iFOuRP
z&F<gw6zulu-5oaMaU@rto*+lGWvkD0M{mt<7QZTo>~D5ZF57`w5i+QPb5CCSh?iBJ
zR+V(<(GJ+VLsM1GUb7FE_E~N=Iv|^l8t18LSP0)XrH=D8wbbgZYsCNB{2JcgTn`zn
zx}uy#@2;uZYTyrdBa>;FKv}<kNmckFT%Lw~<h}WdXjk0HEym*S(2Su!=1mKwEtpd-
zORhU|O(;kL+jrKdDf?>Qje+BH0W?AV-kHL2(TG##MafPM8gFxRj)Zz9e96Xlihu*j
zib9E4lHgDWDCz>gEi^0`$3&barm-ph831tGqg!ZfWN4OB^YHrxq#!K$`LrGvzu}`G
z_}i_i*I1M7G&M=NcY53V<~Gj{Jk82FH{lcN;)p>?=?qRXB3r2Y@H+)S@@j($J_R6%
zd)BXHH7XlD`+g3C(<yemi9#3=o>BlzMgnx&J5$cZzyGEfIwtNQlMeB2glV0Bs>iSb
zQH6cA|7i7nPj`t<xt&(Um|h!kr1GFQpKF2SJ&-`-g~1!3)TO4PdTMr;K7HaDWGlnP
zo6zs@O*7}~y)){{Fh{Ruf40K6c0O0`M!HGdV95|RRm8^B^w-J)Qq_K#1{oTq-j#x0
z*S6ZTs6U)1y1Dc|&1+ph1p*S*j~__@0M{#Z(t?YQ1Lo=oUvXph-e85oCs&P3lFf8X
z<No8(tr@-)BAN<z6Ucefnk;Ou@XZy9EQ{^9kUd~*mg$XfeJPs97^mlJC7lXdzJ#x8
zft&uwD*!;5s;G$_QtLh1BdA(@!#Xx|AhWgHWAd0EzlnHWWoMW>Z=!5kS<+$NTf$;k
zln>WX1-?wj#Ydw05Tt&ObKYtsVaV}|jTsoXNWRp&6tyYX-4%|s1x-2h>Zu6H3Z)m@
zT+?J0cHzX=gN^R~uG7YOdg(r)MpK-#M==lK;djz2ScSQFXQnJ+hLh9n152W2x62K6
z`p=QzIhYI`axgLX-=AQF$SBAahVN)!XrgrOKDb*9Z8mWVH`^d~4C@KWK%A4=ERr-?
z65@kC0E~^b7*}hbH8^$fJIcM=cSWjW^w|AD(02Jrk9_CtI}BOGAV7YTMo7B1XxQe;
zE{$T#xzG3tUS+#OTwKoj-I*L`*81Y|%Yl!POT<G8ow9&pT#Q#quh3B5nM59Nw=gw!
zTdr+;83%i6yKe36v~hA^LQ}HD?0-_9@2*PKmbb_t=Ym9r+>RlOdj!RVz&C9`wypD>
zhodL|Q_@vo@SH%#U<rDo_mqRT)@J>FzXWf_4bqQL3$)X-CdmN<MD}jDHt10RJ<vTB
zr7fEEGmX5Q#Qf597~MXJaG9Zil}0}M$o&Ig*dp1TdhV$!t*$TbL>6N)9jeW=1H{6x
zAMvMNcNyaunzH8E)Ud}sedmM;@iVy~a2hF@i0x&d%g_1>%smp~wNI~@lsA*i=5IfJ
z=eg-ORhxQi$x~pHz_0p&lIbe$`S}c)G%k8x^fQ){=HT~k{G8S<viT7VR*5r{pY0lO
zWch+#6I)smf`Dy^E=_Lji(NCHW`O#0QUzEQsw2e+Z#=vlWSqz`(BHn5mH1*Gh>)M#
zBwdzmtRNXFt6IY;l5WaLk3h?&xLm`Yt2$}YDY_sLDH}nq9{|i%mVH;hYXmg7bI8w=
zL5^_bXy(hgSp77mDZ~^@K*>y}?LV#@in9%D0~JbORJEkD-sBvD>56u*8EMO&{q7J7
zxN1i4F=RiYFu0nA*dx`BULa4+dWKldHJ|g4Vi4*WY%8JpMDl#SSkezIj(0P;te+6j
zgmKbz*S}$W7U9`Awu#aY!fa$$jP`H1HxCX6fU@#4QO=IM78spY67na%6F6AFM2lSL
zT@9q(4mCOiGJQz$Ga5^2u%P@s3iTE490?t)^M{=eHct^BMbuBb)|ywc-p*I_TP5sb
zs`Fmi{fv%cvf^QiBp3s0Oei6GN0GI{$t-@R1drA|F=N>VMluRZK5C*Zjb%%gL%H+V
zQ?A+zt>a6q-K}4q?7I<`ukSW_vP!?O!p-<$=S^g*EIMCWWkrS}YDLznB@9_=*^%u2
z8%z)PJG8YS?088}4y}Lx)>hGxyjaW?G&@7SyiO;so7&()UDN0B@fBRrIe|a5IPvl<
z%$pDlSjD;UtPqPapxz)}b-M_QCSowcdVlrQuRrb<f?V`<7<s@yy)X<dP#`VGqBJIQ
z80uomzg`pqXr+~ax^NdF4Lwtl6Om8~L+C^Wa65MA&=2S8AydTUY*`RFXWT{A^S!(8
zJMfUiF_?`=ZF4=@xwy-@Yz5o)l@d@NDXAYlqr^YyOW<FyzGF-gZavzz(+OEM*(UwC
zUc>MR&TYGEl%sI$4SMX<cx1;1o{-9;QNkkM&3=^ODqXCxzjceqGxCv^h1FO9hM4Qr
z$rjua$yOS@26I(P5uXp*Dc9mX4)+X?N~?;BfOa2`Z1n9oZg-N}?VV?8ubz1<*LiMf
zzY^b-JqndAud?F1&*ULnZQ)d#eM{6BxV}$K_NtSQT-bRFE^}!thz@u;P;H%<x+c!d
z84{yPZ`T*7|HIAF4&=hcT4GarXupKI6a>-UZLt>|wp0!pi7L-g`-zixRU!>W^o~dy
z5YcPsJJON{H*1=F@T3ZzO1na{uaD<Bu;SNi+1-^IzWw896^juj5A~&-&SdpSi0DzS
z1UMG;3>TQtjXU~NF~-`ru@=O$7x*L(ih6^9VSrq1)mQ1eczdL#xk=`3CobIBd$E;5
z;WW7N)RmD87#&IyG!MuMhe_c`QkM*)xUFq+8|E*VEo$T{qh0rzlgA$mw)ta;2RN=n
zBY+L>xCz+8#AzNVufh80c~J3&#0-&?BSD9?pvD_MX-TG67ncWO>`V_T&yf*>@3FI`
zh~bR^2CG-p0dAiJd=EIe)*Ejru{N<Y7omrfyDok-xab=$fW^U2;_wnO;te~Jw>#~h
zQn0vrJzDTTwZYR=e=6WD@}PR)ylb;xsJ;QNRfLmX__}V6S%ur@O#|-bP6XZE!*e<$
z>In>^S?#&<mn~!q3$bGJlmZ?uT$!4gv+Sp9O$O8;I|GA@VacOt*iSECIu6t1QwXfv
zO!3)Wk%Wkkhx6%H-`DszqN1YAVY2;MtoV3@e#@Me3-JUFTO(=2K<}>GNtj=#OhWCC
z+IWSx&_0vW9+2~$iUs!H{%wdE9>m6V_kf*a%S@f8bP~)|(SYsy>BLamwvyqj453q_
z#I;ENhQ=O{VFu{fg4r6Xw$BUdy2c$CGV`!c%<NmfFk`2X>|em%%|&(6(Q^newwyBP
z+rS>+w6Q99AmJ}KIUbts&^CWsO=;X>%9J9a77PIWLcB>`e@ZIx7Y`gOWUg^pY;s$l
zcL^g(wRVEE>woF_`giocn`O_(iz+N<Za4VEHD4Z>7!39~D0ld-c7<MPK5=L~6z_Z^
zttC(-G<oDG7j6vD(j6)1poYI&k&B#n{n!Nqq912*TRmRx6AQxi-b*IDWk<0va4^%_
zEoY|T3JBROQR$-I1F*ZFoJJH>WOe37)<_lmj@!u@AESvG6TidN1wPl!Mu)s_W4;?T
z1+T?^1mta;3|^ce7Tn(5pazhDn=z40RF#X9O0H1ClYS8Zu}?8lUb)OYpD_gm1_JE2
z@PzY#2ljW}G`gAo)n2YeVWhgJFfVNTTPqon?(XNwZvipg`-ueo938iD$l?Z`?^e%e
z5ieR&Y`@P3#$qiryxn3^;*^4Q{`7w=$TU;-F!yRxN=rz5Y`N%J3ChmyTtOjMBUX}E
z<gz<1l(l_XK{aQnJJs1BFmbxVn*dMx3W$-hQ-vhZ^<s)Eeo?DPCnmwgT_NVSQ8|@@
z>?OACRfqnauM^KpL}hl1O<sppVp0E)tjnVHPw|5>xW<)FH{lM4oIUR)qgs({#56st
zt_{AM5j#XD8apXKQ_E<--R(|{AHJCjtI&QcZs2>FZt^Mj^&^P$VyXh7cGYWK(t{wr
zJ2WH$ldGJ&gIR>Nb9eY|D887>rySP%5~bf)tb#`NVT~)#49F+v_uj)jwe0fLJIwxJ
zU2BpvYyNoj$nEZo!2}r@w|LKg5K8gH8TpM*=;Ft?%AqI9#ZoE#)OV*)hhdjp*em$s
zyllLjucI?ot*3T5F(0r*)a2ZpAt`{<nqTQosP*@y#;EdcCrd<fl@fcU!A|+Fha>w{
z$nt*8vATr+;%h|k%S7lLQj=xYy*mV^$N32W>o(Ovr@RqEN@@2B7z2Yng5EAu17FsR
zY-C`RQ^OX{7;)0OELN&9-69xbZ5f{27i;irqhu@}P`R`sVm6h-U!OqpkUg)Zn;!sm
z?%0<iuDJXps%ac^+R4^Ci6x`5SSTVY1Z8Ic?VzqkqMzV%<EF*N^O_kl_d}9z40J9%
zq(WWQJL@tj-kGFnFwh|Y_<Hbw^w%unvq%R%6MnB`1|?g63>P<Gkk|~0lOR4F6vok^
z?mm+w&|2$pJO|iw_b!oDRwm<{0M*8mYnqSSzX$A*Xpv>7HlZ|;UHbSVbbDia#+$aC
zE8_&^+&4z(Hmd6ZbJ|oI;tO>i+AxK5<L`brrgaz?m~t?&cbL#0yKj{wD&-k7bkA8E
zJ5{RCq@7mG%!T<a@ZfdgMm%@7ZIAyIuH~zcD+UgEy`&HUyf@aE+oy_e8igso7v0@P
ztPUl?pV$@}Bu)#v6|7~=9a<r$PZZK~PUd4(Y14I%q!^T7d50}W`qz0rsc4s4`79+;
zYmSIP$en`Lxa#~fY;V^05B9)w66-lSf#!9~PM4>fmxkJZA|+DDzeGwN#dB!@0E)mL
zF2LWYsq$w7E+Im~v#_Q*8QFFB9dx)n`K>Vy08rZOX{mO4z(y*GRQ|$=X?Y1gaKt~E
z62^TgLQC+HXqC$0fE^jk@;X29Wle6r)mtjFZ?1k0@hi{CdqgtLCe00lnkqny6YHPJ
zMN6Tli^L?wGh^uSF7gC3=!xQI>>6&n!vd&Kn6!5Ni)dI(TLQke>BNd!E|pjpLz+kX
zlEzN+*+$D^5iGEks%CEUvN$6&e|2eda0uU8O&%WjWplZvH~aQj@)DL7jt!93`(1su
z2#c2e<kY#(#BuMgQzR-=_RnT?KT|3ydA-tz27Ah+_M${!;M8O3lH+A-cxs)FoUEO7
zXaTpMw>jBWQ=!8DUOpf?D{$lIGbk%MCVGbYgS`^14sOQsZGN>%GsTPy^Of>WjX5eI
zV~cG;b)<pfS9MiH97I<)mBf!Q&e?{CpH-BQ>K^Q|q#yabYUlIBrcT*m5JnOV0Aj+L
zEQa%PE%ifJaQu$LB$dy&^8`~r*3Tmov6v?dK`$DyXm(HrV-?;0r|r|j*K7322I@;!
z-R{RATt*YWR@-Crs1j`WL+9@UAHVl`WGsMJQ>v=(B!w_$(P>`L(f0FfWs8@UicPCe
zZRn;b-!De7S4Clt8dJ8-<jbrQOr8}GJV-#PfP4!j>9!F(y(|M=%<iRXd79V9=eI>E
zlet$t-tQ#-Y~&L#aRdN>{}M9Xl$Gdvu{T|+7uS8TzxCu}T}qC&GJ--%iZViJ<mS^8
zdA5nu&e?hy5+Z6jw6ZsqLDtD@)2KVu5F3O`WKCFCB!H?R{8_0Nb7-1!%65a{cTMf?
zCJ#PtPR<6$H=ezOG`>q)G=8#I&gM5a5j>=j=>nG<%Y(|qI3hgmn);22@SkDCno64~
z(yE}0aP<orUQ*$VyYq=mRL0Id=YowdECRe2`w#DZz2oAX-3qSfe(&Z$?L>Z7AKs@H
zA}u<mC@)+oLo<~8Pe%2Pm;eBmfSA~<nW^SVNLrK`es@dNWBR%`^b2=c{po0|r&(r^
z0QYZWYw1W6X8oj0C9e2bag9XJc2Lj^3xOf^{amfqzXTUngP_m2|0lSJXIN4E2lzbH
z&QBu$0q4K+qo8x_4m?`y2mb#9%sXNXTn@=sPuAeT{G}lg7`#HlF02{@;0L9yTsxkf
zA2)>&K99;Z`s8TroL+6;Ul$Z4^y&)DCrV&O9R#x5o{lWXO0U|H@5+CH5MS_8P%-`N
zV$r*dSvG?BFpGeP_uavZ$?(2hava$MUm6#&R~mdeZCnqucxK9Wkn{s$L2s=`kt|(4
zEWJ`4lAp@~q0v;Q53S{-ExR^C@Wj&h1y9f6XxKGVcH*-GGF23uINNDo(R-v+y6+A{
z>~=H2e|n(!kiI~F&#anpyZZd*gDyj_GWl%Z^FN)k5+E%tP<w`Mn#B|zk!4l5T7YRU
zDk_qXeQfltSJ*-)8%EgSdr}TZ@F>ajg{nqw1&VV<^)|&+??jC{xVO=aY*a5UE}-A^
zNRInJMyM2;f5GKBFK*n&->(93^!o-=_Q!wIQ;-H;sQ$Co&*@jvCm&y;r}j=QT&bDf
z-&TS!{{f$32s4*|VQR4W<4|Y4=s#N$uKvN_IsY$^6<HVj51xgeS#>=jsc2))GgQmH
RfV&@nf{dzkg`|1Ne*xxbTTlQ1

literal 0
HcmV?d00001

diff --git a/src/com/gitblit/ConfigUserService.java b/src/com/gitblit/ConfigUserService.java
index 831ede9b..d2740094 100644
--- a/src/com/gitblit/ConfigUserService.java
+++ b/src/com/gitblit/ConfigUserService.java
@@ -33,6 +33,7 @@ import org.eclipse.jgit.util.FS;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import com.gitblit.Constants.AccessPermission;
 import com.gitblit.models.TeamModel;
 import com.gitblit.models.UserModel;
 import com.gitblit.utils.ArrayUtils;
@@ -267,6 +268,55 @@ public class ConfigUserService implements IUserService {
 		return updateUserModel(model.username, model);
 	}
 
+	/**
+	 * Updates/writes all specified user objects.
+	 * 
+	 * @param models a list of user models
+	 * @return true if update is successful
+	 * @since 1.2.0
+	 */
+	@Override
+	public boolean updateUserModels(List<UserModel> models) {
+		try {
+			read();
+			for (UserModel model : models) {
+				UserModel originalUser = users.remove(model.username.toLowerCase());
+				users.put(model.username.toLowerCase(), model);
+				// null check on "final" teams because JSON-sourced UserModel
+				// can have a null teams object
+				if (model.teams != null) {
+					for (TeamModel team : model.teams) {
+						TeamModel t = teams.get(team.name.toLowerCase());
+						if (t == null) {
+							// new team
+							team.addUser(model.username);
+							teams.put(team.name.toLowerCase(), team);
+						} else {
+							// do not clobber existing team definition
+							// maybe because this is a federated user
+							t.addUser(model.username);							
+						}
+					}
+
+					// check for implicit team removal
+					if (originalUser != null) {
+						for (TeamModel team : originalUser.teams) {
+							if (!model.isTeamMember(team.name)) {
+								team.removeUser(model.username);
+							}
+						}
+					}
+				}
+			}
+			write();
+			return true;
+		} catch (Throwable t) {
+			logger.error(MessageFormat.format("Failed to update user {0} models!", models.size()),
+					t);
+		}
+		return false;
+	}
+
 	/**
 	 * Updates/writes and replaces a complete user object keyed by username.
 	 * This method allows for renaming a user.
@@ -413,7 +463,7 @@ public class ConfigUserService implements IUserService {
 			read();
 			for (Map.Entry<String, TeamModel> entry : teams.entrySet()) {
 				TeamModel model = entry.getValue();
-				if (model.hasRepository(role)) {
+				if (model.hasRepositoryPermission(role)) {
 					list.add(model.name);
 				}
 			}
@@ -447,10 +497,10 @@ public class ConfigUserService implements IUserService {
 			for (TeamModel team : teams.values()) {
 				// team has role, check against revised team list
 				if (specifiedTeams.contains(team.name.toLowerCase())) {
-					team.addRepository(role);
+					team.addRepositoryPermission(role);
 				} else {
 					// remove role from team
-					team.removeRepository(role);
+					team.removeRepositoryPermission(role);
 				}
 			}
 
@@ -494,6 +544,28 @@ public class ConfigUserService implements IUserService {
 		return updateTeamModel(model.name, model);
 	}
 
+	/**
+	 * Updates/writes all specified team objects.
+	 * 
+	 * @param models a list of team models
+	 * @return true if update is successful
+	 * @since 1.2.0
+	 */
+	@Override
+	public boolean updateTeamModels(List<TeamModel> models) {
+		try {
+			read();
+			for (TeamModel team : models) {
+				teams.put(team.name.toLowerCase(), team);
+			}
+			write();
+			return true;
+		} catch (Throwable t) {
+			logger.error(MessageFormat.format("Failed to update team {0} models!", models.size()), t);
+		}
+		return false;
+	}
+
 	/**
 	 * Updates/writes and replaces a complete team object keyed by teamname.
 	 * This method allows for renaming a team.
@@ -602,7 +674,7 @@ public class ConfigUserService implements IUserService {
 			read();
 			for (Map.Entry<String, UserModel> entry : users.entrySet()) {
 				UserModel model = entry.getValue();
-				if (model.hasRepository(role)) {
+				if (model.hasRepositoryPermission(role)) {
 					list.add(model.username);
 				}
 			}
@@ -623,6 +695,7 @@ public class ConfigUserService implements IUserService {
 	 * @return true if successful
 	 */
 	@Override
+	@Deprecated
 	public boolean setUsernamesForRepositoryRole(String role, List<String> usernames) {
 		try {
 			Set<String> specifiedUsers = new HashSet<String>();
@@ -636,10 +709,10 @@ public class ConfigUserService implements IUserService {
 			for (UserModel user : users.values()) {
 				// user has role, check against revised user list
 				if (specifiedUsers.contains(user.username.toLowerCase())) {
-					user.addRepository(role);
+					user.addRepositoryPermission(role);
 				} else {
 					// remove role from user
-					user.removeRepository(role);
+					user.removeRepositoryPermission(role);
 				}
 			}
 
@@ -665,17 +738,17 @@ public class ConfigUserService implements IUserService {
 			read();
 			// identify users which require role rename
 			for (UserModel model : users.values()) {
-				if (model.hasRepository(oldRole)) {
-					model.removeRepository(oldRole);
-					model.addRepository(newRole);
+				if (model.hasRepositoryPermission(oldRole)) {
+					AccessPermission permission = model.removeRepositoryPermission(oldRole);
+					model.setRepositoryPermission(newRole, permission);
 				}
 			}
 
 			// identify teams which require role rename
 			for (TeamModel model : teams.values()) {
-				if (model.hasRepository(oldRole)) {
-					model.removeRepository(oldRole);
-					model.addRepository(newRole);
+				if (model.hasRepositoryPermission(oldRole)) {
+					AccessPermission permission = model.removeRepositoryPermission(oldRole);
+					model.setRepositoryPermission(newRole, permission);
 				}
 			}
 			// persist changes
@@ -701,12 +774,12 @@ public class ConfigUserService implements IUserService {
 
 			// identify users which require role rename
 			for (UserModel user : users.values()) {
-				user.removeRepository(role);
+				user.removeRepositoryPermission(role);
 			}
 
 			// identify teams which require role rename
 			for (TeamModel team : teams.values()) {
-				team.removeRepository(role);
+				team.removeRepositoryPermission(role);
 			}
 
 			// persist changes
@@ -768,21 +841,44 @@ public class ConfigUserService implements IUserService {
 			config.setStringList(USER, model.username, ROLE, roles);
 
 			// repository memberships
-			// null check on "final" repositories because JSON-sourced UserModel
-			// can have a null repositories object
-			if (!ArrayUtils.isEmpty(model.repositories)) {
-				config.setStringList(USER, model.username, REPOSITORY, new ArrayList<String>(
-						model.repositories));
+			if (model.permissions == null) {
+				// null check on "final" repositories because JSON-sourced UserModel
+				// can have a null repositories object
+				if (!ArrayUtils.isEmpty(model.repositories)) {
+					config.setStringList(USER, model.username, REPOSITORY, new ArrayList<String>(
+							model.repositories));
+				}
+			} else {
+				// discrete repository permissions
+				List<String> permissions = new ArrayList<String>();
+				for (Map.Entry<String, AccessPermission> entry : model.permissions.entrySet()) {
+					if (entry.getValue().exceeds(AccessPermission.NONE)) {
+						permissions.add(entry.getValue().asRole(entry.getKey()));
+					}
+				}
+				config.setStringList(USER, model.username, REPOSITORY, permissions);
 			}
 		}
 
