From ff449b21c0d7067aa7540acc35b6be5818107470 Mon Sep 17 00:00:00 2001
From: Sylvain LE GAL
Date: Wed, 22 Feb 2017 03:58:01 +0100
Subject: [PATCH] create a new module sql_request_abstract
---
sql_request_abstract/README.rst | 93 +++++++
sql_request_abstract/__init__.py | 3 +
sql_request_abstract/__openerp__.py | 23 ++
sql_request_abstract/i18n/fr.po | 145 ++++++++++
.../i18n/sql_export_abstract.pot | 140 ++++++++++
sql_request_abstract/models/__init__.py | 3 +
.../models/sql_request_mixin.py | 255 ++++++++++++++++++
.../security/ir.model.access.csv | 4 +
.../security/ir_module_category.xml | 9 +
sql_request_abstract/security/res_groups.xml | 23 ++
.../static/description/icon.png | Bin 0 -> 9455 bytes
11 files changed, 698 insertions(+)
create mode 100644 sql_request_abstract/README.rst
create mode 100644 sql_request_abstract/__init__.py
create mode 100644 sql_request_abstract/__openerp__.py
create mode 100644 sql_request_abstract/i18n/fr.po
create mode 100644 sql_request_abstract/i18n/sql_export_abstract.pot
create mode 100644 sql_request_abstract/models/__init__.py
create mode 100644 sql_request_abstract/models/sql_request_mixin.py
create mode 100644 sql_request_abstract/security/ir.model.access.csv
create mode 100644 sql_request_abstract/security/ir_module_category.xml
create mode 100644 sql_request_abstract/security/res_groups.xml
create mode 100644 sql_request_abstract/static/description/icon.png
diff --git a/sql_request_abstract/README.rst b/sql_request_abstract/README.rst
new file mode 100644
index 000000000..5c151fc74
--- /dev/null
+++ b/sql_request_abstract/README.rst
@@ -0,0 +1,93 @@
+.. image:: https://img.shields.io/badge/licence-AGPL--3-blue.svg
+ :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
+ :alt: License: AGPL-3
+
+=====================================
+Abstract Model to manage SQL Requests
+=====================================
+
+This module provide an abstract model to manage SQL Select request on database.
+It is not usefull for itself. You can see an exemple of implementation in the
+'sql_export' module. (same repository).
+
+Implemented features
+--------------------
+
+* Add some restrictions in the sql request:
+ * you can only read datas. No update, deletion or creation are possible.
+ * some tables are not allowed, because they could contains clear password
+ or keys. For the time being ('ir_config_parameter').
+
+* The request can be in a 'draft' or a 'SQL Valid' status. To be valid,
+ the request has to be cleaned, checked and tested. All of this operations
+ can be disabled in the inherited modules.
+
+* This module two new groups:
+ * SQL Request / User : Can see all the sql requests by default and execute
+ them, if they are valid.
+ * SQL Request / Manager : has full access on sql requests.
+
+Usage
+=====
+
+Inherit the model:
+
+ from openerp import models
+
+ class MyModel(models.model)
+ _name = 'my.model'
+ _inherit = ['sql.request.mixin']
+
+ _sql_request_groups_relation = 'my_model_groups_rel'
+
+ _sql_request_users_relation = 'my_model_users_rel'
+
+
+.. image:: https://odoo-community.org/website/image/ir.attachment/5784_f2813bd/datas
+ :alt: Try me on Runbot
+ :target: https://runbot.odoo-community.org/runbot/149/8.0
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues
+`_. In case of trouble, please
+check there if your issue has already been reported. If you spotted it first,
+help us smash it by providing detailed and welcomed feedback.
+
+Credits
+=======
+
+Images
+------
+
+* Odoo Community Association: `Icon `_.
+
+Contributors
+------------
+
+* Florian da Costa
+* Sylvain LE GAL (https://twitter.com/legalsylvain)
+
+Funders
+-------
+
+The development of this module has been financially supported by:
+
+* Akretion ()
+* GRAP, Groupement Régional Alimentaire de Proximité ()
+
+Maintainer
+----------
+
+.. image:: https://odoo-community.org/logo.png
+ :alt: Odoo Community Association
+ :target: https://odoo-community.org
+
+This module is maintained by the OCA.