 		// write teams
 		for (TeamModel model : teams.values()) {
-			// null check on "final" repositories because JSON-sourced TeamModel
-			// can have a null repositories object
-			if (!ArrayUtils.isEmpty(model.repositories)) {
-				config.setStringList(TEAM, model.name, REPOSITORY, new ArrayList<String>(
-						model.repositories));
+			if (model.permissions == null) {
+				// null check on "final" repositories because JSON-sourced TeamModel
+				// can have a null repositories object
+				if (!ArrayUtils.isEmpty(model.repositories)) {
+					config.setStringList(TEAM, model.name, REPOSITORY, new ArrayList<String>(
+							model.repositories));
+				}
+			} else {
+				// discrete repository permissions
+				List<String> permissions = new ArrayList<String>();
+				for (Map.Entry<String, AccessPermission> entry : model.permissions.entrySet()) {
+					if (entry.getValue().exceeds(AccessPermission.NONE)) {
+						// code:repository (e.g. RW+:~james/myrepo.git
+						permissions.add(entry.getValue().asRole(entry.getKey()));
+					}
+				}
+				config.setStringList(TEAM, model.name, REPOSITORY, permissions);
 			}
 
 			// null check on "final" users because JSON-sourced TeamModel
@@ -872,7 +968,7 @@ public class ConfigUserService implements IUserService {
 					Set<String> repositories = new HashSet<String>(Arrays.asList(config
 							.getStringList(USER, username, REPOSITORY)));
 					for (String repository : repositories) {
-						user.addRepository(repository);
+						user.addRepositoryPermission(repository);
 					}
 
 					// update cache
@@ -886,7 +982,7 @@ public class ConfigUserService implements IUserService {
 				Set<String> teamnames = config.getSubsections(TEAM);
 				for (String teamname : teamnames) {
 					TeamModel team = new TeamModel(teamname);
-					team.addRepositories(Arrays.asList(config.getStringList(TEAM, teamname,
+					team.addRepositoryPermissions(Arrays.asList(config.getStringList(TEAM, teamname,
 							REPOSITORY)));
 					team.addUsers(Arrays.asList(config.getStringList(TEAM, teamname, USER)));
 					team.addMailingLists(Arrays.asList(config.getStringList(TEAM, teamname,
diff --git a/src/com/gitblit/Constants.java b/src/com/gitblit/Constants.java
index c831c42d..ed48bd27 100644
--- a/src/com/gitblit/Constants.java
+++ b/src/com/gitblit/Constants.java
@@ -15,6 +15,10 @@
  */
 package com.gitblit;
 
+import java.lang.annotation.Documented;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+
 
 /**
  * Constant values used by Gitblit.
@@ -309,4 +313,72 @@ public class Constants {
 			return null;
 		}
 	}
+	
+	/**
+	 * The access permissions available for a repository. 
+	 */
+	public static enum AccessPermission {
+		NONE("N"), VIEW("V"), CLONE("R"), PUSH("RW"), CREATE("RWC"), DELETE("RWD"), REWIND("RW+");
+		
+		public static AccessPermission LEGACY = REWIND;
+		
+		public final String code;
+		
+		private AccessPermission(String code) {
+			this.code = code;
+		}
+		
+		public boolean atLeast(AccessPermission perm) {
+			return ordinal() >= perm.ordinal();
+		}
+
+		public boolean exceeds(AccessPermission perm) {
+			return ordinal() > perm.ordinal();
+		}
+		
+		public String asRole(String repository) {
+			return code + ":" + repository;
+		}
+		
+		@Override
+		public String toString() {
+			return code;
+		}
+		
+		public static AccessPermission permissionFromRole(String role) {
+			String [] fields = role.split(":", 2);
+			if (fields.length == 1) {
+				// legacy/undefined assume full permissions
+				return AccessPermission.LEGACY;
+			} else {
+				// code:repository
+				return AccessPermission.fromCode(fields[0]);
+			}
+		}
+		
+		public static String repositoryFromRole(String role) {
+			String [] fields = role.split(":", 2);
+			if (fields.length == 1) {
+				// legacy/undefined assume full permissions
+				return role;
+			} else {
+				// code:repository
+				return fields[1];
+			}
+		}
+		
+		public static AccessPermission fromCode(String code) {
+			for (AccessPermission perm : values()) {
+				if (perm.code.equalsIgnoreCase(code)) {
+					return perm;
+				}
+			}
+			return AccessPermission.NONE;
+		}
+	}
+	
+	@Documented
+	@Retention(RetentionPolicy.RUNTIME)
+	public @interface Unused {
+	}
 }
diff --git a/src/com/gitblit/DownloadZipFilter.java b/src/com/gitblit/DownloadZipFilter.java
index e515b55e..225e5e11 100644
--- a/src/com/gitblit/DownloadZipFilter.java
+++ b/src/com/gitblit/DownloadZipFilter.java
@@ -91,7 +91,7 @@ public class DownloadZipFilter extends AccessRestrictionFilter {
 	 */
 	@Override
 	protected boolean canAccess(RepositoryModel repository, UserModel user, String action) {
-		return user.canAccessRepository(repository);
+		return user.canView(repository);
 	}
 
 }
diff --git a/src/com/gitblit/FederationPullExecutor.java b/src/com/gitblit/FederationPullExecutor.java
index 7b9c55ba..03109dea 100644
--- a/src/com/gitblit/FederationPullExecutor.java
+++ b/src/com/gitblit/FederationPullExecutor.java
@@ -26,6 +26,7 @@ import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Date;
+import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
@@ -41,6 +42,7 @@ import org.eclipse.jgit.transport.UsernamePasswordCredentialsProvider;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import com.gitblit.Constants.AccessPermission;
 import com.gitblit.Constants.FederationPullStatus;
 import com.gitblit.Constants.FederationStrategy;
 import com.gitblit.GitBlitException.ForbiddenException;
@@ -333,10 +335,20 @@ public class FederationPullExecutor implements Runnable {
 						// reparent all repository permissions if the local
 						// repositories are stored within subfolders
 						if (!StringUtils.isEmpty(registrationFolder)) {
-							List<String> permissions = new ArrayList<String>(user.repositories);
-							user.repositories.clear();
-							for (String permission : permissions) {
-								user.addRepository(registrationFolder + "/" + permission);
+							if (user.permissions != null && user.permissions.size() > 0) {
+								// pulling from >= 1.2 version
+								Map<String, AccessPermission> copy = new HashMap<String, AccessPermission>(user.permissions);
+								user.permissions.clear();
+								for (Map.Entry<String, AccessPermission> entry : copy.entrySet()) {
+									user.setRepositoryPermission(registrationFolder + "/" + entry.getKey(), entry.getValue());
+								}
+							} else {
+								// pulling from <= 1.1 version
+								List<String> permissions = new ArrayList<String>(user.repositories);
+								user.repositories.clear();
+								for (String permission : permissions) {
+									user.addRepositoryPermission(registrationFolder + "/" + permission);
+								}
 							}
 						}
 
@@ -347,8 +359,17 @@ public class FederationPullExecutor implements Runnable {
 							GitBlit.self().updateUserModel(user.username, user, true);
 						} else {
 							// update repository permissions of local user
-							for (String repository : user.repositories) {
-								localUser.addRepository(repository);
+							if (user.permissions != null && user.permissions.size() > 0) {
+								// pulling from >= 1.2 version
+								Map<String, AccessPermission> copy = new HashMap<String, AccessPermission>(user.permissions);
+								for (Map.Entry<String, AccessPermission> entry : copy.entrySet()) {
+									localUser.setRepositoryPermission(entry.getKey(), entry.getValue());
+								}
+							} else {
+								// pulling from <= 1.1 version
+								for (String repository : user.repositories) {
+									localUser.addRepositoryPermission(repository);
+								}
 							}
 							localUser.password = user.password;
 							localUser.canAdmin = user.canAdmin;
@@ -369,12 +390,16 @@ public class FederationPullExecutor implements Runnable {
 
 							// update team repositories
 							TeamModel remoteTeam = user.getTeam(teamname);
-							if (remoteTeam != null && !ArrayUtils.isEmpty(remoteTeam.repositories)) {
-								int before = team.repositories.size();
-								team.addRepositories(remoteTeam.repositories);
-								int after = team.repositories.size();
-								if (after > before) {
-									// repository count changed, update
+							if (remoteTeam != null) {
+								if (remoteTeam.permissions != null) {
+									// pulling from >= 1.2
+									for (Map.Entry<String, AccessPermission> entry : remoteTeam.permissions.entrySet()){
+										team.setRepositoryPermission(entry.getKey(), entry.getValue());
+									}
+									GitBlit.self().updateTeamModel(teamname, team, false);
+								} else if(!ArrayUtils.isEmpty(remoteTeam.repositories)) {
+									// pulling from <= 1.1
+									team.addRepositoryPermissions(remoteTeam.repositories);
 									GitBlit.self().updateTeamModel(teamname, team, false);
 								}
 							}
diff --git a/src/com/gitblit/FileUserService.java b/src/com/gitblit/FileUserService.java
index f4394696..c06266dc 100644
--- a/src/com/gitblit/FileUserService.java
+++ b/src/com/gitblit/FileUserService.java
@@ -31,6 +31,7 @@ import java.util.concurrent.ConcurrentHashMap;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import com.gitblit.Constants.AccessPermission;
 import com.gitblit.models.TeamModel;
 import com.gitblit.models.UserModel;
 import com.gitblit.utils.ArrayUtils;
@@ -243,7 +244,7 @@ public class FileUserService extends FileSettings implements IUserService {
 				}
 				break;
 			default:
-				model.addRepository(role);
+				model.addRepositoryPermission(role);
 			}
 		}
 		// set the teams for the user
@@ -266,6 +267,29 @@ public class FileUserService extends FileSettings implements IUserService {
 		return updateUserModel(model.username, model);
 	}
 
+	/**
+	 * Updates/writes all specified user objects.
+	 * 
+	 * @param model a list of user models
+	 * @return true if update is successful
+	 * @since 1.2.0
+	 */
+	@Override
+	public boolean updateUserModels(List<UserModel> models) {
+		try {			
+			Properties allUsers = read();
+			for (UserModel model : models) {
+				updateUserCache(allUsers, model.username, model);
+			}
+			write(allUsers);
+			return true;
+		} catch (Throwable t) {
+			logger.error(MessageFormat.format("Failed to update {0} user models!", models.size()),
+					t);
+		}
+		return false;
+	}
+
 	/**
 	 * Updates/writes and replaces a complete user object keyed by username.
 	 * This method allows for renaming a user.
@@ -280,8 +304,43 @@ public class FileUserService extends FileSettings implements IUserService {
 	public boolean updateUserModel(String username, UserModel model) {
 		try {			
 			Properties allUsers = read();
+			updateUserCache(allUsers, username, model);
+			write(allUsers);
+			return true;
+		} catch (Throwable t) {
+			logger.error(MessageFormat.format("Failed to update user model {0}!", model.username),
+					t);
+		}
+		return false;
+	}
+	
+	/**
+	 * Updates/writes and replaces a complete user object keyed by username.
+	 * This method allows for renaming a user.
+	 * 
+	 * @param username
+	 *            the old username
+	 * @param model
+	 *            the user object to use for username
+	 * @return true if update is successful
+	 */
+	private boolean updateUserCache(Properties allUsers, String username, UserModel model) {
+		try {			
 			UserModel oldUser = getUserModel(username);
-			ArrayList<String> roles = new ArrayList<String>(model.repositories);
+			List<String> roles;
+			if (model.permissions == null) {
+				// legacy, use repository list
+				roles = new ArrayList<String>(model.repositories);
+			} else {
+				// discrete repository permissions
+				roles = new ArrayList<String>();
+				for (Map.Entry<String, AccessPermission> entry : model.permissions.entrySet()) {
+					if (entry.getValue().exceeds(AccessPermission.NONE)) {
+						// code:repository (e.g. RW+:~james/myrepo.git
+						roles.add(entry.getValue().asRole(entry.getKey()));
+					}
+				}
+			}
 
 			// Permissions
 			if (model.canAdmin) {
@@ -336,8 +395,6 @@ public class FileUserService extends FileSettings implements IUserService {
 					}
 				}
 			}
-
-			write(allUsers);
 			return true;
 		} catch (Throwable t) {
 			logger.error(MessageFormat.format("Failed to update user model {0}!", model.username),
@@ -552,8 +609,8 @@ public class FileUserService extends FileSettings implements IUserService {
 				String[] roles = value.split(",");
 				// skip first value (password)
 				for (int i = 1; i < roles.length; i++) {
-					String r = roles[i];
-					if (r.equalsIgnoreCase(oldRole)) {
+					String repository = AccessPermission.repositoryFromRole(roles[i]);
+					if (repository.equalsIgnoreCase(oldRole)) {
 						needsRenameRole.add(username);
 						break;
 					}
@@ -573,9 +630,13 @@ public class FileUserService extends FileSettings implements IUserService {
 
 				// skip first value (password)
 				for (int i = 1; i < values.length; i++) {
-					String value = values[i];
-					if (!value.equalsIgnoreCase(oldRole)) {
-						sb.append(value);
+					String repository = AccessPermission.repositoryFromRole(values[i]);
+					if (repository.equalsIgnoreCase(oldRole)) {
+						AccessPermission permission = AccessPermission.permissionFromRole(values[i]);
+						sb.append(permission.asRole(newRole));
+						sb.append(',');
+					} else {
+						sb.append(values[i]);
 						sb.append(',');
 					}
 				}
@@ -612,9 +673,9 @@ public class FileUserService extends FileSettings implements IUserService {
 				String value = allUsers.getProperty(username);
 				String[] roles = value.split(",");
 				// skip first value (password)
-				for (int i = 1; i < roles.length; i++) {
-					String r = roles[i];
-					if (r.equalsIgnoreCase(role)) {
+				for (int i = 1; i < roles.length; i++) {					
+					String repository = AccessPermission.repositoryFromRole(roles[i]);
+					if (repository.equalsIgnoreCase(role)) {
 						needsDeleteRole.add(username);
 						break;
 					}
@@ -630,10 +691,10 @@ public class FileUserService extends FileSettings implements IUserService {
 				sb.append(password);
 				sb.append(',');
 				// skip first value (password)
-				for (int i = 1; i < values.length; i++) {
-					String value = values[i];
-					if (!value.equalsIgnoreCase(role)) {
-						sb.append(value);
+				for (int i = 1; i < values.length; i++) {					
+					String repository = AccessPermission.repositoryFromRole(values[i]);
+					if (!repository.equalsIgnoreCase(role)) {
+						sb.append(values[i]);
 						sb.append(',');
 					}
 				}
@@ -722,7 +783,7 @@ public class FileUserService extends FileSettings implements IUserService {
 							repositories.add(role);
 						}
 					}
-					team.addRepositories(repositories);
+					team.addRepositoryPermissions(repositories);
 					team.addUsers(users);
 					team.addMailingLists(mailingLists);
 					team.preReceiveScripts.addAll(preReceive);
@@ -912,6 +973,27 @@ public class FileUserService extends FileSettings implements IUserService {
 	public boolean updateTeamModel(TeamModel model) {
 		return updateTeamModel(model.name, model);
 	}
+	
+	/**
+	 * Updates/writes all specified team objects.
+	 * 
+	 * @param models a list of team models
+	 * @return true if update is successful
+	 * @since 1.2.0
+	 */
+	public boolean updateTeamModels(List<TeamModel> models) {
+		try {
+			Properties allUsers = read();
+			for (TeamModel model : models) {
+				updateTeamCache(allUsers, model.name, model);
+			}
+			write(allUsers);
+			return true;
+		} catch (Throwable t) {
+			logger.error(MessageFormat.format("Failed to update {0} team models!", models.size()), t);
+		}
+		return false;
+	}
 
 	/**
 	 * Updates/writes and replaces a complete team object keyed by teamname.
@@ -939,12 +1021,30 @@ public class FileUserService extends FileSettings implements IUserService {
 
 	private void updateTeamCache(Properties allUsers, String teamname, TeamModel model) {
 		StringBuilder sb = new StringBuilder();
-		if (!ArrayUtils.isEmpty(model.repositories)) {
-			for (String repository : model.repositories) {
-				sb.append(repository);
-				sb.append(',');
+		List<String> roles;
+		if (model.permissions == null) {
+			// legacy, use repository list
+			if (model.repositories != null) {
+				roles = new ArrayList<String>(model.repositories);
+			} else {
+				roles = new ArrayList<String>();
+			}
+		} else {
+			// discrete repository permissions
+			roles = new ArrayList<String>();
+			for (Map.Entry<String, AccessPermission> entry : model.permissions.entrySet()) {
+				if (entry.getValue().exceeds(AccessPermission.NONE)) {
+					// code:repository (e.g. RW+:~james/myrepo.git
+					roles.add(entry.getValue().asRole(entry.getKey()));
+				}
 			}
 		}
+		
+		for (String role : roles) {
+				sb.append(role);
+				sb.append(',');
+		}
+		
 		if (!ArrayUtils.isEmpty(model.users)) {
 			for (String user : model.users) {
 				sb.append('!');
diff --git a/src/com/gitblit/GitBlit.java b/src/com/gitblit/GitBlit.java
index 7fbd3efd..8c6d9eba 100644
--- a/src/com/gitblit/GitBlit.java
+++ b/src/com/gitblit/GitBlit.java
@@ -69,6 +69,7 @@ import org.eclipse.jgit.util.FileUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import com.gitblit.Constants.AccessPermission;
 import com.gitblit.Constants.AccessRestrictionType;
 import com.gitblit.Constants.AuthorizationControl;
 import com.gitblit.Constants.FederationRequest;
@@ -618,6 +619,7 @@ public class GitBlit implements ServletContextListener {
 	 * @param usernames
 	 * @return true if successful
 	 */
+	@Deprecated
 	public boolean setRepositoryUsers(RepositoryModel repository, List<String> repositoryUsers) {
 		return userService.setUsernamesForRepositoryRole(repository.name, repositoryUsers);
 	}
@@ -699,6 +701,7 @@ public class GitBlit implements ServletContextListener {
 	 * @param teamnames
 	 * @return true if successful
 	 */
+	@Deprecated
 	public boolean setRepositoryTeams(RepositoryModel repository, List<String> repositoryTeams) {
 		return userService.setTeamnamesForRepositoryRole(repository.name, repositoryTeams);
 	}
@@ -957,14 +960,13 @@ public class GitBlit implements ServletContextListener {
 		if (model == null) {
 			return null;
 		}
-		if (model.accessRestriction.atLeast(AccessRestrictionType.VIEW)) {
-			if (user != null && user.canAccessRepository(model)) {
-				return model;
-			}
-			return null;
-		} else {
+		if (user == null) {
+			user = UserModel.ANONYMOUS;
+		}
+		if (user.canView(model)) {
 			return model;
 		}
+		return null;
 	}
 
 	/**
@@ -1224,11 +1226,7 @@ public class GitBlit implements ServletContextListener {
 		}
 		model.hasCommits = JGitUtils.hasCommits(r);
 		model.lastChange = JGitUtils.getLastChange(r);
-		if (repositoryName.indexOf('/') == -1) {
-			model.projectPath = "";
-		} else {
-			model.projectPath = repositoryName.substring(0, repositoryName.indexOf('/'));
-		}
+		model.projectPath = StringUtils.getFirstPathElement(repositoryName);
 		
 		StoredConfig config = r.getConfig();
 		boolean hasOrigin = !StringUtils.isEmpty(config.getString("remote", "origin", "url"));
@@ -1449,6 +1447,9 @@ public class GitBlit implements ServletContextListener {
 	 */
 	private void closeRepository(String repositoryName) {
 		Repository repository = getRepository(repositoryName);
+		if (repository == null) {
+			return;
+		}
 		RepositoryCache.close(repository);
 
 		// assume 2 uses in case reflection fails
@@ -1756,7 +1757,7 @@ public class GitBlit implements ServletContextListener {
 			clearRepositoryMetadataCache(repositoryName);
 			
 			RepositoryModel model = removeFromCachedRepositoryList(repositoryName);
-			if (!ArrayUtils.isEmpty(model.forks)) {
+			if (model != null && !ArrayUtils.isEmpty(model.forks)) {
 				resetRepositoryListCache();
 			}
 
@@ -2646,26 +2647,46 @@ public class GitBlit implements ServletContextListener {
 
 		// create a Gitblit repository model for the clone
 		RepositoryModel cloneModel = repository.cloneAs(cloneName);
+		// owner has REWIND/RW+ permissions
 		cloneModel.owner = user.username;
 		updateRepositoryModel(cloneName, cloneModel, false);
 
-		if (AuthorizationControl.NAMED.equals(cloneModel.authorizationControl)) {
-			// add the owner of the source repository to the clone's access list
-			if (!StringUtils.isEmpty(repository.owner)) {
-				UserModel owner = getUserModel(repository.owner);
-				if (owner != null) {
-					owner.repositories.add(cloneName);
-					updateUserModel(owner.username, owner, false);
-				}
+		// add the owner of the source repository to the clone's access list
+		if (!StringUtils.isEmpty(repository.owner)) {
+			UserModel originOwner = getUserModel(repository.owner);
+			if (originOwner != null) {
+				originOwner.setRepositoryPermission(cloneName, AccessPermission.CLONE);
+				updateUserModel(originOwner.username, originOwner, false);
 			}
+		}
 
-			// inherit origin's access lists
-			List<String> users = getRepositoryUsers(repository);
-			setRepositoryUsers(cloneModel, users);
+		// grant origin's user list clone permission to fork
+		List<String> users = getRepositoryUsers(repository);
+		List<UserModel> cloneUsers = new ArrayList<UserModel>();
+		for (String name : users) {
+			if (!name.equalsIgnoreCase(user.username)) {
+				UserModel cloneUser = getUserModel(name);
+				if (cloneUser.canClone(repository)) {
+					// origin user can clone origin, grant clone access to fork
+					cloneUser.setRepositoryPermission(cloneName, AccessPermission.CLONE);
+				}
+				cloneUsers.add(cloneUser);
+			}
+		}
+		userService.updateUserModels(cloneUsers);
 
-			List<String> teams = getRepositoryTeams(repository);
-			setRepositoryTeams(cloneModel, teams);
+		// grant origin's team list clone permission to fork
+		List<String> teams = getRepositoryTeams(repository);
+		List<TeamModel> cloneTeams = new ArrayList<TeamModel>();
+		for (String name : teams) {
+			TeamModel cloneTeam = getTeamModel(name);
+			if (cloneTeam.canClone(repository)) {
+				// origin team can clone origin, grant clone access to fork
+				cloneTeam.setRepositoryPermission(cloneName, AccessPermission.CLONE);
+			}
+			cloneTeams.add(cloneTeam);
 		}
+		userService.updateTeamModels(cloneTeams);			
 
 		// add this clone to the cached model
 		addToCachedRepositoryList(cloneModel);
diff --git a/src/com/gitblit/GitFilter.java b/src/com/gitblit/GitFilter.java
index 8ce4d3a7..cfe4fe3f 100644
--- a/src/com/gitblit/GitFilter.java
+++ b/src/com/gitblit/GitFilter.java
@@ -147,33 +147,25 @@ public class GitFilter extends AccessRestrictionFilter {
 			// Git Servlet disabled
 			return false;
 		}		
-		boolean readOnly = repository.isFrozen;	
-		if (readOnly || repository.accessRestriction.atLeast(AccessRestrictionType.PUSH)) {
-			boolean authorizedUser = user.canAccessRepository(repository);
-			if (action.equals(gitReceivePack)) {
-				// Push request
-				if (!readOnly && authorizedUser) {
-					// clone-restricted or push-authorized
-					return true;
-				} else {
-					// user is unauthorized to push to this repository
-					logger.warn(MessageFormat.format("user {0} is not authorized to push to {1}",
-							user.username, repository));
-					return false;
-				}
-			} else if (action.equals(gitUploadPack)) {
-				// Clone request
-				boolean cloneRestricted = repository.accessRestriction
-						.atLeast(AccessRestrictionType.CLONE);
-				if (!cloneRestricted || (cloneRestricted && authorizedUser)) {
-					// push-restricted or clone-authorized
-					return true;
-				} else {
-					// user is unauthorized to clone this repository
-					logger.warn(MessageFormat.format("user {0} is not authorized to clone {1}",
-							user.username, repository));
-					return false;
-				}
+		if (action.equals(gitReceivePack)) {
+			// Push request
+			if (user.canPush(repository)) {
+				return true;
+			} else {
+				// user is unauthorized to push to this repository
+				logger.warn(MessageFormat.format("user {0} is not authorized to push to {1}",
+						user.username, repository));
+				return false;
+			}
+		} else if (action.equals(gitUploadPack)) {
+			// Clone request
+			if (user.canClone(repository)) {
+				return true;
+			} else {
+				// user is unauthorized to clone this repository
+				logger.warn(MessageFormat.format("user {0} is not authorized to clone {1}",
+						user.username, repository));
+				return false;
 			}
 		}
 		return true;
diff --git a/src/com/gitblit/GitServlet.java b/src/com/gitblit/GitServlet.java
index 2571693d..8e2326d4 100644
--- a/src/com/gitblit/GitServlet.java
+++ b/src/com/gitblit/GitServlet.java
@@ -105,6 +105,21 @@ public class GitServlet extends org.eclipse.jgit.http.server.GitServlet {
 				ReceivePack rp = super.create(req, db);
 				rp.setPreReceiveHook(hook);
 				rp.setPostReceiveHook(hook);
+
+				// determine pushing user
+				PersonIdent person = rp.getRefLogIdent();
+				UserModel user = GitBlit.self().getUserModel(person.getName());
+				if (user == null) {
+					// anonymous push, create a temporary usermodel
+					user = new UserModel(person.getName());
+				}
+				
+				// enforce advanced ref permissions
+				RepositoryModel repository = GitBlit.self().getRepositoryModel(repositoryName);
+				rp.setAllowCreates(user.canCreateRef(repository));
+				rp.setAllowDeletes(user.canDeleteRef(repository));
+				rp.setAllowNonFastForwards(user.canRewindRef(repository));
+				
 				return rp;
 			}
 		});
@@ -209,7 +224,25 @@ public class GitServlet extends org.eclipse.jgit.http.server.GitServlet {
 			scripts.addAll(repository.postReceiveScripts);
 			UserModel user = getUserModel(rp);
 			runGroovy(repository, user, commands, rp, scripts);
-
+			for (ReceiveCommand cmd : commands) {
+				if (Result.OK.equals(cmd.getResult())) {
+					// add some logging for important ref changes
+					switch (cmd.getType()) {
+					case DELETE:
+						logger.info(MessageFormat.format("{0} DELETED {1} in {2} ({3})", user.username, cmd.getRefName(), repository.name, cmd.getOldId().name()));
+						break;
+					case CREATE:
+						logger.info(MessageFormat.format("{0} CREATED {1} in {2}", user.username, cmd.getRefName(), repository.name));
+						break;
+					case UPDATE_NONFASTFORWARD:
+						logger.info(MessageFormat.format("{0} UPDATED NON-FAST-FORWARD {1} in {2} (from {3} to {4})", user.username, cmd.getRefName(), repository.name, cmd.getOldId().name(), cmd.getNewId().name()));
+						break;
+					default:
+						break;
+					}
+				}
+			}
+			
 			// Experimental
 			// runNativeScript(rp, "hooks/post-receive", commands);
 		}
diff --git a/src/com/gitblit/GitblitUserService.java b/src/com/gitblit/GitblitUserService.java
index b4640b58..141ad8f1 100644
--- a/src/com/gitblit/GitblitUserService.java
+++ b/src/com/gitblit/GitblitUserService.java
@@ -167,6 +167,11 @@ public class GitblitUserService implements IUserService {
 		return serviceImpl.updateUserModel(model);
 	}
 
+	@Override
+	public boolean updateUserModels(List<UserModel> models) {
+		return serviceImpl.updateUserModels(models);
+	}
+
 	@Override
 	public boolean updateUserModel(String username, UserModel model) {
 		if (supportsCredentialChanges()) {
@@ -232,6 +237,7 @@ public class GitblitUserService implements IUserService {
 	}
 
 	@Override
+	@Deprecated
 	public boolean setTeamnamesForRepositoryRole(String role, List<String> teamnames) {
 		return serviceImpl.setTeamnamesForRepositoryRole(role, teamnames);
 	}
@@ -246,6 +252,11 @@ public class GitblitUserService implements IUserService {
 		return serviceImpl.updateTeamModel(model);
 	}
 
+	@Override
+	public boolean updateTeamModels(List<TeamModel> models) {
+		return serviceImpl.updateTeamModels(models);
+	}
+
 	@Override
 	public boolean updateTeamModel(String teamname, TeamModel model) {
 		if (!supportsTeamMembershipChanges()) {
@@ -275,6 +286,7 @@ public class GitblitUserService implements IUserService {
 	}
 
 	@Override
+	@Deprecated
 	public boolean setUsernamesForRepositoryRole(String role, List<String> usernames) {
 		return serviceImpl.setUsernamesForRepositoryRole(role, usernames);
 	}
diff --git a/src/com/gitblit/IUserService.java b/src/com/gitblit/IUserService.java
index 8822d024..059d648a 100644
--- a/src/com/gitblit/IUserService.java
+++ b/src/com/gitblit/IUserService.java
@@ -126,6 +126,15 @@ public interface IUserService {
 	 */
 	boolean updateUserModel(UserModel model);
 
+	/**
+	 * Updates/writes all specified user objects.
+	 * 
+	 * @param models a list of user models
+	 * @return true if update is successful
+	 * @since 1.2.0
+	 */
+	boolean updateUserModels(List<UserModel> models);
+	
 	/**
 	 * Adds/updates a user object keyed by username. This method allows for
 	 * renaming a user.
@@ -205,7 +214,8 @@ public interface IUserService {
 	 * @param teamnames
 	 * @return true if successful
 	 * @since 0.8.0
-	 */	
+	 */
+	@Deprecated
 	boolean setTeamnamesForRepositoryRole(String role, List<String> teamnames);
 	
 	/**
@@ -226,6 +236,15 @@ public interface IUserService {
 	 */	
 	boolean updateTeamModel(TeamModel model);
 
+	/**
+	 * Updates/writes all specified team objects.
+	 * 
+	 * @param models a list of team models
+	 * @return true if update is successful
+	 * @since 1.2.0
+	 */	
+	boolean updateTeamModels(List<TeamModel> models);
+	
 	/**
 	 * Updates/writes and replaces a complete team object keyed by teamname.
 	 * This method allows for renaming a team.
@@ -277,6 +296,7 @@ public interface IUserService {
 	 * @param usernames
 	 * @return true if successful
 	 */
+	@Deprecated
 	boolean setUsernamesForRepositoryRole(String role, List<String> usernames);
 
 	/**
diff --git a/src/com/gitblit/PagesFilter.java b/src/com/gitblit/PagesFilter.java
index c092c64d..11cdfa56 100644
--- a/src/com/gitblit/PagesFilter.java
+++ b/src/com/gitblit/PagesFilter.java
@@ -111,6 +111,6 @@ public class PagesFilter extends AccessRestrictionFilter {
 	 */
 	@Override
 	protected boolean canAccess(RepositoryModel repository, UserModel user, String action) {		
-		return user.canAccessRepository(repository);
+		return user.canView(repository);
 	}
 }
diff --git a/src/com/gitblit/SyndicationFilter.java b/src/com/gitblit/SyndicationFilter.java
index 0dff1c87..61bf2258 100644
--- a/src/com/gitblit/SyndicationFilter.java
+++ b/src/com/gitblit/SyndicationFilter.java
@@ -113,7 +113,7 @@ public class SyndicationFilter extends AuthenticationFilter {
 					return;
 				} else {
 					// check user access for request
-					if (user.canAdmin || user.canAccessRepository(model)) {
+					if (user.canView(model)) {
 						// authenticated request permitted.
 						// pass processing to the restricted servlet.
 						newSession(authenticatedRequest, httpResponse);
diff --git a/src/com/gitblit/models/RepositoryModel.java b/src/com/gitblit/models/RepositoryModel.java
index caf7e7e4..914523df 100644
--- a/src/com/gitblit/models/RepositoryModel.java
+++ b/src/com/gitblit/models/RepositoryModel.java
@@ -88,7 +88,8 @@ public class RepositoryModel implements Serializable, Comparable<RepositoryModel
 		this.accessRestriction = AccessRestrictionType.NONE;
 		this.authorizationControl = AuthorizationControl.NAMED;
 		this.federationSets = new ArrayList<String>();
-		this.federationStrategy = FederationStrategy.FEDERATE_THIS;		
+		this.federationStrategy = FederationStrategy.FEDERATE_THIS;	
+		this.projectPath = StringUtils.getFirstPathElement(name);
 	}
 	
 	public List<String> getLocalBranches() {
@@ -175,8 +176,8 @@ public class RepositoryModel implements Serializable, Comparable<RepositoryModel
 		clone.projectPath = StringUtils.getFirstPathElement(cloneName);
 		clone.isBare = true;
 		clone.description = description;
-		clone.accessRestriction = accessRestriction;
-		clone.authorizationControl = authorizationControl;
+		clone.accessRestriction = AccessRestrictionType.PUSH;
+		clone.authorizationControl = AuthorizationControl.NAMED;
 		clone.federationStrategy = federationStrategy;
 		clone.showReadme = showReadme;
 		clone.showRemoteBranches = false;
diff --git a/src/com/gitblit/models/TeamModel.java b/src/com/gitblit/models/TeamModel.java
index 3d176e59..d185b9d6 100644
--- a/src/com/gitblit/models/TeamModel.java
+++ b/src/com/gitblit/models/TeamModel.java
@@ -18,10 +18,16 @@ package com.gitblit.models;
 import java.io.Serializable;
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
 
+import com.gitblit.Constants.AccessPermission;
+import com.gitblit.Constants.AccessRestrictionType;
+import com.gitblit.Constants.Unused;
+
 /**
  * TeamModel is a serializable model class that represents a group of users and
  * a list of accessible repositories.
@@ -36,7 +42,10 @@ public class TeamModel implements Serializable, Comparable<TeamModel> {
 	// field names are reflectively mapped in EditTeam page
 	public String name;
 	public final Set<String> users = new HashSet<String>();
+	// retained for backwards-compatibility with RPC clients
+	@Deprecated
 	public final Set<String> repositories = new HashSet<String>();
+	public final Map<String, AccessPermission> permissions = new HashMap<String, AccessPermission>();
 	public final Set<String> mailingLists = new HashSet<String>();
 	public final List<String> preReceiveScripts = new ArrayList<String>();
 	public final List<String> postReceiveScripts = new ArrayList<String>();
@@ -45,24 +54,136 @@ public class TeamModel implements Serializable, Comparable<TeamModel> {
 		this.name = name;
 	}
 
+	/**
+	 * @use hasRepositoryPermission
+	 * @param name
+	 * @return
+	 */
+	@Deprecated
+	@Unused
 	public boolean hasRepository(String name) {
-		return repositories.contains(name.toLowerCase());
+		return hasRepositoryPermission(name);
 	}
 
+	@Deprecated
+	@Unused
 	public void addRepository(String name) {
-		repositories.add(name.toLowerCase());
+		addRepositoryPermission(name);
 	}
 	
+	@Deprecated
+	@Unused
 	public void addRepositories(Collection<String> names) {
-		for (String name:names) {
-			repositories.add(name.toLowerCase());
-		}
-	}	
+		addRepositoryPermissions(names);
+	}
 
+	@Deprecated
+	@Unused
 	public void removeRepository(String name) {
-		repositories.remove(name.toLowerCase());
+		removeRepositoryPermission(name);
+	}
+	
+	/**
+	 * Returns true if the team has any type of specified access permission for
+	 * this repository.
+	 * 
+	 * @param name
+	 * @return true if team has a specified access permission for the repository
+	 */
+	public boolean hasRepositoryPermission(String name) {
+		String repository = AccessPermission.repositoryFromRole(name).toLowerCase();
+		return permissions.containsKey(repository) || repositories.contains(repository);
 	}
 	
+	/**
+	 * Adds a repository permission to the team.
+	 * <p>
+	 * Role may be formatted as:
+	 * <ul>
+	 * <li> myrepo.git <i>(this is implicitly RW+)</i>
+	 * <li> RW+:myrepo.git
+	 * </ul>
+	 * @param role
+	 */
+	public void addRepositoryPermission(String role) {
+		AccessPermission permission = AccessPermission.permissionFromRole(role);
+		String repository = AccessPermission.repositoryFromRole(role).toLowerCase();
+		repositories.add(repository);
+		permissions.put(repository, permission);
+	}
+
+	public void addRepositoryPermissions(Collection<String> roles) {
+		for (String role:roles) {
+			addRepositoryPermission(role);
+		}
+	}
+	
+	public AccessPermission removeRepositoryPermission(String name) {
+		String repository = AccessPermission.repositoryFromRole(name).toLowerCase();
+		repositories.remove(repository);
+		return permissions.remove(repository);
+	}
+	
+	public void setRepositoryPermission(String repository, AccessPermission permission) {
+		permissions.put(repository.toLowerCase(), permission);
+		repositories.add(repository.toLowerCase());
+	}
+	
+	public AccessPermission getRepositoryPermission(RepositoryModel repository) {
+		AccessPermission permission = AccessPermission.NONE;
+		if (permissions.containsKey(repository.name.toLowerCase())) {
+			AccessPermission p = permissions.get(repository.name.toLowerCase());
+			if (p != null) {
+				permission = p;
+			}
+		}
+		return permission;
+	}
+	
+	private boolean canAccess(RepositoryModel repository, AccessRestrictionType ifRestriction, AccessPermission requirePermission) {
+		if (repository.accessRestriction.atLeast(ifRestriction)) {
+			AccessPermission permission = getRepositoryPermission(repository);
+			return permission.atLeast(requirePermission);
+		}
+		return true;
+	}
+	
+	public boolean canView(RepositoryModel repository) {
+		return canAccess(repository, AccessRestrictionType.VIEW, AccessPermission.VIEW);
+	}
+
+	public boolean canClone(RepositoryModel repository) {
+		return canAccess(repository, AccessRestrictionType.CLONE, AccessPermission.CLONE);
+	}
+
+	public boolean canPush(RepositoryModel repository) {
+		if (repository.isFrozen) {
+			return false;
+		}
+		return canAccess(repository, AccessRestrictionType.PUSH, AccessPermission.PUSH);
+	}
+
+	public boolean canCreateRef(RepositoryModel repository) {
+		if (repository.isFrozen) {
+			return false;
+		}
+		return canAccess(repository, AccessRestrictionType.PUSH, AccessPermission.CREATE);
+	}
+
+	public boolean canDeleteRef(RepositoryModel repository) {
+		if (repository.isFrozen) {
+			return false;
+		}
+		return canAccess(repository, AccessRestrictionType.PUSH, AccessPermission.DELETE);
+	}
+
+	public boolean canRewindRef(RepositoryModel repository) {
+		if (repository.isFrozen) {
+			return false;
+		}
+		return canAccess(repository, AccessRestrictionType.PUSH, AccessPermission.REWIND);
+	}
+
 	public boolean hasUser(String name) {
 		return users.contains(name.toLowerCase());
 	}
diff --git a/src/com/gitblit/models/UserModel.java b/src/com/gitblit/models/UserModel.java
index 94bd055d..ee730257 100644
--- a/src/com/gitblit/models/UserModel.java
+++ b/src/com/gitblit/models/UserModel.java
@@ -17,11 +17,15 @@ package com.gitblit.models;
 
 import java.io.Serializable;
 import java.security.Principal;
+import java.util.HashMap;
 import java.util.HashSet;
+import java.util.Map;
 import java.util.Set;
 
+import com.gitblit.Constants.AccessPermission;
 import com.gitblit.Constants.AccessRestrictionType;
 import com.gitblit.Constants.AuthorizationControl;
+import com.gitblit.Constants.Unused;
 import com.gitblit.utils.StringUtils;
 
 /**
@@ -48,7 +52,10 @@ public class UserModel implements Principal, Serializable, Comparable<UserModel>
 	public boolean canFork;
 	public boolean canCreate;
 	public boolean excludeFromFederation;
+	// retained for backwards-compatibility with RPC clients
+	@Deprecated
 	public final Set<String> repositories = new HashSet<String>();
+	public final Map<String, AccessPermission> permissions = new HashMap<String, AccessPermission>();
 	public final Set<TeamModel> teams = new HashSet<TeamModel>();
 
 	// non-persisted fields
@@ -77,6 +84,8 @@ public class UserModel implements Principal, Serializable, Comparable<UserModel>
 				|| hasTeamAccess(repositoryName);
 	}
 
+	@Deprecated
+	@Unused
 	public boolean canAccessRepository(RepositoryModel repository) {
 		boolean isOwner = !StringUtils.isEmpty(repository.owner)
 				&& repository.owner.equals(username);
@@ -85,62 +94,170 @@ public class UserModel implements Principal, Serializable, Comparable<UserModel>
 				|| hasTeamAccess(repository.name) || allowAuthenticated;
 	}
 
+	@Deprecated
+	@Unused
 	public boolean hasTeamAccess(String repositoryName) {
 		for (TeamModel team : teams) {
-			if (team.hasRepository(repositoryName)) {
+			if (team.hasRepositoryPermission(repositoryName)) {
 				return true;
 			}
 		}
 		return false;
 	}
 	
-	public boolean canViewRepository(RepositoryModel repository) {
-		if (canAdmin) {
-			return true;
+	@Deprecated
+	@Unused
+	public boolean hasRepository(String name) {
+		return hasRepositoryPermission(name);
+	}
+
+	@Deprecated
+	@Unused
+	public void addRepository(String name) {
+		addRepositoryPermission(name);
+	}
+
+	@Deprecated
+	@Unused
+	public void removeRepository(String name) {
+		removeRepositoryPermission(name);
+	}
+	
+	/**
+	 * Returns true if the user has any type of specified access permission for
+	 * this repository.
+	 * 
+	 * @param name
+	 * @return true if user has a specified access permission for the repository
+	 */
+	public boolean hasRepositoryPermission(String name) {
+		String repository = AccessPermission.repositoryFromRole(name).toLowerCase();
+		return permissions.containsKey(repository) || repositories.contains(repository);
+	}
+	
+	/**
+	 * Adds a repository permission to the team.
+	 * <p>
+	 * Role may be formatted as:
+	 * <ul>
+	 * <li> myrepo.git <i>(this is implicitly RW+)</i>
+	 * <li> RW+:myrepo.git
+	 * </ul>
+	 * @param role
+	 */
+	public void addRepositoryPermission(String role) {
+		AccessPermission permission = AccessPermission.permissionFromRole(role);
+		String repository = AccessPermission.repositoryFromRole(role).toLowerCase();
+		repositories.add(repository);
+		permissions.put(repository, permission);
+	}
+	
+	public AccessPermission removeRepositoryPermission(String name) {
+		String repository = AccessPermission.repositoryFromRole(name).toLowerCase();
+		repositories.remove(repository);
+		return permissions.remove(repository);
+	}
+		
+	public void setRepositoryPermission(String repository, AccessPermission permission) {
+		permissions.put(repository.toLowerCase(), permission);
+	}
+
+	public AccessPermission getRepositoryPermission(RepositoryModel repository) {
+		if (canAdmin || repository.isOwner(username) || repository.isUsersPersonalRepository(username)) {
+			return AccessPermission.REWIND;
+		}
+		if (AuthorizationControl.AUTHENTICATED.equals(repository.authorizationControl) && isAuthenticated) {
+			// AUTHENTICATED is a shortcut for authorizing all logged-in users RW access
+			return AccessPermission.REWIND;
 		}
-		if (repository.accessRestriction.atLeast(AccessRestrictionType.VIEW)) {
-			return canAccessRepository(repository);
+		
+		// determine best permission available based on user's personal permissions
+		// and the permissions of teams of which the user belongs
+		AccessPermission permission = AccessPermission.NONE;
+		if (permissions.containsKey(repository.name.toLowerCase())) {
+			AccessPermission p = permissions.get(repository.name.toLowerCase());
+			if (p != null) {
+				permission = p;
+			}
+		}
+		
+		for (TeamModel team : teams) {
+			AccessPermission p = team.getRepositoryPermission(repository);
+			if (permission == null || p.exceeds(permission)) {
+				// use team permission
+				permission = p;
+			}
+		}
+		return permission;
+	}
+	
+	private boolean canAccess(RepositoryModel repository, AccessRestrictionType ifRestriction, AccessPermission requirePermission) {
+		if (repository.accessRestriction.atLeast(ifRestriction)) {
+			AccessPermission permission = getRepositoryPermission(repository);
+			return permission.atLeast(requirePermission);
 		}
 		return true;
 	}
 	