+
+OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.
+
+To contribute to this module, please visit https://odoo-community.org.
diff --git a/sql_request_abstract/__init__.py b/sql_request_abstract/__init__.py
new file mode 100644
index 000000000..cde864bae
--- /dev/null
+++ b/sql_request_abstract/__init__.py
@@ -0,0 +1,3 @@
+# -*- coding: utf-8 -*-
+
+from . import models
diff --git a/sql_request_abstract/__openerp__.py b/sql_request_abstract/__openerp__.py
new file mode 100644
index 000000000..f909dcc3c
--- /dev/null
+++ b/sql_request_abstract/__openerp__.py
@@ -0,0 +1,23 @@
+# -*- coding: utf-8 -*-
+# Copyright (C) 2017 - Today: GRAP (http://www.grap.coop)
+# @author: Sylvain LE GAL (https://twitter.com/legalsylvain)
+# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
+
+{
+ 'name': 'SQL Request Abstract',
+ 'version': '8.0.1.0.0',
+ 'author': 'GRAP,Akretion,Odoo Community Association (OCA)',
+ 'website': 'https://www.odoo-community.org',
+ 'license': 'AGPL-3',
+ 'category': 'Tools',
+ 'summary': 'Abstract Model to manage SQL Requests',
+ 'depends': [
+ 'base',
+ ],
+ 'data': [
+ 'security/ir_module_category.xml',
+ 'security/res_groups.xml',
+ 'security/ir.model.access.csv',
+ ],
+ 'installable': True,
+}
diff --git a/sql_request_abstract/i18n/fr.po b/sql_request_abstract/i18n/fr.po
new file mode 100644
index 000000000..5c8fb87c8
--- /dev/null
+++ b/sql_request_abstract/i18n/fr.po 
@@ -0,0 +1,145 @@
+
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+# * sql_request_abstract
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: Odoo Server 8.0\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2017-02-27 12:11+0000\n"
+"PO-Revision-Date: 2017-02-27 12:11+0000\n"
+"Last-Translator: <>\n"
+"Language-Team: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: \n"
+"Plural-Forms: \n"
+
+#. module: sql_request_abstract
+#: field:sql.request.mixin,group_ids:0
+msgid "Allowed Groups"
+msgstr "Groupes autorisés"
+
+#. module: sql_request_abstract
+#: field:sql.request.mixin,user_ids:0
+msgid "Allowed Users"
+msgstr "Utilisateurs Autorisés"
+
+#. module: sql_request_abstract
+#: field:sql.request.mixin,create_uid:0
+msgid "Created by"
+msgstr "Créé par"
+
+#. module: sql_request_abstract
+#: field:sql.request.mixin,create_date:0
+msgid "Created on"
+msgstr "Créé le"
+
+#. module: sql_request_abstract
+#: field:sql.request.mixin,display_name:0
+msgid "Display Name"
+msgstr "Nom affiché"
+
+#. module: sql_request_abstract
+#: selection:sql.request.mixin,state:0
+msgid "Draft"
+msgstr "En brouillon"
+
+#. module: sql_request_abstract
+#: field:sql.request.mixin,id:0
+msgid "ID"
+msgstr "ID"
+
+#. module: sql_request_abstract
+#: code:addons/sql_request_abstract/models/sql_request_mixin.py:135
+#, python-format
+msgid "It is not allowed to execute a not checked request."
+msgstr "Il n'est pas autorisé d'exécuter une requête non vérifiée."