-	public boolean canForkRepository(RepositoryModel repository) {
-		if (canAdmin) {
-			return true;
+	public boolean canView(RepositoryModel repository) {
+		return canAccess(repository, AccessRestrictionType.VIEW, AccessPermission.VIEW);
+	}
+
+	public boolean canClone(RepositoryModel repository) {
+		return canAccess(repository, AccessRestrictionType.CLONE, AccessPermission.CLONE);
+	}
+
+	public boolean canPush(RepositoryModel repository) {
+		if (repository.isFrozen) {
+			return false;
+		}
+		return canAccess(repository, AccessRestrictionType.PUSH, AccessPermission.PUSH);
+	}
+
+	public boolean canCreateRef(RepositoryModel repository) {
+		if (repository.isFrozen) {
+			return false;
 		}
-		if (!canFork) {
-			// user has been prohibited from forking
+		return canAccess(repository, AccessRestrictionType.PUSH, AccessPermission.CREATE);
+	}
+
+	public boolean canDeleteRef(RepositoryModel repository) {
+		if (repository.isFrozen) {
 			return false;
 		}
-		if (!isAuthenticated) {
-			// unauthenticated user model
+		return canAccess(repository, AccessRestrictionType.PUSH, AccessPermission.DELETE);
+	}
+
+	public boolean canRewindRef(RepositoryModel repository) {
+		if (repository.isFrozen) {
 			return false;
 		}
-		if (("~" + username).equalsIgnoreCase(repository.projectPath)) {
-			// this repository is already a personal repository
+		return canAccess(repository, AccessRestrictionType.PUSH, AccessPermission.REWIND);
+	}
+
+	public boolean canFork(RepositoryModel repository) {
+		if (repository.isUsersPersonalRepository(username)) {
+			// can not fork your own repository
 			return false;
 		}
+		if (canAdmin || repository.isOwner(username)) {
+			return true;
+		}
 		if (!repository.allowForks) {
-			// repository prohibits forks
 			return false;
 		}
-		if (repository.accessRestriction.atLeast(AccessRestrictionType.CLONE)) {
-			return canAccessRepository(repository);
+		if (!isAuthenticated || !canFork) {
+			return false;
 		}
-		// repository is not clone-restricted
-		return true;
-	}
-
-	public boolean hasRepository(String name) {
-		return repositories.contains(name.toLowerCase());
+		return canClone(repository);
 	}
-
-	public void addRepository(String name) {
-		repositories.add(name.toLowerCase());
+	
+	public boolean canDelete(RepositoryModel model) {
+		return canAdmin || model.isUsersPersonalRepository(username);
 	}
-
-	public void removeRepository(String name) {
-		repositories.remove(name.toLowerCase());
+	
+	public boolean canEdit(RepositoryModel model) {
+		return canAdmin || model.isUsersPersonalRepository(username) || model.isOwner(username);
 	}
 
 	public boolean isTeamMember(String teamname) {
diff --git a/src/com/gitblit/utils/JsonUtils.java b/src/com/gitblit/utils/JsonUtils.java
index bc9a1e00..24f4ecb8 100644
--- a/src/com/gitblit/utils/JsonUtils.java
+++ b/src/com/gitblit/utils/JsonUtils.java
@@ -32,6 +32,7 @@ import java.util.Locale;
 import java.util.Map;
 import java.util.TimeZone;
 
+import com.gitblit.Constants.AccessPermission;
 import com.gitblit.GitBlitException.ForbiddenException;
 import com.gitblit.GitBlitException.NotAllowedException;
 import com.gitblit.GitBlitException.UnauthorizedException;
@@ -266,6 +267,7 @@ public class JsonUtils {
 	public static Gson gson(ExclusionStrategy... strategies) {
 		GsonBuilder builder = new GsonBuilder();
 		builder.registerTypeAdapter(Date.class, new GmtDateTypeAdapter());
+		builder.registerTypeAdapter(AccessPermission.class, new AccessPermissionTypeAdapter());
 		builder.setPrettyPrinting();
 		if (!ArrayUtils.isEmpty(strategies)) {
 			builder.setExclusionStrategies(strategies);
@@ -303,6 +305,24 @@ public class JsonUtils {
 			}
 		}
 	}
+	
+	private static class AccessPermissionTypeAdapter implements JsonSerializer<AccessPermission>, JsonDeserializer<AccessPermission> {
+
+		private AccessPermissionTypeAdapter() {
+		}
+
+		@Override
+		public synchronized JsonElement serialize(AccessPermission permission, Type type,
+				JsonSerializationContext jsonSerializationContext) {
+			return new JsonPrimitive(permission.code);
+		}
+
+		@Override
+		public synchronized AccessPermission deserialize(JsonElement jsonElement, Type type,
+				JsonDeserializationContext jsonDeserializationContext) {
+			return AccessPermission.fromCode(jsonElement.getAsString());					
+		}
+	}
 
 	public static class ExcludeField implements ExclusionStrategy {
 
diff --git a/src/com/gitblit/wicket/pages/BasePage.java b/src/com/gitblit/wicket/pages/BasePage.java
index 00d9677f..cce323fd 100644
--- a/src/com/gitblit/wicket/pages/BasePage.java
+++ b/src/com/gitblit/wicket/pages/BasePage.java
@@ -297,7 +297,7 @@ public abstract class BasePage extends WebPage {
 			for (ProjectModel projectModel : availableModels) {
 				for (String repositoryName : projectModel.repositories) {
 					for (TeamModel teamModel : teamModels) {
-						if (teamModel.hasRepository(repositoryName)) {
+						if (teamModel.hasRepositoryPermission(repositoryName)) {
 							models.add(projectModel);
 						}
 					}
diff --git a/src/com/gitblit/wicket/pages/ForkPage.java b/src/com/gitblit/wicket/pages/ForkPage.java
index 082dab51..340bd823 100644
--- a/src/com/gitblit/wicket/pages/ForkPage.java
+++ b/src/com/gitblit/wicket/pages/ForkPage.java
@@ -40,7 +40,7 @@ public class ForkPage extends RepositoryPage {
 
 		RepositoryModel repository = getRepositoryModel();
 		UserModel user = session.getUser();
-		boolean canFork = user.canForkRepository(repository);
+		boolean canFork = user.canFork(repository);
 
 		if (!canFork) {
 			// redirect to the summary page if this repository is not empty
diff --git a/src/com/gitblit/wicket/pages/ForksPage.java b/src/com/gitblit/wicket/pages/ForksPage.java
index 2e67e2b7..6155f3ed 100644
--- a/src/com/gitblit/wicket/pages/ForksPage.java
+++ b/src/com/gitblit/wicket/pages/ForksPage.java
@@ -94,7 +94,7 @@ public class ForksPage extends RepositoryPage {
 				if (user == null) {
 					user = UserModel.ANONYMOUS;
 				}
-				if (user.canViewRepository(repository)) {
+				if (user.canView(repository)) {
 					if (pageRepository.equals(repository)) {
 						// do not link to self
 						item.add(new Label("aFork", StringUtils.stripDotGit(repo)));
diff --git a/src/com/gitblit/wicket/pages/RepositoryPage.java b/src/com/gitblit/wicket/pages/RepositoryPage.java
index 2afc2c4d..9048eba3 100644
--- a/src/com/gitblit/wicket/pages/RepositoryPage.java
+++ b/src/com/gitblit/wicket/pages/RepositoryPage.java
@@ -209,7 +209,7 @@ public abstract class RepositoryPage extends BasePage {
 			if (origin == null) {
 				// no origin repository
 				add(new Label("originRepository").setVisible(false));
-			} else if (!user.canViewRepository(origin)) {
+			} else if (!user.canView(origin)) {
 				// show origin repository without link
 				Fragment forkFrag = new Fragment("originRepository", "originFragment", this);
 				forkFrag.add(new Label("originRepository", StringUtils.stripDotGit(model.originRepository)));
@@ -242,7 +242,7 @@ public abstract class RepositoryPage extends BasePage {
 		} else {
 			String fork = GitBlit.self().getFork(user.username, model.name);
 			boolean hasFork = fork != null;
-			boolean canFork = user.canForkRepository(model);
+			boolean canFork = user.canFork(model);
 
 			if (hasFork || !canFork) {
 				// user not allowed to fork or fork already exists or repo forbids forking
diff --git a/src/com/gitblit/wicket/pages/RootPage.java b/src/com/gitblit/wicket/pages/RootPage.java
index 1e6f130c..adcd7b16 100644
--- a/src/com/gitblit/wicket/pages/RootPage.java
+++ b/src/com/gitblit/wicket/pages/RootPage.java
@@ -418,7 +418,7 @@ public abstract class RootPage extends BasePage {
 			// brute-force our way through finding the matching models
 			for (RepositoryModel repositoryModel : availableModels) {
 				for (TeamModel teamModel : teamModels) {
-					if (teamModel.hasRepository(repositoryModel.name)) {
+					if (teamModel.hasRepositoryPermission(repositoryModel.name)) {
 						models.add(repositoryModel);
 					}
 				}
diff --git a/tests/com/gitblit/tests/FederationTests.java b/tests/com/gitblit/tests/FederationTests.java
index 2c4ffdc9..c8f686ad 100644
--- a/tests/com/gitblit/tests/FederationTests.java
+++ b/tests/com/gitblit/tests/FederationTests.java
@@ -136,7 +136,7 @@ public class FederationTests {
 		
 		TeamModel team = new TeamModel("testteam");
 		team.addUser("test");
-		team.addRepository("helloworld.git");
+		team.addRepositoryPermission("helloworld.git");
 		assertTrue(RpcUtils.createTeam(team, url, account, password.toCharArray()));
 		
 		users = FederationUtils.getUsers(getRegistration());
diff --git a/tests/com/gitblit/tests/GitBlitSuite.java b/tests/com/gitblit/tests/GitBlitSuite.java
index 07c5e08e..22bcf137 100644
--- a/tests/com/gitblit/tests/GitBlitSuite.java
+++ b/tests/com/gitblit/tests/GitBlitSuite.java
@@ -49,7 +49,7 @@ import com.gitblit.utils.JGitUtils;
 @RunWith(Suite.class)
 @SuiteClasses({ ArrayUtilsTest.class, FileUtilsTest.class, TimeUtilsTest.class,
 		StringUtilsTest.class, Base64Test.class, JsonUtilsTest.class, ByteFormatTest.class,
-		ObjectCacheTest.class, UserServiceTest.class, LdapUserServiceTest.class,
+		ObjectCacheTest.class, PermissionsTest.class, UserServiceTest.class, LdapUserServiceTest.class,
 		MarkdownUtilsTest.class, JGitUtilsTest.class, SyndicationUtilsTest.class,
 		DiffUtilsTest.class, MetricUtilsTest.class, TicgitUtilsTest.class,
 		GitBlitTest.class, FederationTests.class, RpcTests.class, GitServletTest.class,
diff --git a/tests/com/gitblit/tests/GitBlitTest.java b/tests/com/gitblit/tests/GitBlitTest.java
index 418f9384..a188f180 100644
--- a/tests/com/gitblit/tests/GitBlitTest.java
+++ b/tests/com/gitblit/tests/GitBlitTest.java
@@ -52,20 +52,21 @@ public class GitBlitTest {
 		List<String> users = GitBlit.self().getAllUsernames();
 		assertTrue("No users found!", users.size() > 0);
 		assertTrue("Admin not found", users.contains("admin"));
-		UserModel model = GitBlit.self().getUserModel("admin");
-		assertEquals("admin", model.toString());
-		assertTrue("Admin missing #admin role!", model.canAdmin);
-		model.canAdmin = false;
-		assertFalse("Admin should not have #admin!", model.canAdmin);
+		UserModel user = GitBlit.self().getUserModel("admin");
+		assertEquals("admin", user.toString());
+		assertTrue("Admin missing #admin role!", user.canAdmin);
+		user.canAdmin = false;
+		assertFalse("Admin should not have #admin!", user.canAdmin);
 		String repository = GitBlitSuite.getHelloworldRepository().getDirectory().getName();
 		RepositoryModel repositoryModel = GitBlit.self().getRepositoryModel(repository);
+		repositoryModel.accessRestriction = AccessRestrictionType.VIEW;
 		assertFalse("Admin can still access repository!",
-				model.canAccessRepository(repositoryModel));
-		model.addRepository(repository);
-		assertTrue("Admin can't access repository!", model.canAccessRepository(repositoryModel));
-		assertEquals(GitBlit.self().getRepositoryModel(model, "pretend"), null);
-		assertNotNull(GitBlit.self().getRepositoryModel(model, repository));
-		assertTrue(GitBlit.self().getRepositoryModels(model).size() > 0);
+				user.canView(repositoryModel));
+		user.addRepositoryPermission(repository);
+		assertTrue("Admin can't access repository!", user.canView(repositoryModel));
+		assertEquals(GitBlit.self().getRepositoryModel(user, "pretend"), null);
+		assertNotNull(GitBlit.self().getRepositoryModel(user, repository));
+		assertTrue(GitBlit.self().getRepositoryModels(user).size() > 0);
 	}
 
 	@Test
diff --git a/tests/com/gitblit/tests/GitServletTest.java b/tests/com/gitblit/tests/GitServletTest.java
index bdbb2a5a..09e0e5ad 100644
--- a/tests/com/gitblit/tests/GitServletTest.java
+++ b/tests/com/gitblit/tests/GitServletTest.java
@@ -13,18 +13,28 @@ import java.util.concurrent.atomic.AtomicBoolean;
 
 import org.eclipse.jgit.api.CloneCommand;
 import org.eclipse.jgit.api.Git;
+import org.eclipse.jgit.api.ResetCommand.ResetType;
+import org.eclipse.jgit.api.errors.GitAPIException;
 import org.eclipse.jgit.lib.Constants;
+import org.eclipse.jgit.revwalk.RevCommit;
+import org.eclipse.jgit.transport.CredentialsProvider;
+import org.eclipse.jgit.transport.PushResult;
+import org.eclipse.jgit.transport.RefSpec;
+import org.eclipse.jgit.transport.RemoteRefUpdate;
+import org.eclipse.jgit.transport.RemoteRefUpdate.Status;
 import org.eclipse.jgit.transport.UsernamePasswordCredentialsProvider;
 import org.eclipse.jgit.util.FileUtils;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
 
+import com.gitblit.Constants.AccessPermission;
 import com.gitblit.Constants.AccessRestrictionType;
 import com.gitblit.Constants.AuthorizationControl;
 import com.gitblit.GitBlit;
 import com.gitblit.models.RepositoryModel;
 import com.gitblit.models.UserModel;
+import com.gitblit.utils.JGitUtils;
 
 public class GitServletTest {
 
@@ -233,6 +243,213 @@ public class GitServletTest {
 		}
 		close(git);
 	}
+
+	@Test
+	public void testBlockClone() throws Exception {
+		testRefChange(AccessPermission.VIEW, null, null, null);
+	}
+
+	@Test
+	public void testBlockPush() throws Exception {
+		testRefChange(AccessPermission.CLONE, null, null, null);
+	}
+
+	@Test
+	public void testBlockBranchCreation() throws Exception {
+		testRefChange(AccessPermission.PUSH, Status.REJECTED_OTHER_REASON, null, null);
+	}
+
+	@Test
+	public void testBlockBranchDeletion() throws Exception {
+		testRefChange(AccessPermission.CREATE, Status.OK, Status.REJECTED_OTHER_REASON, null);
+	}
+	
+	@Test
+	public void testBlockBranchRewind() throws Exception {
+		testRefChange(AccessPermission.DELETE, Status.OK, Status.OK, Status.REJECTED_OTHER_REASON);
+	}
+
+	@Test
+	public void testBranchRewind() throws Exception {		
+		testRefChange(AccessPermission.REWIND, Status.OK, Status.OK, Status.OK);
+	}
+
+	private void testRefChange(AccessPermission permission, Status expectedCreate, Status expectedDelete, Status expectedRewind) throws Exception {
+
+		UserModel user = new UserModel("james");
+		user.password = "james";
+		
+		if (GitBlit.self().getUserModel(user.username) != null) {
+			GitBlit.self().deleteUser(user.username);
+		}
+		
+		CredentialsProvider cp = new UsernamePasswordCredentialsProvider(user.username, user.password);
+		
+		// fork from original to a temporary bare repo
+		File refChecks = new File(GitBlitSuite.REPOSITORIES, "refchecks/ticgit.git");
+		if (refChecks.exists()) {
+			FileUtils.delete(refChecks, FileUtils.RECURSIVE);
+		}
+		CloneCommand clone = Git.cloneRepository();
+		clone.setURI(MessageFormat.format("{0}/git/ticgit.git", url));
+		clone.setDirectory(refChecks);
+		clone.setBare(true);
+		clone.setCloneAllBranches(true);
+		clone.setCredentialsProvider(cp);
+		close(clone.call());
+
+		// elevate repository to clone permission
+		RepositoryModel model = GitBlit.self().getRepositoryModel("refchecks/ticgit.git");
+		switch (permission) {
+			case VIEW:
+				model.accessRestriction = AccessRestrictionType.CLONE;
+				break;
+			case CLONE:
+				model.accessRestriction = AccessRestrictionType.CLONE;
+				break;
+			default:
+				model.accessRestriction = AccessRestrictionType.PUSH;
+		}
+		model.authorizationControl = AuthorizationControl.NAMED;
+		
+		// grant user specified
+		user.setRepositoryPermission(model.name, permission);
+
+		GitBlit.self().updateUserModel(user.username, user, true);
+		GitBlit.self().updateRepositoryModel(model.name, model, false);
+
+		// clone temp bare repo to working copy
+		File local = new File(GitBlitSuite.REPOSITORIES, "refchecks/ticgit-wc");
+		if (local.exists()) {
+			FileUtils.delete(local, FileUtils.RECURSIVE);
+		}
+		clone = Git.cloneRepository();
+		clone.setURI(MessageFormat.format("{0}/git/{1}", url, model.name));
+		clone.setDirectory(local);
+		clone.setBare(false);
+		clone.setCloneAllBranches(true);
+		clone.setCredentialsProvider(cp);
+		
+		try {
+			close(clone.call());
+		} catch (GitAPIException e) {
+			if (permission.atLeast(AccessPermission.CLONE)) {
+				throw e;
+			} else {
+				// user does not have clone permission
+				assertTrue(e.getMessage(), e.getMessage().contains("not permitted"));				
+				return;
+			}
+		}
+		
+		Git git = Git.open(local);
+		
+		// commit a file and push it
+		File file = new File(local, "PUSHCHK");
+		OutputStreamWriter os = new OutputStreamWriter(new FileOutputStream(file, true), Constants.CHARSET);
+		BufferedWriter w = new BufferedWriter(os);
+		w.write("// " + new Date().toString() + "\n");
+		w.close();
+		git.add().addFilepattern(file.getName()).call();
+		git.commit().setMessage("push test").call();
+		Iterable<PushResult> results = null;
+		try {
+			results = git.push().setCredentialsProvider(cp).setRemote("origin").call();
+		} catch (GitAPIException e) {
+			if (permission.atLeast(AccessPermission.PUSH)) {
+				throw e;
+			} else {
+				// user does not have push permission
+				assertTrue(e.getMessage(), e.getMessage().contains("not permitted"));
+				close(git);
+				return;
+			}
+		}
+		
+		for (PushResult result : results) {
+			RemoteRefUpdate ref = result.getRemoteUpdate("refs/heads/master");
+			Status status = ref.getStatus();
+			if (permission.atLeast(AccessPermission.PUSH)) {
+				assertTrue("User failed to push commit?! " + status.name(), Status.OK.equals(status));
+			} else {
+				assertTrue("User was able to push commit! " + status.name(), Status.REJECTED_OTHER_REASON.equals(status));
+				close(git);
+				// skip delete test
+				return;
+			}
+		}
+		
+		// create a local branch and push the new branch back to the origin				
+		git.branchCreate().setName("protectme").call();
+		RefSpec refSpec = new RefSpec("refs/heads/protectme:refs/heads/protectme");
+		results = git.push().setCredentialsProvider(cp).setRefSpecs(refSpec).setRemote("origin").call();
+		for (PushResult result : results) {
+			RemoteRefUpdate ref = result.getRemoteUpdate("refs/heads/protectme");
+			Status status = ref.getStatus();
+			if (Status.OK.equals(expectedCreate)) {
+				assertTrue("User failed to push creation?! " + status.name(), status.equals(expectedCreate));
+			} else {
+				assertTrue("User was able to push ref creation! " + status.name(), status.equals(expectedCreate));
+				close(git);
+				// skip delete test
+				return;
+			}
+		}
+		
+		// delete the branch locally
+		git.branchDelete().setBranchNames("protectme").call();
+		
+		// push a delete ref command
+		refSpec = new RefSpec(":refs/heads/protectme");
+		results = git.push().setCredentialsProvider(cp).setRefSpecs(refSpec).setRemote("origin").call();
+		for (PushResult result : results) {
+			RemoteRefUpdate ref = result.getRemoteUpdate("refs/heads/protectme");
+			Status status = ref.getStatus();
+			if (Status.OK.equals(expectedDelete)) {
+				assertTrue("User failed to push ref deletion?! " + status.name(), status.equals(Status.OK));
+			} else {
+				assertTrue("User was able to push ref deletion?! " + status.name(), status.equals(expectedDelete));
+				close(git);
+				// skip rewind test
+				return;
+			}
+		}
+		
+		// rewind master by two commits
+		git.reset().setRef("HEAD~2").setMode(ResetType.HARD).call();
+		
+		// commit a change on this detached HEAD
+		file = new File(local, "REWINDCHK");
+		os = new OutputStreamWriter(new FileOutputStream(file, true), Constants.CHARSET);
+		w = new BufferedWriter(os);
+		w.write("// " + new Date().toString() + "\n");
+		w.close();
+		git.add().addFilepattern(file.getName()).call();
+		RevCommit commit = git.commit().setMessage("rewind master and new commit").call();
+		
+		// Reset master to our new commit now we our local branch tip is no longer
+		// upstream of the remote branch tip.  It is an alternate tip of the branch.
+		JGitUtils.setBranchRef(git.getRepository(), "refs/heads/master", commit.getName());
+		
+		// Try pushing our new tip to the origin.
+		// This requires the server to "rewind" it's master branch and update it
+		// to point to our alternate tip.  This leaves the original master tip
+		// unreferenced.
+		results = git.push().setCredentialsProvider(cp).setRemote("origin").setForce(true).call();
+		for (PushResult result : results) {
+			RemoteRefUpdate ref = result.getRemoteUpdate("refs/heads/master");
+			Status status = ref.getStatus();
+			if (Status.OK.equals(expectedRewind)) {
+				assertTrue("User failed to rewind master?! " + status.name(), status.equals(expectedRewind));
+			} else {
+				assertTrue("User was able to rewind master?! " + status.name(), status.equals(expectedRewind));
+			}
+		}
+		close(git);
+		
+		GitBlit.self().deleteUser(user.username);
+	}
+
 	