+
+#. module: sql_request_abstract
+#: field:sql.request.mixin,__last_update:0
+msgid "Last Modified on"
+msgstr "Dernière modification le"
+
+#. module: sql_request_abstract
+#: field:sql.request.mixin,write_uid:0
+msgid "Last Updated by"
+msgstr "Dernière mise à jour par"
+
+#. module: sql_request_abstract
+#: field:sql.request.mixin,write_date:0
+msgid "Last Updated on"
+msgstr "Dernière mise à jour le"
+
+#. module: sql_request_abstract
+#: model:res.groups,name:sql_request_abstract.group_sql_request_manager
+msgid "Manager"
+msgstr "Responsable"
+
+#. module: sql_request_abstract
+#: field:sql.request.mixin,name:0
+msgid "Name"
+msgstr "Nom"
+
+#. module: sql_request_abstract
+#: field:sql.request.mixin,query:0
+msgid "Query"
+msgstr "Requête"
+
+#. module: sql_request_abstract
+#: selection:sql.request.mixin,state:0
+msgid "SQL Valid"
+msgstr "SQL Validé"
+
+#. module: sql_request_abstract
+#: model:ir.module.category,name:sql_request_abstract.category_sql_abstract
+msgid "Sql Request"
+msgstr "Request SQL"
+
+#. module: sql_request_abstract
+#: field:sql.request.mixin,state:0
+msgid "State"
+msgstr "Etat"
+
+#. module: sql_request_abstract
+#: help:sql.request.mixin,state:0
+msgid "State of the Request:\n"
+" * 'Draft': Not tested\n"
+" * 'SQL Valid': SQL Request has been checked and is valid"
+msgstr "Etat de la requête:\n"
+" * 'En brouillon': non testée\n"
+" * 'SQL Validé': La requête SQL a été vérifiée et est valide"
+
+#. module: sql_request_abstract
+#: code:addons/sql_request_abstract/models/sql_request_mixin.py:248
+#, python-format
+msgid "The SQL query is not valid:\n"
+"\n"
+" %s"
+msgstr "La requête SQL n'est pas valide:\n"
+"\n"
+" %s"
+
+#. module: sql_request_abstract
+#: code:addons/sql_request_abstract/models/sql_request_mixin.py:217
+#, python-format
+msgid "The query is not allowed because it contains unsafe word '%s'"
+msgstr "La requête n'est pas autorisée car elle contient un terme non sécurisé '%s'"
+
+#. module: sql_request_abstract
+#: code:addons/sql_request_abstract/models/sql_request_mixin.py:156
+#, python-format
+msgid "Unimplemented mode : '%s'"
+msgstr "Mode non implémenté : '%s'"
+
+#. module: sql_request_abstract
+#: model:res.groups,name:sql_request_abstract.group_sql_request_user
+msgid "User"
+msgstr "Utilisateur"
+
+#. module: sql_request_abstract
+#: help:sql.request.mixin,query:0
+msgid "You can't use the following words: DELETE, DROP, CREATE, INSERT, ALTER, TRUNCATE, EXECUTE, UPDATE"
+msgstr "Vous ne pouvez pas utiliser les termes suivants : DELETE, DROP, CREATE, INSERT, ALTER, TRUNCATE, EXECUTE, UPDATE"
+
diff --git a/sql_request_abstract/i18n/sql_export_abstract.pot b/sql_request_abstract/i18n/sql_export_abstract.pot
new file mode 100644
index 000000000..43f61b722
--- /dev/null
+++ b/sql_request_abstract/i18n/sql_export_abstract.pot
@@ -0,0 +1,140 @@
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+# * sql_request_abstract
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: Odoo Server 8.0\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2017-02-27 12:11+0000\n"
+"PO-Revision-Date: 2017-02-27 12:11+0000\n"
+"Last-Translator: <>\n"
+"Language-Team: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: \n"
+"Plural-Forms: \n"
+
+#. module: sql_request_abstract
+#: field:sql.request.mixin,group_ids:0
+msgid "Allowed Groups"
+msgstr ""
+
+#. module: sql_request_abstract
+#: field:sql.request.mixin,user_ids:0
+msgid "Allowed Users"
+msgstr ""
+
+#. module: sql_request_abstract
+#: field:sql.request.mixin,create_uid:0
+msgid "Created by"
+msgstr ""
+
+#. module: sql_request_abstract
+#: field:sql.request.mixin,create_date:0
+msgid "Created on"
+msgstr ""
+
+#. module: sql_request_abstract
+#: field:sql.request.mixin,display_name:0
+msgid "Display Name"
+msgstr ""
+
+#. module: sql_request_abstract
+#: selection:sql.request.mixin,state:0
+msgid "Draft"
+msgstr ""
+
+#. module: sql_request_abstract
+#: field:sql.request.mixin,id:0
+msgid "ID"
+msgstr ""
+
+#. module: sql_request_abstract
+#: code:addons/sql_request_abstract/models/sql_request_mixin.py:135
+#, python-format
+msgid "It is not allowed to execute a not checked request."
+msgstr ""
+
+#. module: sql_request_abstract
+#: field:sql.request.mixin,__last_update:0
+msgid "Last Modified on"
+msgstr ""
+
+#. module: sql_request_abstract
+#: field:sql.request.mixin,write_uid:0
+msgid "Last Updated by"
+msgstr ""
+
+#. module: sql_request_abstract
+#: field:sql.request.mixin,write_date:0
+msgid "Last Updated on"
+msgstr ""
+
+#. module: sql_request_abstract
+#: model:res.groups,name:sql_request_abstract.group_sql_abstract_mixin_manager
+msgid "Manager"
+msgstr ""
+
+#. module: sql_request_abstract
+#: field:sql.request.mixin,name:0
+msgid "Name"
+msgstr ""
+
+#. module: sql_request_abstract
+#: field:sql.request.mixin,query:0
+msgid "Query"
+msgstr ""
+
+#. module: sql_request_abstract
+#: selection:sql.request.mixin,state:0
+msgid "SQL Valid"
+msgstr ""
+
+#. module: sql_request_abstract
+#: model:ir.module.category,name:sql_request_abstract.category_sql_abstract
+msgid "Sql Request"
+msgstr ""
+
+#. module: sql_request_abstract
+#: field:sql.request.mixin,state:0
+msgid "State"
+msgstr ""
+
+#. module: sql_request_abstract
+#: help:sql.request.mixin,state:0
+msgid "State of the Request:\n"
+" * 'Draft': Not tested\n"
+" * 'SQL Valid': SQL Request has been checked and is valid"
+msgstr ""
+
+#. module: sql_request_abstract
+#: code:addons/sql_request_abstract/models/sql_request_mixin.py:248
+#, python-format
+msgid "The SQL query is not valid:\n"
+"\n"
+" %s"
+msgstr ""
+
+#. module: sql_request_abstract
+#: code:addons/sql_request_abstract/models/sql_request_mixin.py:217
+#, python-format
+msgid "The query is not allowed because it contains unsafe word '%s'"
+msgstr ""
+
+#. module: sql_request_abstract
+#: code:addons/sql_request_abstract/models/sql_request_mixin.py:156
+#, python-format
+msgid "Unimplemented mode : '%s'"
+msgstr ""
+
+#. module: sql_request_abstract
+#: model:res.groups,name:sql_request_abstract.group_sql_abstract_mixin_user
+msgid "User"
+msgstr ""
+
+#. module: sql_request_abstract
+#: help:sql.request.mixin,query:0
+msgid "You can't use the following words: DELETE, DROP, CREATE, INSERT, ALTER, TRUNCATE, EXECUTE, UPDATE"
+msgstr ""
+
diff --git a/sql_request_abstract/models/__init__.py b/sql_request_abstract/models/__init__.py
new file mode 100644
index 000000000..72dc9ae94
--- /dev/null
+++ b/sql_request_abstract/models/__init__.py
@@ -0,0 +1,3 @@
+# -*- coding: utf-8 -*-
+
+from . import sql_request_mixin
diff --git a/sql_request_abstract/models/sql_request_mixin.py b/sql_request_abstract/models/sql_request_mixin.py
new file mode 100644
index 000000000..bd6ad4085
--- /dev/null
+++ b/sql_request_abstract/models/sql_request_mixin.py
@@ -0,0 +1,255 @@
+# -*- coding: utf-8 -*-
+# Copyright (C) 2015 Akretion ()
+# Copyright (C) 2017 - Today: GRAP (http://www.grap.coop)
+# @author: Sylvain LE GAL (https://twitter.com/legalsylvain)
+# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
+
+import re
+import uuid
+import StringIO
+import base64
+from psycopg2 import ProgrammingError
+
+from openerp import _, api, fields, models
+from openerp.exceptions import Warning as UserError
+
+
+class SQLRequestMixin(models.Model):
+ _name = 'sql.request.mixin'
+
+ _clean_query_enabled = True
+
+ _check_prohibited_words_enabled = True
+