 	private void close(Git git) {
 		// really close the repository
diff --git a/tests/com/gitblit/tests/JGitUtilsTest.java b/tests/com/gitblit/tests/JGitUtilsTest.java
index f4870461..7e4d6309 100644
--- a/tests/com/gitblit/tests/JGitUtilsTest.java
+++ b/tests/com/gitblit/tests/JGitUtilsTest.java
@@ -35,6 +35,7 @@ import org.eclipse.jgit.lib.FileMode;
 import org.eclipse.jgit.lib.ObjectId;
 import org.eclipse.jgit.lib.PersonIdent;
 import org.eclipse.jgit.lib.Repository;
+import org.eclipse.jgit.lib.RepositoryCache;
 import org.eclipse.jgit.lib.RepositoryCache.FileKey;
 import org.eclipse.jgit.revwalk.RevCommit;
 import org.eclipse.jgit.revwalk.RevTree;
@@ -141,7 +142,8 @@ public class JGitUtilsTest {
 			assertEquals(folder.lastModified(), JGitUtils.getLastChange(repository).getTime());
 			assertNull(JGitUtils.getCommit(repository, null));
 			repository.close();
-			assertTrue(GitBlit.self().deleteRepository(repositoryName));
+			RepositoryCache.close(repository);
+			FileUtils.delete(repository.getDirectory(), FileUtils.RECURSIVE);
 		}
 	}
 
diff --git a/tests/com/gitblit/tests/PermissionsTest.java b/tests/com/gitblit/tests/PermissionsTest.java
new file mode 100644
index 00000000..cb9925e8
--- /dev/null
+++ b/tests/com/gitblit/tests/PermissionsTest.java
@@ -0,0 +1,2391 @@
+/*
+ * Copyright 2012 gitblit.com.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gitblit.tests;
+
+import java.util.Date;
+
+import junit.framework.Assert;
+
+import org.junit.Test;
+
+import com.gitblit.Constants.AccessPermission;
+import com.gitblit.Constants.AccessRestrictionType;
+import com.gitblit.Constants.AuthorizationControl;
+import com.gitblit.models.RepositoryModel;
+import com.gitblit.models.TeamModel;
+import com.gitblit.models.UserModel;
+
+/**
+ * Comprehensive, brute-force test of all permutations of discrete permissions.
+ * 
+ * @author James Moger
+ *
+ */
+public class PermissionsTest extends Assert {
+
+	/**
+	 * Admin access rights/permissions
+	 */
+	@Test
+	public void testAdmin() throws Exception {
+		UserModel user = new UserModel("admin");
+		user.canAdmin = true;
+		
+		for (AccessRestrictionType ar : AccessRestrictionType.values()) {
+			RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+			repository.authorizationControl = AuthorizationControl.NAMED;
+			repository.accessRestriction = ar;
+				
+			assertTrue("admin CAN NOT view!", user.canView(repository));
+			assertTrue("admin CAN NOT clone!", user.canClone(repository));
+			assertTrue("admin CAN NOT push!", user.canPush(repository));
+			
+			assertTrue("admin CAN NOT create ref!", user.canCreateRef(repository));
+			assertTrue("admin CAN NOT delete ref!", user.canDeleteRef(repository));
+			assertTrue("admin CAN NOT rewind ref!", user.canRewindRef(repository));
+			
+			assertTrue("admin CAN NOT fork!", user.canFork(repository));
+			
+			assertTrue("admin CAN NOT delete!", user.canDelete(repository));
+			assertTrue("admin CAN NOT edit!", user.canEdit(repository));
+		}
+	}
+	
+	/**
+	 * Anonymous access rights/permissions 
+	 */
+	@Test
+	public void testAnonymous_NONE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.NONE;
+		
+		UserModel user = UserModel.ANONYMOUS;
+		
+		// all permissions, except fork
+		assertTrue("anonymous CAN NOT view!", user.canView(repository));
+		assertTrue("anonymous CAN NOT clone!", user.canClone(repository));
+		assertTrue("anonymous CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("anonymous CAN NOT create ref!", user.canCreateRef(repository));
+		assertTrue("anonymous CAN NOT delete ref!", user.canDeleteRef(repository));
+		assertTrue("anonymous CAN NOT rewind ref!", user.canRewindRef(repository));
+
+		repository.allowForks = false;
+		assertFalse("anonymous CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertFalse("anonymous CAN fork!", user.canFork(repository));
+		
+		assertFalse("anonymous CAN delete!", user.canDelete(repository));
+		assertFalse("anonymous CAN edit!", user.canEdit(repository));
+	}
+	
+	@Test
+	public void testAnonymous_PUSH() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.PUSH;
+
+		UserModel user = UserModel.ANONYMOUS;
+
+		assertTrue("anonymous CAN NOT view!", user.canView(repository));
+		assertTrue("anonymous CAN NOT clone!", user.canClone(repository));
+		assertFalse("anonymous CAN push!", user.canPush(repository));
+		
+		assertFalse("anonymous CAN create ref!", user.canCreateRef(repository));
+		assertFalse("anonymous CAN delete ref!", user.canDeleteRef(repository));
+		assertFalse("anonymous CAN rewind ref!", user.canRewindRef(repository));
+		
+		repository.allowForks = false;
+		assertFalse("anonymous CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertFalse("anonymous CAN fork!", user.canFork(repository));
+	}
+	
+	@Test
+	public void testAnonymous_CLONE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.CLONE;
+
+		UserModel user = UserModel.ANONYMOUS;
+
+		assertTrue("anonymous CAN NOT view!", user.canView(repository));
+		assertFalse("anonymous CAN clone!", user.canClone(repository));
+		assertFalse("anonymous CAN push!", user.canPush(repository));
+		
+		assertFalse("anonymous CAN create ref!", user.canCreateRef(repository));
+		assertFalse("anonymous CAN delete ref!", user.canDeleteRef(repository));
+		assertFalse("anonymous CAN rewind ref!", user.canRewindRef(repository));
+
+		repository.allowForks = false;
+		assertFalse("anonymous CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertFalse("anonymous CAN fork!", user.canFork(repository));
+	}
+	
+	@Test
+	public void testAnonymous_VIEW() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.VIEW;
+		
+		UserModel user = UserModel.ANONYMOUS;
+
+		assertFalse("anonymous CAN view!", user.canView(repository));
+		assertFalse("anonymous CAN clone!", user.canClone(repository));
+		assertFalse("anonymous CAN push!", user.canPush(repository));
+		
+		assertFalse("anonymous CAN create ref!", user.canCreateRef(repository));
+		assertFalse("anonymous CAN delete ref!", user.canDeleteRef(repository));
+		assertFalse("anonymous CAN rewind ref!", user.canRewindRef(repository));
+
+		repository.allowForks = false;
+		assertFalse("anonymous CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertFalse("anonymous CAN fork!", user.canFork(repository));
+	}
+	
+	/**
+	 * Authenticated access rights/permissions 
+	 */
+	@Test
+	public void testAuthenticated_NONE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.AUTHENTICATED;
+		repository.accessRestriction = AccessRestrictionType.NONE;
+		
+		UserModel user = new UserModel("test");
+		
+		// all permissions, except fork
+		assertTrue("authenticated CAN NOT view!", user.canView(repository));
+		assertTrue("authenticated CAN NOT clone!", user.canClone(repository));
+		assertTrue("authenticated CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("authenticated CAN NOT create ref!", user.canCreateRef(repository));
+		assertTrue("authenticated CAN NOT delete ref!", user.canDeleteRef(repository));
+		assertTrue("authenticated CAN NOT rewind ref!", user.canRewindRef(repository));
+
+		user.canFork = false;
+		repository.allowForks = false;
+		assertFalse("authenticated CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertFalse("authenticated CAN fork!", user.canFork(repository));
+		user.canFork = true;
+		assertTrue("authenticated CAN NOT fork!", user.canFork(repository));
+		
+		assertFalse("authenticated CAN delete!", user.canDelete(repository));
+		assertFalse("authenticated CAN edit!", user.canEdit(repository));
+	}
+
+	@Test
+	public void testAuthenticated_PUSH() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.AUTHENTICATED;
+		repository.accessRestriction = AccessRestrictionType.PUSH;
+		
+		UserModel user = new UserModel("test");
+
+		assertTrue("authenticated CAN NOT view!", user.canView(repository));
+		assertTrue("authenticated CAN NOT clone!", user.canClone(repository));
+		assertTrue("authenticated CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("authenticated CAN NOT create ref!", user.canCreateRef(repository));
+		assertTrue("authenticated CAN NOT delete ref!", user.canDeleteRef(repository));
+		assertTrue("authenticated CAN NOT rewind ref!", user.canRewindRef(repository));
+
+		user.canFork = false;
+		repository.allowForks = false;
+		assertFalse("authenticated CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertFalse("authenticated CAN fork!", user.canFork(repository));
+		user.canFork = true;
+		assertTrue("authenticated CAN NOT fork!", user.canFork(repository));
+	}
+	
+	@Test
+	public void testAuthenticated_CLONE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.AUTHENTICATED;
+		repository.accessRestriction = AccessRestrictionType.CLONE;
+			
+		UserModel user = new UserModel("test");
+
+		assertTrue("authenticated CAN NOT view!", user.canView(repository));
+		assertTrue("authenticated CAN NOT clone!", user.canClone(repository));
+		assertTrue("authenticated CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("authenticated CAN NOT create ref!", user.canCreateRef(repository));
+		assertTrue("authenticated CAN NOT delete ref!", user.canDeleteRef(repository));
+		assertTrue("authenticated CAN NOT rewind ref!", user.canRewindRef(repository));
+
+		user.canFork = false;
+		repository.allowForks = false;
+		assertFalse("authenticated CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertFalse("authenticated CAN fork!", user.canFork(repository));
+		user.canFork = true;
+		assertTrue("authenticated CAN NOT fork!", user.canFork(repository));
+	}
+	
+	@Test
+	public void testAuthenticated_VIEW() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.AUTHENTICATED;
+		repository.accessRestriction = AccessRestrictionType.VIEW;
+			
+		UserModel user = new UserModel("test");
+
+		assertTrue("authenticated CAN NOT view!", user.canView(repository));
+		assertTrue("authenticated CAN NOT clone!", user.canClone(repository));
+		assertTrue("authenticated CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("authenticated CAN NOT create ref!", user.canCreateRef(repository));
+		assertTrue("authenticated CAN NOT delete ref!", user.canDeleteRef(repository));
+		assertTrue("authenticated CAN NOT rewind ref!", user.canRewindRef(repository));
+
+		user.canFork = false;
+		repository.allowForks = false;
+		assertFalse("authenticated CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertFalse("authenticated CAN fork!", user.canFork(repository));
+		user.canFork = true;
+		assertTrue("authenticated CAN NOT fork!", user.canFork(repository));
+	}
+	
+	/**
+	 * NONE_NONE = NO access restriction, NO access permission
+	 */
+	@Test
+	public void testNamed_NONE_NONE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.NONE;
+
+		UserModel user = new UserModel("test");
+		
+		assertTrue("named CAN NOT view!", user.canView(repository));
+		assertTrue("named CAN NOT clone!", user.canClone(repository));
+		assertTrue("named CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("named CAN NOT create ref!", user.canCreateRef(repository));
+		assertTrue("named CAN NOT delete ref!", user.canDeleteRef(repository));
+		assertTrue("named CAN NOT rewind ref!", user.canRewindRef(repository));
+		
+		repository.allowForks = false;
+		user.canFork = false;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		user.canFork = true;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertTrue("named CAN NOT fork!", user.canFork(repository));
+		
+		assertFalse("named CAN delete!", user.canDelete(repository));
+		assertFalse("named CAN edit!", user.canEdit(repository));
+	}
+	
+	/**
+	 * PUSH_NONE = PUSH access restriction, NO access permission
+	 */
+	@Test
+	public void testNamed_PUSH_NONE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.PUSH;
+		
+		UserModel user = new UserModel("test");
+		
+		assertTrue("named CAN NOT view!", user.canView(repository));
+		assertTrue("named CAN NOT clone!", user.canClone(repository));
+		assertFalse("named CAN push!", user.canPush(repository));
+		
+		assertFalse("named CAN create ref!", user.canCreateRef(repository));
+		assertFalse("named CAN delete ref!", user.canDeleteRef(repository));
+		assertFalse("named CAN rewind ref!", user.canRewindRef(repository));
+
+		repository.allowForks = false;
+		user.canFork = false;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		user.canFork = true;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertTrue("named CAN NOT fork!", user.canFork(repository));
+	}
+	
+	/**
+	 * CLONE_NONE = CLONE access restriction, NO access permission
+	 */
+	@Test
+	public void testNamed_CLONE_NONE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.CLONE;
+		
+		UserModel user = new UserModel("test");
+		
+		assertTrue("named CAN NOT view!", user.canView(repository));
+		assertFalse("named CAN clone!", user.canClone(repository));
+		assertFalse("named CAN push!", user.canPush(repository));
+		
+		assertFalse("named CAN create ref!", user.canCreateRef(repository));
+		assertFalse("named CAN delete ref!", user.canDeleteRef(repository));
+		assertFalse("named CAN rewind ref!", user.canRewindRef(repository));
+
+		repository.allowForks = false;
+		user.canFork = false;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		user.canFork = true;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertFalse("named CAN NOT fork!", user.canFork(repository));
+	}
+	
+	/**
+	 * VIEW_NONE = VIEW access restriction, NO access permission
+	 */
+	@Test
+	public void testNamed_VIEW_NONE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.VIEW;
+		
+		UserModel user = new UserModel("test");
+		
+		assertFalse("named CAN view!", user.canView(repository));
+		assertFalse("named CAN clone!", user.canClone(repository));
+		assertFalse("named CAN push!", user.canPush(repository));
+		
+		assertFalse("named CAN create ref!", user.canCreateRef(repository));
+		assertFalse("named CAN delete ref!", user.canDeleteRef(repository));
+		assertFalse("named CAN rewind ref!", user.canRewindRef(repository));
+		
+		repository.allowForks = false;
+		user.canFork = false;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		user.canFork = true;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertFalse("named CAN NOT fork!", user.canFork(repository));
+	}
+
+	
+	/**
+	 * NONE_VIEW = NO access restriction, VIEW access permission.
+	 * (not useful scenario)
+	 */
+	@Test
+	public void testNamed_NONE_VIEW() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.NONE;
+
+		UserModel user = new UserModel("test");
+		user.setRepositoryPermission(repository.name, AccessPermission.VIEW);
+		
+		assertTrue("named CAN NOT view!", user.canView(repository));
+		assertTrue("named CAN NOT clone!", user.canClone(repository));
+		assertTrue("named CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("named CAN NOT create ref!", user.canCreateRef(repository));
+		assertTrue("named CAN NOT delete ref!", user.canDeleteRef(repository));
+		assertTrue("named CAN NOT rewind ref!", user.canRewindRef(repository));
+		
+		repository.allowForks = false;
+		user.canFork = false;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		user.canFork = true;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertTrue("named CAN NOT fork!", user.canFork(repository));
+	}
+	
+	/**
+	 * PUSH_VIEW = PUSH access restriction, VIEW access permission
+	 */
+	@Test
+	public void testNamed_PUSH_VIEW() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.PUSH;
+		
+		UserModel user = new UserModel("test");
+		user.setRepositoryPermission(repository.name, AccessPermission.VIEW);
+		
+		assertTrue("named CAN NOT view!", user.canView(repository));
+		assertTrue("named CAN NOT clone!", user.canClone(repository));
+		assertFalse("named CAN push!", user.canPush(repository));
+		
+		assertFalse("named CAN create ref!", user.canCreateRef(repository));
+		assertFalse("named CAN delete ref!", user.canDeleteRef(repository));
+		assertFalse("named CAN rewind ref!", user.canRewindRef(repository));
+
+		repository.allowForks = false;
+		user.canFork = false;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		user.canFork = true;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertTrue("named CAN NOT fork!", user.canFork(repository));
+	}
+	
+	/**
+	 * CLONE_VIEW = CLONE access restriction, VIEW access permission
+	 */
+	@Test
+	public void testNamed_CLONE_VIEW() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.CLONE;
+		
+		UserModel user = new UserModel("test");
+		user.setRepositoryPermission(repository.name, AccessPermission.VIEW);
+
+		assertTrue("named CAN NOT view!", user.canView(repository));
+		assertFalse("named CAN clone!", user.canClone(repository));
+		assertFalse("named CAN push!", user.canPush(repository));
+		
+		assertFalse("named CAN create ref!", user.canCreateRef(repository));
+		assertFalse("named CAN delete ref!", user.canDeleteRef(repository));
+		assertFalse("named CAN rewind ref!", user.canRewindRef(repository));
+
+		repository.allowForks = false;
+		user.canFork = false;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		user.canFork = true;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertFalse("named CAN NOT fork!", user.canFork(repository));
+	}
+	
+	/**
+	 * VIEW_VIEW = VIEW access restriction, VIEW access permission
+	 */
+	@Test
+	public void testNamed_VIEW_VIEW() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.VIEW;
+		
+		UserModel user = new UserModel("test");
+		user.setRepositoryPermission(repository.name, AccessPermission.VIEW);
+
+		assertTrue("named CAN NOT view!", user.canView(repository));
+		assertFalse("named CAN clone!", user.canClone(repository));
+		assertFalse("named CAN push!", user.canPush(repository));
+		
+		assertFalse("named CAN create ref!", user.canCreateRef(repository));
+		assertFalse("named CAN delete ref!", user.canDeleteRef(repository));
+		assertFalse("named CAN rewind ref!", user.canRewindRef(repository));
+		
+		repository.allowForks = false;
+		user.canFork = false;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		user.canFork = true;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertFalse("named CAN NOT fork!", user.canFork(repository));
+	}
+	
+	/**
+	 * NONE_CLONE = NO access restriction, CLONE access permission.
+	 * (not useful scenario)
+	 */
+	@Test
+	public void testNamed_NONE_CLONE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.NONE;
+
+		UserModel user = new UserModel("test");
+		user.setRepositoryPermission(repository.name, AccessPermission.CLONE);
+		
+		assertTrue("named CAN NOT view!", user.canView(repository));
+		assertTrue("named CAN NOT clone!", user.canClone(repository));
+		assertTrue("named CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("named CAN NOT create ref!", user.canCreateRef(repository));
+		assertTrue("named CAN NOT delete ref!", user.canDeleteRef(repository));
+		assertTrue("named CAN NOT rewind ref!", user.canRewindRef(repository));
+		
+		repository.allowForks = false;
+		user.canFork = false;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		user.canFork = true;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertTrue("named CAN NOT fork!", user.canFork(repository));
+	}
+	
+	/**
+	 * PUSH_CLONE = PUSH access restriction, CLONE access permission
+	 */
+	@Test
+	public void testNamed_PUSH_READ() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.PUSH;
+		
+		UserModel user = new UserModel("test");
+		user.setRepositoryPermission(repository.name, AccessPermission.CLONE);
+		
+		assertTrue("named CAN NOT view!", user.canView(repository));
+		assertTrue("named CAN NOT clone!", user.canClone(repository));
+		assertFalse("named CAN push!", user.canPush(repository));
+		
+		assertFalse("named CAN create ref!", user.canCreateRef(repository));
+		assertFalse("named CAN delete ref!", user.canDeleteRef(repository));
+		assertFalse("named CAN rewind ref!", user.canRewindRef(repository));
+
+		repository.allowForks = false;
+		user.canFork = false;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		user.canFork = true;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertTrue("named CAN NOT fork!", user.canFork(repository));
+	}
+	
+	/**
+	 * CLONE_CLONE = CLONE access restriction, CLONE access permission
+	 */
+	@Test
+	public void testNamed_CLONE_CLONE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.CLONE;
+		
+		UserModel user = new UserModel("test");
+		user.setRepositoryPermission(repository.name, AccessPermission.CLONE);
+
+		assertTrue("named CAN NOT view!", user.canView(repository));
+		assertTrue("named CAN NOT clone!", user.canClone(repository));
+		assertFalse("named CAN push!", user.canPush(repository));
+		
+		assertFalse("named CAN create ref!", user.canCreateRef(repository));
+		assertFalse("named CAN delete ref!", user.canDeleteRef(repository));
+		assertFalse("named CAN rewind ref!", user.canRewindRef(repository));
+
+		repository.allowForks = false;
+		user.canFork = false;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		user.canFork = true;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertTrue("named CAN NOT fork!", user.canFork(repository));
+	}
+	
+	/**
+	 * VIEW_CLONE = VIEW access restriction, CLONE access permission
+	 */
+	@Test
+	public void testNamed_VIEW_CLONE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.VIEW;
+		
+		UserModel user = new UserModel("test");
+		user.setRepositoryPermission(repository.name, AccessPermission.CLONE);
+
+		assertTrue("named CAN NOT view!", user.canView(repository));
+		assertTrue("named CAN NOT clone!", user.canClone(repository));
+		assertFalse("named CAN push!", user.canPush(repository));
+		
+		assertFalse("named CAN create ref!", user.canCreateRef(repository));
+		assertFalse("named CAN delete ref!", user.canDeleteRef(repository));
+		assertFalse("named CAN rewind ref!", user.canRewindRef(repository));
+		
+		repository.allowForks = false;
+		user.canFork = false;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		user.canFork = true;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertTrue("named CAN NOT fork!", user.canFork(repository));
+	}	
+
+	/**
+	 * NONE_PUSH = NO access restriction, PUSH access permission.
+	 * (not useful scenario)
+	 */
+	@Test
+	public void testNamed_NONE_PUSH() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.NONE;
+
+		UserModel user = new UserModel("test");
+		user.setRepositoryPermission(repository.name, AccessPermission.PUSH);
+		
+		assertTrue("named CAN NOT view!", user.canView(repository));
+		assertTrue("named CAN NOT clone!", user.canClone(repository));
+		assertTrue("named CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("named CAN NOT create ref!", user.canCreateRef(repository));
+		assertTrue("named CAN NOT delete ref!", user.canDeleteRef(repository));
+		assertTrue("named CAN NOT rewind ref!", user.canRewindRef(repository));
+		
+		repository.allowForks = false;
+		user.canFork = false;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		user.canFork = true;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertTrue("named CAN NOT fork!", user.canFork(repository));
+	}
+	
+	/**
+	 * PUSH_PUSH = PUSH access restriction, PUSH access permission
+	 */
+	@Test
+	public void testNamed_PUSH_PUSH() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.PUSH;
+		
+		UserModel user = new UserModel("test");
+		user.setRepositoryPermission(repository.name, AccessPermission.PUSH);
+		
+		assertTrue("named CAN NOT view!", user.canView(repository));
+		assertTrue("named CAN NOT clone!", user.canClone(repository));
+		assertTrue("named CAN NOT push!", user.canPush(repository));
+		
+		assertFalse("named CAN create ref!", user.canCreateRef(repository));
+		assertFalse("named CAN delete ref!", user.canDeleteRef(repository));
+		assertFalse("named CAN rewind ref!", user.canRewindRef(repository));
+
+		repository.allowForks = false;
+		user.canFork = false;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		user.canFork = true;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertTrue("named CAN NOT fork!", user.canFork(repository));
+	}
+	
+	/**
+	 * CLONE_PUSH = CLONE access restriction, PUSH access permission
+	 */
+	@Test
+	public void testNamed_CLONE_PUSH() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.CLONE;
+		
+		UserModel user = new UserModel("test");
+		user.setRepositoryPermission(repository.name, AccessPermission.PUSH);
+
+		assertTrue("named CAN NOT view!", user.canView(repository));
+		assertTrue("named CAN NOT clone!", user.canClone(repository));
+		assertTrue("named CAN NOT push!", user.canPush(repository));
+		
+		assertFalse("named CAN create ref!", user.canCreateRef(repository));
+		assertFalse("named CAN delete red!", user.canDeleteRef(repository));
+		assertFalse("named CAN rewind ref!", user.canRewindRef(repository));
+
+		repository.allowForks = false;
+		user.canFork = false;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		user.canFork = true;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertTrue("named CAN NOT fork!", user.canFork(repository));
+	}
+	
+	/**
+	 * VIEW_PUSH = VIEW access restriction, PUSH access permission
+	 */
+	@Test
+	public void testNamed_VIEW_PUSH() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.VIEW;
+		
+		UserModel user = new UserModel("test");
+		user.setRepositoryPermission(repository.name, AccessPermission.PUSH);
+
+		assertTrue("named CAN NOT view!", user.canView(repository));
+		assertTrue("named CAN NOT clone!", user.canClone(repository));
+		assertTrue("named CAN not push!", user.canPush(repository));
+		
+		assertFalse("named CAN create ref!", user.canCreateRef(repository));
+		assertFalse("named CAN delete ref!", user.canDeleteRef(repository));
+		assertFalse("named CAN rewind ref!", user.canRewindRef(repository));
+		
+		repository.allowForks = false;
+		user.canFork = false;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		user.canFork = true;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertTrue("named CAN NOT fork!", user.canFork(repository));
+	}
+
+	/**
+	 * NONE_CREATE = NO access restriction, CREATE access permission.
+	 * (not useful scenario)
+	 */
+	@Test
+	public void testNamed_NONE_CREATE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.NONE;
+
+		UserModel user = new UserModel("test");
+		user.setRepositoryPermission(repository.name, AccessPermission.CREATE);
+		
+		assertTrue("named CAN NOT view!", user.canView(repository));
+		assertTrue("named CAN NOT clone!", user.canClone(repository));
+		assertTrue("named CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("named CAN NOT create ref!", user.canCreateRef(repository));
+		assertTrue("named CAN NOT delete ref!", user.canDeleteRef(repository));
+		assertTrue("named CAN NOT rewind ref!", user.canRewindRef(repository));
+		
+		repository.allowForks = false;
+		user.canFork = false;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		user.canFork = true;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertTrue("named CAN NOT fork!", user.canFork(repository));
+	}
+	
+	/**
+	 * PUSH_CREATE = PUSH access restriction, CREATE access permission
+	 */
+	@Test
+	public void testNamed_PUSH_CREATE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.PUSH;
+		
+		UserModel user = new UserModel("test");
+		user.setRepositoryPermission(repository.name, AccessPermission.CREATE);
+		
+		assertTrue("named CAN NOT view!", user.canView(repository));
+		assertTrue("named CAN NOT clone!", user.canClone(repository));
+		assertTrue("named CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("named CAN NOT create ref!", user.canCreateRef(repository));
+		assertFalse("named CAN delete ref!", user.canDeleteRef(repository));
+		assertFalse("named CAN rewind ref!", user.canRewindRef(repository));
+
+		repository.allowForks = false;
+		user.canFork = false;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		user.canFork = true;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertTrue("named CAN NOT fork!", user.canFork(repository));
+	}
+	
+	/**
+	 * CLONE_CREATE = CLONE access restriction, CREATE access permission
+	 */
+	@Test
+	public void testNamed_CLONE_CREATE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.CLONE;
+		
+		UserModel user = new UserModel("test");
+		user.setRepositoryPermission(repository.name, AccessPermission.CREATE);
+
+		assertTrue("named CAN NOT view!", user.canView(repository));
+		assertTrue("named CAN NOT clone!", user.canClone(repository));
+		assertTrue("named CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("named CAN NOT create ref!", user.canCreateRef(repository));
+		assertFalse("named CAN delete red!", user.canDeleteRef(repository));
+		assertFalse("named CAN rewind ref!", user.canRewindRef(repository));
+
+		repository.allowForks = false;
+		user.canFork = false;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		user.canFork = true;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertTrue("named CAN NOT fork!", user.canFork(repository));
+	}
+	
+	/**
+	 * VIEW_CREATE = VIEW access restriction, CREATE access permission
+	 */
+	@Test
+	public void testNamed_VIEW_CREATE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.VIEW;
+		
+		UserModel user = new UserModel("test");
+		user.setRepositoryPermission(repository.name, AccessPermission.CREATE);
+
+		assertTrue("named CAN NOT view!", user.canView(repository));
+		assertTrue("named CAN NOT clone!", user.canClone(repository));
+		assertTrue("named CAN not push!", user.canPush(repository));
+		
+		assertTrue("named CAN NOT create ref!", user.canCreateRef(repository));
+		assertFalse("named CAN delete ref!", user.canDeleteRef(repository));
+		assertFalse("named CAN rewind ref!", user.canRewindRef(repository));
+		
+		repository.allowForks = false;
+		user.canFork = false;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		user.canFork = true;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertTrue("named CAN NOT fork!", user.canFork(repository));
+	}
+
+	/**
+	 * NONE_DELETE = NO access restriction, DELETE access permission.
+	 * (not useful scenario)
+	 */
+	@Test
+	public void testNamed_NONE_DELETE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.NONE;
+
+		UserModel user = new UserModel("test");
+		user.setRepositoryPermission(repository.name, AccessPermission.DELETE);
+		
+		assertTrue("named CAN NOT view!", user.canView(repository));
+		assertTrue("named CAN NOT clone!", user.canClone(repository));
+		assertTrue("named CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("named CAN NOT create ref!", user.canCreateRef(repository));
+		assertTrue("named CAN NOT delete ref!", user.canDeleteRef(repository));
+		assertTrue("named CAN NOT rewind ref!", user.canRewindRef(repository));
+		
+		repository.allowForks = false;
+		user.canFork = false;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		user.canFork = true;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertTrue("named CAN NOT fork!", user.canFork(repository));
+	}
+	
+	/**
+	 * PUSH_DELETE = PUSH access restriction, DELETE access permission
+	 */
+	@Test
+	public void testNamed_PUSH_DELETE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.PUSH;
+		
+		UserModel user = new UserModel("test");
+		user.setRepositoryPermission(repository.name, AccessPermission.DELETE);
+		
+		assertTrue("named CAN NOT view!", user.canView(repository));
+		assertTrue("named CAN NOT clone!", user.canClone(repository));
+		assertTrue("named CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("named CAN NOT create ref!", user.canCreateRef(repository));
+		assertTrue("named CAN NOT delete ref!", user.canDeleteRef(repository));
+		assertFalse("named CAN rewind ref!", user.canRewindRef(repository));
+
+		repository.allowForks = false;
+		user.canFork = false;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		user.canFork = true;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertTrue("named CAN NOT fork!", user.canFork(repository));
+	}
+	
+	/**
+	 * CLONE_DELETE = CLONE access restriction, DELETE access permission
+	 */
+	@Test
+	public void testNamed_CLONE_DELETE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.CLONE;
+		
+		UserModel user = new UserModel("test");
+		user.setRepositoryPermission(repository.name, AccessPermission.DELETE);
+
+		assertTrue("named CAN NOT view!", user.canView(repository));
+		assertTrue("named CAN NOT clone!", user.canClone(repository));
+		assertTrue("named CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("named CAN NOT create ref!", user.canCreateRef(repository));
+		assertTrue("named CAN NOT delete red!", user.canDeleteRef(repository));
+		assertFalse("named CAN rewind ref!", user.canRewindRef(repository));
+
+		repository.allowForks = false;
+		user.canFork = false;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		user.canFork = true;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertTrue("named CAN NOT fork!", user.canFork(repository));
+	}
+	
+	/**
+	 * VIEW_DELETE = VIEW access restriction, DELETE access permission
+	 */
+	@Test
+	public void testNamed_VIEW_DELETE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.VIEW;
+		
+		UserModel user = new UserModel("test");
+		user.setRepositoryPermission(repository.name, AccessPermission.DELETE);
+
+		assertTrue("named CAN NOT view!", user.canView(repository));
+		assertTrue("named CAN NOT clone!", user.canClone(repository));
+		assertTrue("named CAN not push!", user.canPush(repository));
+		
+		assertTrue("named CAN NOT create ref!", user.canCreateRef(repository));
+		assertTrue("named CAN NOT delete ref!", user.canDeleteRef(repository));
+		assertFalse("named CAN rewind ref!", user.canRewindRef(repository));
+		
+		repository.allowForks = false;
+		user.canFork = false;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		user.canFork = true;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertTrue("named CAN NOT fork!", user.canFork(repository));
+	}
+	
+	/**
+	 * NONE_REWIND = NO access restriction, REWIND access permission.
+	 * (not useful scenario)
+	 */
+	@Test
+	public void testNamed_NONE_REWIND() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.NONE;
+
+		UserModel user = new UserModel("test");
+		user.setRepositoryPermission(repository.name, AccessPermission.REWIND);
+		
+		assertTrue("named CAN NOT view!", user.canView(repository));
+		assertTrue("named CAN NOT clone!", user.canClone(repository));
+		assertTrue("named CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("named CAN NOT create ref!", user.canCreateRef(repository));
+		assertTrue("named CAN NOT delete ref!", user.canDeleteRef(repository));
+		assertTrue("named CAN NOT rewind ref!", user.canRewindRef(repository));
+		
+		repository.allowForks = false;
+		user.canFork = false;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		user.canFork = true;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertTrue("named CAN NOT fork!", user.canFork(repository));
+	}
+	
+	/**
+	 * PUSH_REWIND = PUSH access restriction, REWIND access permission
+	 */
+	@Test
+	public void testNamed_PUSH_REWIND() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.PUSH;
+		
+		UserModel user = new UserModel("test");
+		user.setRepositoryPermission(repository.name, AccessPermission.REWIND);
+		
+		assertTrue("named CAN NOT view!", user.canView(repository));
+		assertTrue("named CAN NOT clone!", user.canClone(repository));
+		assertTrue("named CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("named CAN NOT create ref!", user.canCreateRef(repository));
+		assertTrue("named CAN NOT delete ref!", user.canDeleteRef(repository));
+		assertTrue("named CAN NOT rewind ref!", user.canRewindRef(repository));
+
+		repository.allowForks = false;
+		user.canFork = false;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		user.canFork = true;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertTrue("named CAN NOT fork!", user.canFork(repository));
+	}
+	
+	/**
+	 * CLONE_REWIND = CLONE access restriction, REWIND access permission
+	 */
+	@Test
+	public void testNamed_CLONE_REWIND() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.CLONE;
+		
+		UserModel user = new UserModel("test");
+		user.setRepositoryPermission(repository.name, AccessPermission.REWIND);
+
+		assertTrue("named CAN NOT view!", user.canView(repository));
+		assertTrue("named CAN NOT clone!", user.canClone(repository));
+		assertTrue("named CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("named CAN NOT create ref!", user.canCreateRef(repository));
+		assertTrue("named CAN NOT delete ref!", user.canDeleteRef(repository));
+		assertTrue("named CAN NOT rewind ref!", user.canRewindRef(repository));
+
+		repository.allowForks = false;
+		user.canFork = false;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		user.canFork = true;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertTrue("named CAN NOT fork!", user.canFork(repository));
+	}
+	
+	/**
+	 * VIEW_REWIND = VIEW access restriction, REWIND access permission
+	 */
+	@Test
+	public void testNamed_VIEW_REWIND() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.VIEW;
+		
+		UserModel user = new UserModel("test");
+		user.setRepositoryPermission(repository.name, AccessPermission.REWIND);
+
+		assertTrue("named CAN NOT view!", user.canView(repository));
+		assertTrue("named CAN NOT clone!", user.canClone(repository));
+		assertTrue("named CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("named CAN NOT create ref!", user.canCreateRef(repository));
+		assertTrue("named CAN NOT delete ref!", user.canDeleteRef(repository));
+		assertTrue("named CAN NOT rewind ref!", user.canRewindRef(repository));
+		
+		repository.allowForks = false;
+		user.canFork = false;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		user.canFork = true;
+		assertFalse("named CAN fork!", user.canFork(repository));
+		repository.allowForks = true;
+		assertTrue("named CAN NOT fork!", user.canFork(repository));
+	}
+	
+	/**
+	 * NONE_NONE = NO access restriction, NO access permission
+	 */
+	@Test
+	public void testTeam_NONE_NONE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.NONE;
+
+		TeamModel team = new TeamModel("test");
+		
+		assertTrue("team CAN NOT view!", team.canView(repository));
+		assertTrue("team CAN NOT clone!", team.canClone(repository));
+		assertTrue("team CAN NOT push!", team.canPush(repository));
+		
+		assertTrue("team CAN NOT create ref!", team.canCreateRef(repository));
+		assertTrue("team CAN NOT delete ref!", team.canDeleteRef(repository));
+		assertTrue("team CAN NOT rewind ref!", team.canRewindRef(repository));
+	}
+	
+	/**
+	 * PUSH_NONE = PUSH access restriction, NO access permission
+	 */
+	@Test
+	public void testTeam_PUSH_NONE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.PUSH;
+
+		TeamModel team = new TeamModel("test");
+		
+		assertTrue("team CAN NOT view!", team.canView(repository));
+		assertTrue("team CAN NOT clone!", team.canClone(repository));
+		assertFalse("team CAN push!", team.canPush(repository));
+		
+		assertFalse("team CAN create ref!", team.canCreateRef(repository));
+		assertFalse("team CAN delete ref!", team.canDeleteRef(repository));
+		assertFalse("team CAN rewind ref!", team.canRewindRef(repository));
+	}
+
+	/**
+	 * CLONE_NONE = CLONE access restriction, NO access permission
+	 */
+	@Test
+	public void testTeam_CLONE_NONE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.CLONE;
+
+		TeamModel team = new TeamModel("test");
+		
+		assertTrue("team CAN NOT view!", team.canView(repository));
+		assertFalse("team CAN clone!", team.canClone(repository));
+		assertFalse("team CAN push!", team.canPush(repository));
+		
+		assertFalse("team CAN create ref!", team.canCreateRef(repository));
+		assertFalse("team CAN delete ref!", team.canDeleteRef(repository));
+		assertFalse("team CAN rewind ref!", team.canRewindRef(repository));
+	}
+
+	/**
+	 * VIEW_NONE = VIEW access restriction, NO access permission
+	 */
+	@Test
+	public void testTeam_VIEW_NONE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.VIEW;
+
+		TeamModel team = new TeamModel("test");
+		
+		assertFalse("team CAN view!", team.canView(repository));
+		assertFalse("team CAN clone!", team.canClone(repository));
+		assertFalse("team CAN push!", team.canPush(repository));
+		
+		assertFalse("team CAN create ref!", team.canCreateRef(repository));
+		assertFalse("team CAN delete ref!", team.canDeleteRef(repository));
+		assertFalse("team CAN rewind ref!", team.canRewindRef(repository));
+	}
+	
+	/**
+	 * NONE_PUSH = NO access restriction, PUSH access permission
+	 * (not useful scenario)
+	 */
+	@Test
+	public void testTeam_NONE_PUSH() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.NONE;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.PUSH);
+		
+		assertTrue("team CAN NOT view!", team.canView(repository));
+		assertTrue("team CAN NOT clone!", team.canClone(repository));
+		assertTrue("team CAN NOT push!", team.canPush(repository));
+		
+		assertTrue("team CAN NOT create ref!", team.canCreateRef(repository));
+		assertTrue("team CAN NOT delete ref!", team.canDeleteRef(repository));
+		assertTrue("team CAN NOT rewind ref!", team.canRewindRef(repository));
+	}
+	
+	/**
+	 * PUSH_PUSH = PUSH access restriction, PUSH access permission
+	 */
+	@Test
+	public void testTeam_PUSH_PUSH() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.PUSH;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.PUSH);
+		
+		assertTrue("team CAN NOT view!", team.canView(repository));
+		assertTrue("team CAN NOT clone!", team.canClone(repository));
+		assertTrue("team CAN NOT push!", team.canPush(repository));
+		
+		assertFalse("team CAN create ref!", team.canCreateRef(repository));
+		assertFalse("team CAN delete ref!", team.canDeleteRef(repository));
+		assertFalse("team CAN rewind ref!", team.canRewindRef(repository));
+	}
+	
+	/**
+	 * CLONE_PUSH = CLONE access restriction, PUSH access permission
+	 */
+	@Test
+	public void testTeam_CLONE_PUSH() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.CLONE;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.PUSH);
+		
+		assertTrue("team CAN NOT view!", team.canView(repository));
+		assertTrue("team CAN NOT clone!", team.canClone(repository));
+		assertTrue("team CAN NOT push!", team.canPush(repository));
+		
+		assertFalse("team CAN create ref!", team.canCreateRef(repository));
+		assertFalse("team CAN delete ref!", team.canDeleteRef(repository));
+		assertFalse("team CAN rewind ref!", team.canRewindRef(repository));
+	}
+	
+	/**
+	 * VIEW_PUSH = VIEW access restriction, PUSH access permission
+	 */
+	@Test
+	public void testTeam_VIEW_PUSH() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.VIEW;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.PUSH);
+		
+		assertTrue("team CAN NOT view!", team.canView(repository));
+		assertTrue("team CAN NOT clone!", team.canClone(repository));
+		assertTrue("team CAN NOT push!", team.canPush(repository));
+		
+		assertFalse("team CAN create ref!", team.canCreateRef(repository));
+		assertFalse("team CAN delete ref!", team.canDeleteRef(repository));
+		assertFalse("team CAN rewind ref!", team.canRewindRef(repository));
+	}
+	
+	/**
+	 * NONE_CREATE = NO access restriction, CREATE access permission
+	 * (not useful scenario)
+	 */
+	@Test
+	public void testTeam_NONE_CREATE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.NONE;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.CREATE);
+		
+		assertTrue("team CAN NOT view!", team.canView(repository));
+		assertTrue("team CAN NOT clone!", team.canClone(repository));
+		assertTrue("team CAN NOT push!", team.canPush(repository));
+		
+		assertTrue("team CAN NOT create ref!", team.canCreateRef(repository));
+		assertTrue("team CAN NOT delete ref!", team.canDeleteRef(repository));
+		assertTrue("team CAN NOT rewind ref!", team.canRewindRef(repository));
+	}
+	
+	/**
+	 * PUSH_CREATE = PUSH access restriction, CREATE access permission
+	 */
+	@Test
+	public void testTeam_PUSH_CREATE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.PUSH;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.CREATE);
+		
+		assertTrue("team CAN NOT view!", team.canView(repository));
+		assertTrue("team CAN NOT clone!", team.canClone(repository));
+		assertTrue("team CAN NOT push!", team.canPush(repository));
+		
+		assertTrue("team CAN NOT create ref!", team.canCreateRef(repository));
+		assertFalse("team CAN delete ref!", team.canDeleteRef(repository));
+		assertFalse("team CAN rewind ref!", team.canRewindRef(repository));
+	}
+	
+	/**
+	 * CLONE_CREATE = CLONE access restriction, CREATE access permission
+	 */
+	@Test
+	public void testTeam_CLONE_CREATE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.CLONE;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.CREATE);
+		
+		assertTrue("team CAN NOT view!", team.canView(repository));
+		assertTrue("team CAN NOT clone!", team.canClone(repository));
+		assertTrue("team CAN NOT push!", team.canPush(repository));
+		
+		assertTrue("team CAN NOT create ref!", team.canCreateRef(repository));
+		assertFalse("team CAN delete ref!", team.canDeleteRef(repository));
+		assertFalse("team CAN rewind ref!", team.canRewindRef(repository));
+	}
+	
+	/**
+	 * VIEW_CREATE = VIEW access restriction, CREATE access permission
+	 */
+	@Test
+	public void testTeam_VIEW_CREATE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.VIEW;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.CREATE);
+		
+		assertTrue("team CAN NOT view!", team.canView(repository));
+		assertTrue("team CAN NOT clone!", team.canClone(repository));
+		assertTrue("team CAN NOT push!", team.canPush(repository));
+		
+		assertTrue("team CAN NOT create ref!", team.canCreateRef(repository));
+		assertFalse("team CAN delete ref!", team.canDeleteRef(repository));
+		assertFalse("team CAN rewind ref!", team.canRewindRef(repository));
+	}
+
+	/**
+	 * NONE_DELETE = NO access restriction, DELETE access permission
+	 * (not useful scenario)
+	 */
+	@Test
+	public void testTeam_NONE_DELETE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.NONE;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.DELETE);
+		
+		assertTrue("team CAN NOT view!", team.canView(repository));
+		assertTrue("team CAN NOT clone!", team.canClone(repository));
+		assertTrue("team CAN NOT push!", team.canPush(repository));
+		
+		assertTrue("team CAN NOT create ref!", team.canCreateRef(repository));
+		assertTrue("team CAN NOT delete ref!", team.canDeleteRef(repository));
+		assertTrue("team CAN NOT rewind ref!", team.canRewindRef(repository));
+	}
+	
+	/**
+	 * PUSH_DELETE = PUSH access restriction, DELETE access permission
+	 */
+	@Test
+	public void testTeam_PUSH_DELETE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.PUSH;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.DELETE);
+		
+		assertTrue("team CAN NOT view!", team.canView(repository));
+		assertTrue("team CAN NOT clone!", team.canClone(repository));
+		assertTrue("team CAN NOT push!", team.canPush(repository));
+		
+		assertTrue("team CAN NOT create ref!", team.canCreateRef(repository));
+		assertTrue("team CAN NOT delete ref!", team.canDeleteRef(repository));
+		assertFalse("team CAN rewind ref!", team.canRewindRef(repository));
+	}
+	
+	/**
+	 * CLONE_DELETE = CLONE access restriction, DELETE access permission
+	 */
+	@Test
+	public void testTeam_CLONE_DELETE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.CLONE;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.DELETE);
+		
+		assertTrue("team CAN NOT view!", team.canView(repository));
+		assertTrue("team CAN NOT clone!", team.canClone(repository));
+		assertTrue("team CAN NOT push!", team.canPush(repository));
+		
+		assertTrue("team CAN NOT create ref!", team.canCreateRef(repository));
+		assertTrue("team CAN NOT delete ref!", team.canDeleteRef(repository));
+		assertFalse("team CAN rewind ref!", team.canRewindRef(repository));
+	}
+	
+	/**
+	 * VIEW_DELETE = VIEW access restriction, DELETE access permission
+	 */
+	@Test
+	public void testTeam_VIEW_DELETE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.VIEW;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.DELETE);
+		
+		assertTrue("team CAN NOT view!", team.canView(repository));
+		assertTrue("team CAN NOT clone!", team.canClone(repository));
+		assertTrue("team CAN NOT push!", team.canPush(repository));
+		
+		assertTrue("team CAN NOT create ref!", team.canCreateRef(repository));
+		assertTrue("team CAN NOT delete ref!", team.canDeleteRef(repository));
+		assertFalse("team CAN rewind ref!", team.canRewindRef(repository));
+	}
+	
+	/**
+	 * NONE_REWIND = NO access restriction, REWIND access permission
+	 * (not useful scenario)
+	 */
+	@Test
+	public void testTeam_NONE_REWIND() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.NONE;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.REWIND);
+		
+		assertTrue("team CAN NOT view!", team.canView(repository));
+		assertTrue("team CAN NOT clone!", team.canClone(repository));
+		assertTrue("team CAN NOT push!", team.canPush(repository));
+		
+		assertTrue("team CAN NOT create ref!", team.canCreateRef(repository));
+		assertTrue("team CAN NOT delete ref!", team.canDeleteRef(repository));
+		assertTrue("team CAN NOT rewind ref!", team.canRewindRef(repository));
+	}
+	
+	/**
+	 * PUSH_REWIND = PUSH access restriction, REWIND access permission
+	 */
+	@Test
+	public void testTeam_PUSH_REWIND() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.PUSH;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.REWIND);
+		
+		assertTrue("team CAN NOT view!", team.canView(repository));
+		assertTrue("team CAN NOT clone!", team.canClone(repository));
+		assertTrue("team CAN NOT push!", team.canPush(repository));
+		
+		assertTrue("team CAN NOT create ref!", team.canCreateRef(repository));
+		assertTrue("team CAN NOT delete ref!", team.canDeleteRef(repository));
+		assertTrue("team CAN NOT rewind ref!", team.canRewindRef(repository));
+	}
+	
+	/**
+	 * CLONE_REWIND = CLONE access restriction, REWIND access permission
+	 */
+	@Test
+	public void testTeam_CLONE_REWIND() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.CLONE;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.REWIND);
+		
+		assertTrue("team CAN NOT view!", team.canView(repository));
+		assertTrue("team CAN NOT clone!", team.canClone(repository));
+		assertTrue("team CAN NOT push!", team.canPush(repository));
+		
+		assertTrue("team CAN NOT create ref!", team.canCreateRef(repository));
+		assertTrue("team CAN NOT delete ref!", team.canDeleteRef(repository));
+		assertTrue("team CAN NOT rewind ref!", team.canRewindRef(repository));
+	}
+	
+	/**
+	 * VIEW_REWIND = VIEW access restriction, REWIND access permission
+	 */
+	@Test
+	public void testTeam_VIEW_REWIND() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.VIEW;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.REWIND);
+		
+		assertTrue("team CAN NOT view!", team.canView(repository));
+		assertTrue("team CAN NOT clone!", team.canClone(repository));
+		assertTrue("team CAN NOT push!", team.canPush(repository));
+		
+		assertTrue("team CAN NOT create ref!", team.canCreateRef(repository));
+		assertTrue("team CAN NOT delete ref!", team.canDeleteRef(repository));
+		assertTrue("team CAN NOT rewind ref!", team.canRewindRef(repository));
+	}
+	
+	/**
+	 * NONE_CLONE = NO access restriction, CLONE access permission
+	 * (not useful scenario)
+	 */
+	@Test
+	public void testTeam_NONE_CLONE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.NONE;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.CLONE);
+		
+		assertTrue("team CAN NOT view!", team.canView(repository));
+		assertTrue("team CAN NOT clone!", team.canClone(repository));
+		assertTrue("team CAN NOT push!", team.canPush(repository));
+		
+		assertTrue("team CAN NOT create ref!", team.canCreateRef(repository));
+		assertTrue("team CAN NOT delete ref!", team.canDeleteRef(repository));
+		assertTrue("team CAN NOT rewind ref!", team.canRewindRef(repository));
+	}
+
+	/**
+	 * PUSH_CLONE = PUSH access restriction, CLONE access permission
+	 */
+	@Test
+	public void testTeam_PUSH_CLONE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.PUSH;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.CLONE);
+		
+		assertTrue("team CAN NOT view!", team.canView(repository));
+		assertTrue("team CAN NOT clone!", team.canClone(repository));
+		assertFalse("team CAN push!", team.canPush(repository));
+		
+		assertFalse("team CAN create ref!", team.canCreateRef(repository));
+		assertFalse("team CAN delete ref!", team.canDeleteRef(repository));
+		assertFalse("team CAN rewind ref!", team.canRewindRef(repository));
+	}
+
+	/**
+	 * CLONE_CLONE = CLONE access restriction, CLONE access permission
+	 */
+	@Test
+	public void testTeam_CLONE_CLONE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.CLONE;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.CLONE);
+		
+		assertTrue("team CAN NOT view!", team.canView(repository));
+		assertTrue("team CAN NOT clone!", team.canClone(repository));
+		assertFalse("team CAN push!", team.canPush(repository));
+		
+		assertFalse("team CAN create ref!", team.canCreateRef(repository));
+		assertFalse("team CAN delete ref!", team.canDeleteRef(repository));
+		assertFalse("team CAN rewind ref!", team.canRewindRef(repository));
+	}
+	
+	/**
+	 * VIEW_CLONE = VIEW access restriction, CLONE access permission
+	 */
+	@Test
+	public void testTeam_VIEW_CLONE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.VIEW;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.CLONE);
+		
+		assertTrue("team CAN NOT view!", team.canView(repository));
+		assertTrue("team CAN NOT clone!", team.canClone(repository));
+		assertFalse("team CAN push!", team.canPush(repository));
+		
+		assertFalse("team CAN create ref!", team.canCreateRef(repository));
+		assertFalse("team CAN delete ref!", team.canDeleteRef(repository));
+		assertFalse("team CAN rewind ref!", team.canRewindRef(repository));
+	}
+
+	/**
+	 * NONE_VIEW = NO access restriction, VIEW access permission
+	 * (not useful scenario)
+	 */
+	@Test
+	public void testTeam_NONE_VIEW() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.NONE;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.VIEW);
+		
+		assertTrue("team CAN NOT view!", team.canView(repository));
+		assertTrue("team CAN NOT clone!", team.canClone(repository));
+		assertTrue("team CAN NOT push!", team.canPush(repository));
+		
+		assertTrue("team CAN NOT create ref!", team.canCreateRef(repository));
+		assertTrue("team CAN NOT delete ref!", team.canDeleteRef(repository));
+		assertTrue("team CAN NOT rewind ref!", team.canRewindRef(repository));
+	}
+
+	/**
+	 * PUSH_VIEW = PUSH access restriction, VIEW access permission
+	 */
+	@Test
+	public void testTeam_PUSH_VIEW() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.PUSH;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.VIEW);
+		
+		assertTrue("team CAN NOT view!", team.canView(repository));
+		assertTrue("team CAN NOT clone!", team.canClone(repository));
+		assertFalse("team CAN push!", team.canPush(repository));
+		
+		assertFalse("team CAN create ref!", team.canCreateRef(repository));
+		assertFalse("team CAN delete ref!", team.canDeleteRef(repository));
+		assertFalse("team CAN rewind ref!", team.canRewindRef(repository));
+	}
+	
+	/**
+	 * CLONE_VIEW = CLONE access restriction, VIEW access permission
+	 */
+	@Test
+	public void testTeam_CLONE_VIEW() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.CLONE;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.VIEW);
+		
+		assertTrue("team CAN NOT view!", team.canView(repository));
+		assertFalse("team CAN clone!", team.canClone(repository));
+		assertFalse("team CAN push!", team.canPush(repository));
+		
+		assertFalse("team CAN create ref!", team.canCreateRef(repository));
+		assertFalse("team CAN delete ref!", team.canDeleteRef(repository));
+		assertFalse("team CAN rewind ref!", team.canRewindRef(repository));
+	}
+	
+	/**
+	 * VIEW_VIEW = VIEW access restriction, VIEW access permission
+	 */
+	@Test
+	public void testTeam_VIEW_VIEW() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.VIEW;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.VIEW);
+		
+		assertTrue("team CAN NOT view!", team.canView(repository));
+		assertFalse("team CAN clone!", team.canClone(repository));
+		assertFalse("team CAN push!", team.canPush(repository));
+		
+		assertFalse("team CAN create ref!", team.canCreateRef(repository));
+		assertFalse("team CAN delete ref!", team.canDeleteRef(repository));
+		assertFalse("team CAN rewind ref!", team.canRewindRef(repository));
+	}
+	
+	/**
+	 * NONE_NONE = NO access restriction, NO access permission
+	 */
+	@Test
+	public void testTeamMember_NONE_NONE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.NONE;
+
+		TeamModel team = new TeamModel("test");
+		UserModel user = new UserModel("test");
+		user.teams.add(team);
+		
+		assertTrue("team member CAN NOT view!", user.canView(repository));
+		assertTrue("team member CAN NOT clone!", user.canClone(repository));
+		assertTrue("team member CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("team member CAN NOT create ref!", user.canCreateRef(repository));
+		assertTrue("team member CAN NOT delete ref!", user.canDeleteRef(repository));
+		assertTrue("team member CAN NOT rewind ref!", user.canRewindRef(repository));
+	}
+	
+	/**
+	 * PUSH_NONE = PUSH access restriction, NO access permission
+	 */
+	@Test
+	public void testTeamMember_PUSH_NONE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.PUSH;
+
+		TeamModel team = new TeamModel("test");
+		UserModel user = new UserModel("test");
+		user.teams.add(team);
+		
+		assertTrue("team member CAN NOT view!", user.canView(repository));
+		assertTrue("team member CAN NOT clone!", user.canClone(repository));
+		assertFalse("team member CAN push!", user.canPush(repository));
+		
+		assertFalse("team member CAN create ref!", user.canCreateRef(repository));
+		assertFalse("team member CAN delete ref!", user.canDeleteRef(repository));
+		assertFalse("team member CAN rewind ref!", user.canRewindRef(repository));
+	}
+
+	/**
+	 * CLONE_NONE = CLONE access restriction, NO access permission
+	 */
+	@Test
+	public void testTeamMember_CLONE_NONE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.CLONE;
+
+		TeamModel team = new TeamModel("test");
+		UserModel user = new UserModel("test");
+		user.teams.add(team);
+		
+		assertTrue("team member CAN NOT view!", user.canView(repository));
+		assertFalse("team member CAN clone!", user.canClone(repository));
+		assertFalse("team member CAN push!", user.canPush(repository));
+		
+		assertFalse("team member CAN create ref!", user.canCreateRef(repository));
+		assertFalse("team member CAN delete ref!", user.canDeleteRef(repository));
+		assertFalse("team member CAN rewind ref!", user.canRewindRef(repository));
+	}
+
+	/**
+	 * VIEW_NONE = VIEW access restriction, NO access permission
+	 */
+	@Test
+	public void testTeamMember_VIEW_NONE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.VIEW;
+
+		TeamModel team = new TeamModel("test");
+		UserModel user = new UserModel("test");
+		user.teams.add(team);
+		
+		assertFalse("team member CAN view!", user.canView(repository));
+		assertFalse("team member CAN clone!", user.canClone(repository));
+		assertFalse("team member CAN push!", user.canPush(repository));
+		
+		assertFalse("team member CAN create ref!", user.canCreateRef(repository));
+		assertFalse("team member CAN delete ref!", user.canDeleteRef(repository));
+		assertFalse("team member CAN rewind ref!", user.canRewindRef(repository));
+	}
+	
+	/**
+	 * NONE_PUSH = NO access restriction, PUSH access permission
+	 * (not useful scenario)
+	 */
+	@Test
+	public void testTeamMember_NONE_PUSH() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.NONE;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.PUSH);
+		UserModel user = new UserModel("test");
+		user.teams.add(team);
+		
+		assertTrue("team member CAN NOT view!", user.canView(repository));
+		assertTrue("team member CAN NOT clone!", user.canClone(repository));
+		assertTrue("team member CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("team member CAN NOT create ref!", user.canCreateRef(repository));
+		assertTrue("team member CAN NOT delete ref!", user.canDeleteRef(repository));
+		assertTrue("team member CAN NOT rewind ref!", user.canRewindRef(repository));
+	}
+	
+	/**
+	 * PUSH_PUSH = PUSH access restriction, PUSH access permission
+	 */
+	@Test
+	public void testTeamMember_PUSH_PUSH() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.PUSH;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.PUSH);
+		UserModel user = new UserModel("test");
+		user.teams.add(team);
+
+		assertTrue("team member CAN NOT view!", user.canView(repository));
+		assertTrue("team member CAN NOT clone!", user.canClone(repository));
+		assertTrue("team member CAN NOT push!", user.canPush(repository));
+		
+		assertFalse("team member CAN create ref!", user.canCreateRef(repository));
+		assertFalse("team member CAN delete ref!", user.canDeleteRef(repository));
+		assertFalse("team member CAN rewind ref!", user.canRewindRef(repository));
+	}
+	
+	/**
+	 * CLONE_PUSH = CLONE access restriction, PUSH access permission
+	 */
+	@Test
+	public void testTeamMember_CLONE_PUSH() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.CLONE;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.PUSH);
+		UserModel user = new UserModel("test");
+		user.teams.add(team);
+
+		assertTrue("team member CAN NOT view!", user.canView(repository));
+		assertTrue("team member CAN NOT clone!", user.canClone(repository));
+		assertTrue("team member CAN NOT push!", user.canPush(repository));
+		
+		assertFalse("team member CAN create ref!", user.canCreateRef(repository));
+		assertFalse("team member CAN delete ref!", user.canDeleteRef(repository));
+		assertFalse("team member CAN rewind ref!", user.canRewindRef(repository));
+	}
+	
+	/**
+	 * VIEW_PUSH = VIEW access restriction, PUSH access permission
+	 */
+	@Test
+	public void testTeamMember_VIEW_PUSH() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.VIEW;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.PUSH);
+		UserModel user = new UserModel("test");
+		user.teams.add(team);
+
+		assertTrue("team member CAN NOT view!", user.canView(repository));
+		assertTrue("team member CAN NOT clone!", user.canClone(repository));
+		assertTrue("team member CAN NOT push!", user.canPush(repository));
+		
+		assertFalse("team member CAN create ref!", user.canCreateRef(repository));
+		assertFalse("team member CAN delete ref!", user.canDeleteRef(repository));
+		assertFalse("team member CAN rewind ref!", user.canRewindRef(repository));
+	}
+	
+	/**
+	 * NONE_CREATE = NO access restriction, CREATE access permission
+	 * (not useful scenario)
+	 */
+	@Test
+	public void testTeamMember_NONE_CREATE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.NONE;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.CREATE);
+		UserModel user = new UserModel("test");
+		user.teams.add(team);
+		
+		assertTrue("team member CAN NOT view!", user.canView(repository));
+		assertTrue("team member CAN NOT clone!", user.canClone(repository));
+		assertTrue("team member CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("team member CAN NOT create ref!", user.canCreateRef(repository));
+		assertTrue("team member CAN NOT delete ref!", user.canDeleteRef(repository));
+		assertTrue("team member CAN NOT rewind ref!", user.canRewindRef(repository));
+	}
+	
+	/**
+	 * PUSH_CREATE = PUSH access restriction, CREATE access permission
+	 */
+	@Test
+	public void testTeamMember_PUSH_CREATE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.PUSH;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.CREATE);
+		UserModel user = new UserModel("test");
+		user.teams.add(team);
+
+		assertTrue("team member CAN NOT view!", user.canView(repository));
+		assertTrue("team member CAN NOT clone!", user.canClone(repository));
+		assertTrue("team member CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("team member CAN NOT create ref!", user.canCreateRef(repository));
+		assertFalse("team member CAN delete ref!", user.canDeleteRef(repository));
+		assertFalse("team member CAN rewind ref!", user.canRewindRef(repository));
+	}
+	
+	/**
+	 * CLONE_CREATE = CLONE access restriction, CREATE access permission
+	 */
+	@Test
+	public void testTeamMember_CLONE_CREATE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.CLONE;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.CREATE);
+		UserModel user = new UserModel("test");
+		user.teams.add(team);
+
+		assertTrue("team member CAN NOT view!", user.canView(repository));
+		assertTrue("team member CAN NOT clone!", user.canClone(repository));
+		assertTrue("team member CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("team member CAN NOT create ref!", user.canCreateRef(repository));
+		assertFalse("team member CAN delete ref!", user.canDeleteRef(repository));
+		assertFalse("team member CAN rewind ref!", user.canRewindRef(repository));
+	}
+	
+	/**
+	 * VIEW_CREATE = VIEW access restriction, CREATE access permission
+	 */
+	@Test
+	public void testTeamMember_VIEW_CREATE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.VIEW;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.CREATE);
+		UserModel user = new UserModel("test");
+		user.teams.add(team);
+
+		assertTrue("team member CAN NOT view!", user.canView(repository));
+		assertTrue("team member CAN NOT clone!", user.canClone(repository));
+		assertTrue("team member CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("team member CAN NOT create ref!", user.canCreateRef(repository));
+		assertFalse("team member CAN delete ref!", user.canDeleteRef(repository));
+		assertFalse("team member CAN rewind ref!", user.canRewindRef(repository));
+	}
+
+	/**
+	 * NONE_DELETE = NO access restriction, DELETE access permission
+	 * (not useful scenario)
+	 */
+	@Test
+	public void testTeamMember_NONE_DELETE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.NONE;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.DELETE);
+		UserModel user = new UserModel("test");
+		user.teams.add(team);
+		
+		assertTrue("team member CAN NOT view!", user.canView(repository));
+		assertTrue("team member CAN NOT clone!", user.canClone(repository));
+		assertTrue("team member CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("team member CAN NOT create ref!", user.canCreateRef(repository));
+		assertTrue("team member CAN NOT delete ref!", user.canDeleteRef(repository));
+		assertTrue("team member CAN NOT rewind ref!", user.canRewindRef(repository));
+	}
+	
+	/**
+	 * PUSH_DELETE = PUSH access restriction, DELETE access permission
+	 */
+	@Test
+	public void testTeamMember_PUSH_DELETE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.PUSH;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.DELETE);
+		UserModel user = new UserModel("test");
+		user.teams.add(team);
+
+		assertTrue("team member CAN NOT view!", user.canView(repository));
+		assertTrue("team member CAN NOT clone!", user.canClone(repository));
+		assertTrue("team member CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("team member CAN NOT create ref!", user.canCreateRef(repository));
+		assertTrue("team member CAN NOT delete ref!", user.canDeleteRef(repository));
+		assertFalse("team member CAN rewind ref!", user.canRewindRef(repository));
+	}
+	
+	/**
+	 * CLONE_DELETE = CLONE access restriction, DELETE access permission
+	 */
+	@Test
+	public void testTeamMember_CLONE_DELETE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.CLONE;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.DELETE);
+		UserModel user = new UserModel("test");
+		user.teams.add(team);
+
+		assertTrue("team member CAN NOT view!", user.canView(repository));
+		assertTrue("team member CAN NOT clone!", user.canClone(repository));
+		assertTrue("team member CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("team member CAN NOT create ref!", user.canCreateRef(repository));
+		assertTrue("team member CAN NOT delete ref!", user.canDeleteRef(repository));
+		assertFalse("team member CAN rewind ref!", user.canRewindRef(repository));
+	}
+	
+	/**
+	 * VIEW_DELETE = VIEW access restriction, DELETE access permission
+	 */
+	@Test
+	public void testTeamMember_VIEW_DELETE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.VIEW;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.DELETE);
+		UserModel user = new UserModel("test");
+		user.teams.add(team);
+
+		assertTrue("team member CAN NOT view!", user.canView(repository));
+		assertTrue("team member CAN NOT clone!", user.canClone(repository));
+		assertTrue("team member CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("team member CAN NOT create ref!", user.canCreateRef(repository));
+		assertTrue("team member CAN NOT delete ref!", user.canDeleteRef(repository));
+		assertFalse("team member CAN rewind ref!", user.canRewindRef(repository));
+	}
+
+	/**
+	 * NONE_REWIND = NO access restriction, REWIND access permission
+	 * (not useful scenario)
+	 */
+	@Test
+	public void testTeamMember_NONE_REWIND() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.NONE;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.REWIND);
+		UserModel user = new UserModel("test");
+		user.teams.add(team);
+		
+		assertTrue("team member CAN NOT view!", user.canView(repository));
+		assertTrue("team member CAN NOT clone!", user.canClone(repository));
+		assertTrue("team member CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("team member CAN NOT create ref!", user.canCreateRef(repository));
+		assertTrue("team member CAN NOT delete ref!", user.canDeleteRef(repository));
+		assertTrue("team member CAN NOT rewind ref!", user.canRewindRef(repository));
+	}
+	
+	/**
+	 * PUSH_REWIND = PUSH access restriction, REWIND access permission
+	 */
+	@Test
+	public void testTeamMember_PUSH_REWIND() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.PUSH;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.REWIND);
+		UserModel user = new UserModel("test");
+		user.teams.add(team);
+
+		assertTrue("team member CAN NOT view!", user.canView(repository));
+		assertTrue("team member CAN NOT clone!", user.canClone(repository));
+		assertTrue("team member CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("team member CAN NOT create ref!", user.canCreateRef(repository));
+		assertTrue("team member CAN NOT delete ref!", user.canDeleteRef(repository));
+		assertTrue("team member CAN NOT rewind ref!", user.canRewindRef(repository));
+	}
+	
+	/**
+	 * CLONE_REWIND = CLONE access restriction, REWIND access permission
+	 */
+	@Test
+	public void testTeamMember_CLONE_REWIND() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.CLONE;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.REWIND);
+		UserModel user = new UserModel("test");
+		user.teams.add(team);
+
+		assertTrue("team member CAN NOT view!", user.canView(repository));
+		assertTrue("team member CAN NOT clone!", user.canClone(repository));
+		assertTrue("team member CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("team member CAN NOT create ref!", user.canCreateRef(repository));
+		assertTrue("team member CAN NOT delete ref!", user.canDeleteRef(repository));
+		assertTrue("team member CAN NOT rewind ref!", user.canRewindRef(repository));
+	}
+	
+	/**
+	 * VIEW_REWIND = VIEW access restriction, REWIND access permission
+	 */
+	@Test
+	public void testTeamMember_VIEW_REWIND() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.VIEW;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.REWIND);
+		UserModel user = new UserModel("test");
+		user.teams.add(team);
+
+		assertTrue("team member CAN NOT view!", user.canView(repository));
+		assertTrue("team member CAN NOT clone!", user.canClone(repository));
+		assertTrue("team member CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("team member CAN NOT create ref!", user.canCreateRef(repository));
+		assertTrue("team member CAN NOT delete ref!", user.canDeleteRef(repository));
+		assertTrue("team member CAN NOT rewind ref!", user.canRewindRef(repository));
+	}
+	
+	/**
+	 * NONE_CLONE = NO access restriction, CLONE access permission
+	 * (not useful scenario)
+	 */
+	@Test
+	public void testTeamMember_NONE_CLONE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.NONE;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.CLONE);
+		UserModel user = new UserModel("test");
+		user.teams.add(team);
+
+		assertTrue("team member CAN NOT view!", user.canView(repository));
+		assertTrue("team member CAN NOT clone!", user.canClone(repository));
+		assertTrue("team member CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("team member CAN NOT create ref!", user.canCreateRef(repository));
+		assertTrue("team member CAN NOT delete ref!", user.canDeleteRef(repository));
+		assertTrue("team member CAN NOT rewind ref!", user.canRewindRef(repository));
+	}
+
+	/**
+	 * PUSH_CLONE = PUSH access restriction, CLONE access permission
+	 */
+	@Test
+	public void testTeamMember_PUSH_CLONE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.PUSH;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.CLONE);
+		UserModel user = new UserModel("test");
+		user.teams.add(team);
+
+		assertTrue("team member CAN NOT view!", user.canView(repository));
+		assertTrue("team member CAN NOT clone!", user.canClone(repository));
+		assertFalse("team member CAN push!", user.canPush(repository));
+		
+		assertFalse("team member CAN create ref!", user.canCreateRef(repository));
+		assertFalse("team member CAN delete ref!", user.canDeleteRef(repository));
+		assertFalse("team member CAN rewind ref!", user.canRewindRef(repository));
+	}
+
+	/**
+	 * CLONE_CLONE = CLONE access restriction, CLONE access permission
+	 */
+	@Test
+	public void testTeamMember_CLONE_CLONE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.CLONE;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.CLONE);
+		UserModel user = new UserModel("test");
+		user.teams.add(team);
+
+		assertTrue("team member CAN NOT view!", user.canView(repository));
+		assertTrue("team member CAN NOT clone!", user.canClone(repository));
+		assertFalse("team member CAN push!", user.canPush(repository));
+		
+		assertFalse("team member CAN create ref!", user.canCreateRef(repository));
+		assertFalse("team member CAN delete ref!", user.canDeleteRef(repository));
+		assertFalse("team member CAN rewind ref!", user.canRewindRef(repository));
+	}
+	
+	/**
+	 * VIEW_CLONE = VIEW access restriction, CLONE access permission
+	 */
+	@Test
+	public void testTeamMember_VIEW_CLONE() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.VIEW;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.CLONE);
+		UserModel user = new UserModel("test");
+		user.teams.add(team);
+
+		assertTrue("team member CAN NOT view!", user.canView(repository));
+		assertTrue("team member CAN NOT clone!", user.canClone(repository));
+		assertFalse("team member CAN push!", user.canPush(repository));
+		
+		assertFalse("team member CAN create ref!", user.canCreateRef(repository));
+		assertFalse("team member CAN delete ref!", user.canDeleteRef(repository));
+		assertFalse("team member CAN rewind ref!", user.canRewindRef(repository));
+	}
+
+	/**
+	 * NONE_VIEW = NO access restriction, VIEW access permission
+	 * (not useful scenario)
+	 */
+	@Test
+	public void testTeamMember_NONE_VIEW() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.NONE;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.VIEW);
+		UserModel user = new UserModel("test");
+		user.teams.add(team);
+
+		assertTrue("team member CAN NOT view!", user.canView(repository));
+		assertTrue("team member CAN NOT clone!", user.canClone(repository));
+		assertTrue("team member CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("team member CAN NOT create ref!", user.canCreateRef(repository));
+		assertTrue("team member CAN NOT delete ref!", user.canDeleteRef(repository));
+		assertTrue("team member CAN NOT rewind ref!", user.canRewindRef(repository));
+	}
+
+	/**
+	 * PUSH_VIEW = PUSH access restriction, VIEW access permission
+	 */
+	@Test
+	public void testTeamMember_PUSH_VIEW() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.PUSH;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.VIEW);
+		UserModel user = new UserModel("test");
+		user.teams.add(team);
+
+		assertTrue("team member CAN NOT view!", user.canView(repository));
+		assertTrue("team member CAN NOT clone!", user.canClone(repository));
+		assertFalse("team member CAN push!", user.canPush(repository));
+		
+		assertFalse("team member CAN create ref!", user.canCreateRef(repository));
+		assertFalse("team member CAN delete ref!", user.canDeleteRef(repository));
+		assertFalse("team member CAN rewind ref!", user.canRewindRef(repository));
+	}
+	
+	/**
+	 * CLONE_VIEW = CLONE access restriction, VIEW access permission
+	 */
+	@Test
+	public void testTeamMember_CLONE_VIEW() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.CLONE;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.VIEW);
+		UserModel user = new UserModel("test");
+		user.teams.add(team);
+
+		assertTrue("team member CAN NOT view!", user.canView(repository));
+		assertFalse("team member CAN clone!", user.canClone(repository));
+		assertFalse("team member CAN push!", user.canPush(repository));
+		
+		assertFalse("team member CAN create ref!", user.canCreateRef(repository));
+		assertFalse("team member CAN delete ref!", user.canDeleteRef(repository));
+		assertFalse("team member CAN rewind ref!", user.canRewindRef(repository));
+	}
+	
+	/**
+	 * VIEW_VIEW = VIEW access restriction, VIEW access permission
+	 */
+	@Test
+	public void testTeamMember_VIEW_VIEW() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.VIEW;
+
+		TeamModel team = new TeamModel("test");
+		team.setRepositoryPermission(repository.name, AccessPermission.VIEW);
+		UserModel user = new UserModel("test");
+		user.teams.add(team);
+
+		assertTrue("team member CAN NOT view!", user.canView(repository));
+		assertFalse("team member CAN clone!", user.canClone(repository));
+		assertFalse("team member CAN push!", user.canPush(repository));
+		
+		assertFalse("team member CAN create ref!", user.canCreateRef(repository));
+		assertFalse("team member CAN delete ref!", user.canDeleteRef(repository));
+		assertFalse("team member CAN rewind ref!", user.canRewindRef(repository));
+	}
+	
+	@Test
+	public void testOwner() throws Exception {
+		RepositoryModel repository = new RepositoryModel("myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.VIEW;
+
+		UserModel user = new UserModel("test");
+		repository.owner = user.username;
+
+		assertTrue("owner CAN NOT view!", user.canView(repository));
+		assertTrue("owner CAN NOT clone!", user.canClone(repository));
+		assertTrue("owner CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("owner CAN NOT create ref!", user.canCreateRef(repository));
+		assertTrue("owner CAN NOT delete ref!", user.canDeleteRef(repository));
+		assertTrue("owner CAN NOT rewind ref!", user.canRewindRef(repository));
+
+		assertTrue("owner CAN NOT fork!", user.canFork(repository));
+		
+		assertFalse("owner CAN NOT delete!", user.canDelete(repository));
+		assertTrue("owner CAN NOT edit!", user.canEdit(repository));
+	}
+	
+	@Test
+	public void testOwnerPersonalRepository() throws Exception {
+		RepositoryModel repository = new RepositoryModel("~test/myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.VIEW;
+
+		UserModel user = new UserModel("test");
+		repository.owner = user.username;
+
+		assertTrue("user CAN NOT view!", user.canView(repository));
+		assertTrue("user CAN NOT clone!", user.canClone(repository));
+		assertTrue("user CAN NOT push!", user.canPush(repository));
+		
+		assertTrue("user CAN NOT create ref!", user.canCreateRef(repository));
+		assertTrue("user CAN NOT delete ref!", user.canDeleteRef(repository));
+		assertTrue("user CAN NOT rewind ref!", user.canRewindRef(repository));
+
+		assertFalse("user CAN fork!", user.canFork(repository));
+		
+		assertTrue("user CAN NOT delete!", user.canDelete(repository));
+		assertTrue("user CAN NOT edit!", user.canEdit(repository));
+	}
+
+	@Test
+	public void testVisitorPersonalRepository() throws Exception {
+		RepositoryModel repository = new RepositoryModel("~test/myrepo.git", null, null, new Date());
+		repository.authorizationControl = AuthorizationControl.NAMED;
+		repository.accessRestriction = AccessRestrictionType.VIEW;
+
+		UserModel user = new UserModel("visitor");
+		repository.owner = "test";
+
+		assertFalse("user CAN view!", user.canView(repository));
+		assertFalse("user CAN clone!", user.canClone(repository));
+		assertFalse("user CAN push!", user.canPush(repository));
+		
+		assertFalse("user CAN create ref!", user.canCreateRef(repository));
+		assertFalse("user CAN delete ref!", user.canDeleteRef(repository));
+		assertFalse("user CAN rewind ref!", user.canRewindRef(repository));
+
+		assertFalse("user CAN fork!", user.canFork(repository));
+		
+		assertFalse("user CAN delete!", user.canDelete(repository));
+		assertFalse("user CAN edit!", user.canEdit(repository));
+	}
+}
diff --git a/tests/com/gitblit/tests/RpcTests.java b/tests/com/gitblit/tests/RpcTests.java
index 1080849c..3ad0ec59 100644
--- a/tests/com/gitblit/tests/RpcTests.java
+++ b/tests/com/gitblit/tests/RpcTests.java
@@ -247,7 +247,7 @@ public class RpcTests {
 		// Create the A-Team
 		TeamModel aTeam = new TeamModel("A-Team");
 		aTeam.users.add("admin");
-		aTeam.repositories.add("helloworld.git");
+		aTeam.addRepositoryPermission("helloworld.git");
 		assertTrue(RpcUtils.createTeam(aTeam, url, account, password.toCharArray()));
 
 		aTeam = null;
@@ -261,7 +261,7 @@ public class RpcTests {
 		}
 		assertNotNull(aTeam);
 		assertTrue(aTeam.hasUser("admin"));
-		assertTrue(aTeam.hasRepository("helloworld.git"));
+		assertTrue(aTeam.hasRepositoryPermission("helloworld.git"));
 
 		RepositoryModel helloworld = null;
 		Map<String, RepositoryModel> repositories = RpcUtils.getRepositories(url, account,
diff --git a/tests/com/gitblit/tests/UserServiceTest.java b/tests/com/gitblit/tests/UserServiceTest.java
index 03051bdb..710d1f35 100644
--- a/tests/com/gitblit/tests/UserServiceTest.java
+++ b/tests/com/gitblit/tests/UserServiceTest.java
@@ -25,8 +25,10 @@ import java.io.IOException;
 import org.junit.Test;
 
 import com.gitblit.ConfigUserService;
+import com.gitblit.Constants.AccessRestrictionType;
 import com.gitblit.FileUserService;
 import com.gitblit.IUserService;
+import com.gitblit.models.RepositoryModel;
 import com.gitblit.models.TeamModel;
 import com.gitblit.models.UserModel;
 
@@ -74,9 +76,9 @@ public class UserServiceTest {
 		// add new user
 		UserModel newUser = new UserModel("test");
 		newUser.password = "testPassword";
-		newUser.addRepository("repo1");
-		newUser.addRepository("repo2");
-		newUser.addRepository("sub/repo3");
+		newUser.addRepositoryPermission("repo1");
+		newUser.addRepositoryPermission("repo2");
+		newUser.addRepositoryPermission("sub/repo3");
 		service.updateUserModel(newUser);
 
 		// add one more new user and then test reload of first new user
@@ -93,10 +95,10 @@ public class UserServiceTest {
 		// confirm reloaded test user
 		newUser = service.getUserModel("test");
 		assertEquals("testPassword", newUser.password);
-		assertEquals(3, newUser.repositories.size());
-		assertTrue(newUser.hasRepository("repo1"));
-		assertTrue(newUser.hasRepository("repo2"));
-		assertTrue(newUser.hasRepository("sub/repo3"));
+		assertEquals(3, newUser.permissions.size());
+		assertTrue(newUser.hasRepositoryPermission("repo1"));
+		assertTrue(newUser.hasRepositoryPermission("repo2"));
+		assertTrue(newUser.hasRepositoryPermission("sub/repo3"));
 
 		// confirm authentication of test user
 		UserModel testUser = service.authenticate("test", "testPassword".toCharArray());
@@ -106,7 +108,7 @@ public class UserServiceTest {
 		// delete a repository role and confirm role removal from test user
 		service.deleteRepositoryRole("repo2");
 		testUser = service.getUserModel("test");
-		assertEquals(2, testUser.repositories.size());
+		assertEquals(2, testUser.permissions.size());
 
 		// delete garbage user and confirm user count
 		service.deleteUser("garbage");
@@ -115,7 +117,7 @@ public class UserServiceTest {
 		// rename repository and confirm role change for test user
 		service.renameRepositoryRole("repo1", "newrepo1");
 		testUser = service.getUserModel("test");
-		assertTrue(testUser.hasRepository("newrepo1"));
+		assertTrue(testUser.hasRepositoryPermission("newrepo1"));
 	}
 
 	protected void testTeams(IUserService service) {
@@ -123,41 +125,51 @@ public class UserServiceTest {
 		// confirm we have 1 team (admins)
 		assertEquals(1, service.getAllTeamNames().size());
 		assertEquals("admins", service.getAllTeamNames().get(0));
+		
+		RepositoryModel newrepo1 = new RepositoryModel("newrepo1", null, null, null);
+		newrepo1.accessRestriction = AccessRestrictionType.VIEW;
+		RepositoryModel NEWREPO1 = new RepositoryModel("NEWREPO1", null, null, null);
+		NEWREPO1.accessRestriction = AccessRestrictionType.VIEW;
 
 		// remove newrepo1 from test user
 		// now test user has no repositories
 		UserModel user = service.getUserModel("test");
-		user.repositories.clear();
+		user.permissions.clear();
 		service.updateUserModel(user);
 		user = service.getUserModel("test");
-		assertEquals(0, user.repositories.size());
-		assertFalse(user.canAccessRepository("newrepo1"));
-		assertFalse(user.canAccessRepository("NEWREPO1"));
+		assertEquals(0, user.permissions.size());
+		assertFalse(user.canView(newrepo1));
+		assertFalse(user.canView(NEWREPO1));
 
 		// create test team and add test user and newrepo1
 		TeamModel team = new TeamModel("testteam");
 		team.addUser("test");
-		team.addRepository("newrepo1");
+		team.addRepositoryPermission(newrepo1.name);
 		service.updateTeamModel(team);
 
 		// confirm 1 user and 1 repo
 		team = service.getTeamModel("testteam");
-		assertEquals(1, team.repositories.size());
+		assertEquals(1, team.permissions.size());
 		assertEquals(1, team.users.size());
 
 		// confirm team membership
 		user = service.getUserModel("test");
-		assertEquals(0, user.repositories.size());
+		assertEquals(0, user.permissions.size());
 		assertEquals(1, user.teams.size());
 
 		// confirm team access
-		assertTrue(team.hasRepository("newrepo1"));
-		assertTrue(user.hasTeamAccess("newrepo1"));
-		assertTrue(team.hasRepository("NEWREPO1"));
-		assertTrue(user.hasTeamAccess("NEWREPO1"));
+		assertTrue(team.hasRepositoryPermission(newrepo1.name));
+		assertTrue(user.canView(newrepo1));
+		assertTrue(team.hasRepositoryPermission(NEWREPO1.name));
+		assertTrue(user.canView(NEWREPO1));
 
 		// rename the team and add new repository
-		team.addRepository("newrepo2");
+		RepositoryModel newrepo2 = new RepositoryModel("newrepo2", null, null, null);
+		newrepo2.accessRestriction = AccessRestrictionType.VIEW;
+		RepositoryModel NEWREPO2 = new RepositoryModel("NEWREPO2", null, null, null);
+		NEWREPO2.accessRestriction = AccessRestrictionType.VIEW;
+		
+		team.addRepositoryPermission(newrepo2.name);
 		team.name = "testteam2";
 		service.updateTeamModel("testteam", team);
 
@@ -165,11 +177,11 @@ public class UserServiceTest {
 		user = service.getUserModel("test");
 
 		// confirm user and team can access newrepo2
-		assertEquals(2, team.repositories.size());
-		assertTrue(team.hasRepository("newrepo2"));
-		assertTrue(user.hasTeamAccess("newrepo2"));
-		assertTrue(team.hasRepository("NEWREPO2"));
-		assertTrue(user.hasTeamAccess("NEWREPO2"));
+		assertEquals(2, team.permissions.size());
+		assertTrue(team.hasRepositoryPermission(newrepo2.name));
+		assertTrue(user.canView(newrepo2));
+		assertTrue(team.hasRepositoryPermission(NEWREPO2.name));
+		assertTrue(user.canView(NEWREPO2));
 
 		// delete testteam2
 		service.deleteTeam("testteam2");
@@ -178,28 +190,28 @@ public class UserServiceTest {
 
 		// confirm team does not exist and user can not access newrepo1 and 2
 		assertEquals(null, team);
-		assertFalse(user.canAccessRepository("newrepo1"));
-		assertFalse(user.canAccessRepository("newrepo2"));
+		assertFalse(user.canView(newrepo1));
+		assertFalse(user.canView(newrepo2));
 
 		// create new team and add it to user
 		// this tests the inverse team creation/team addition
 		team = new TeamModel("testteam");
-		team.addRepository("NEWREPO1");
-		team.addRepository("NEWREPO2");
+		team.addRepositoryPermission(NEWREPO1.name);
+		team.addRepositoryPermission(NEWREPO2.name);
 		user.teams.add(team);
 		service.updateUserModel(user);
 
 		// confirm the inverted team addition
 		user = service.getUserModel("test");
 		team = service.getTeamModel("testteam");
-		assertTrue(user.hasTeamAccess("newrepo1"));
-		assertTrue(user.hasTeamAccess("newrepo2"));
+		assertTrue(user.canView(newrepo1));
+		assertTrue(user.canView(newrepo2));
 		assertTrue(team.hasUser("test"));
 
 		// drop testteam from user and add nextteam to user
 		team = new TeamModel("nextteam");
-		team.addRepository("NEWREPO1");
-		team.addRepository("NEWREPO2");
+		team.addRepositoryPermission(NEWREPO1.name);
+		team.addRepositoryPermission(NEWREPO2.name);
 		user.teams.clear();
 		user.teams.add(team);
 		service.updateUserModel(user);
@@ -207,8 +219,8 @@ public class UserServiceTest {
 		// confirm implicit drop
 		user = service.getUserModel("test");
 		team = service.getTeamModel("testteam");
-		assertTrue(user.hasTeamAccess("newrepo1"));
-		assertTrue(user.hasTeamAccess("newrepo2"));
+		assertTrue(user.canView(newrepo1));
+		assertTrue(user.canView(newrepo2));
 		assertFalse(team.hasUser("test"));
 		team = service.getTeamModel("nextteam");
 		assertTrue(team.hasUser("test"));
-- 
2.39.5