+ _check_execution_enabled = True
+
+ _sql_request_groups_relation = False
+
+ _sql_request_users_relation = False
+
+ STATE_SELECTION = [
+ ('draft', 'Draft'),
+ ('sql_valid', 'SQL Valid'),
+ ]
+
+ PROHIBITED_WORDS = [
+ 'delete',
+ 'drop',
+ 'insert',
+ 'alter',
+ 'truncate',
+ 'execute',
+ 'create',
+ 'update',
+ 'ir_config_parameter',
+ ]
+
+ # Default Section
+ @api.model
+ def _default_group_ids(self):
+ ir_model_obj = self.env['ir.model.data']
+ return [ir_model_obj.xmlid_to_res_id(
+ 'sql_request_abstract.group_sql_request_user')]
+
+ @api.model
+ def _default_user_ids(self):
+ return []
+
+ # Columns Section
+ name = fields.Char('Name', required=True)
+
+ query = fields.Text(
+ string='Query', required=True, help="You can't use the following words"
+ ": DELETE, DROP, CREATE, INSERT, ALTER, TRUNCATE, EXECUTE, UPDATE")
+
+ state = fields.Selection(
+ string='State', selection=STATE_SELECTION, default='draft',
+ help="State of the Request:\n"
+ " * 'Draft': Not tested\n"
+ " * 'SQL Valid': SQL Request has been checked and is valid")
+
+ group_ids = fields.Many2many(
+ comodel_name='res.groups', string='Allowed Groups',
+ relation=_sql_request_groups_relation,
+ column1='sql_id', column2='group_id',
+ default=_default_group_ids)
+
+ user_ids = fields.Many2many(
+ comodel_name='res.users', string='Allowed Users',
+ relation=_sql_request_users_relation,
+ column1='sql_id', column2='user_id',
+ default=_default_user_ids)
+
+ # Action Section
+ @api.multi
+ def button_clean_check_request(self):
+ for item in self:
+ if item._clean_query_enabled:
+ item._clean_query()
+ if item._check_prohibited_words_enabled:
+ item._check_prohibited_words()
+ if item._check_execution_enabled:
+ item._check_execution()
+ item.state = 'sql_valid'
+
+ @api.multi
+ def button_set_draft(self):
+ self.write({'state': 'draft'})
+
+ # API Section
+ @api.multi
+ def _execute_sql_request(
+ self, params=None, mode='fetchall', rollback=True,
+ view_name=False, copy_options="CSV HEADER DELIMITER ';'"):
+ """Execute a SQL request on the current database.
+
+ ??? This function checks before if the user has the
+ right to execute the request.
+
+ :param params: (dict) of keys / values that will be replaced in
+ the sql query, before executing it.
+ :param mode: (str) result type expected. Available settings :
+ * 'view': create a view with the select query. Extra param
+ required 'view_name'.
+ * 'materialized_view': create a MATERIALIZED VIEW with the
+ select query. Extra parameter required 'view_name'.
+ * 'fetchall': execute the select request, and return the
+ result of 'cr.fetchall()'.
+ * 'fetchone' : execute the select request, and return the
+ result of 'cr.fetchone()'
+ :param rollback: (boolean) mention if a rollback should be played after
+ the execution of the query. Please keep this feature enabled
+ for security reason, except if necessary.
+ (Ignored if @mode in ('view', 'materialized_view'))
+ :param view_name: (str) name of the view.
+ (Ignored if @mode not in ('view', 'materialized_view'))
+ :param copy_options: (str) mentions extra options for
+ "COPY request STDOUT WITH xxx" request.
+ (Ignored if @mode != 'stdout')
+
+ ..note:: The following exceptions could be raised:
+ psycopg2.ProgrammingError: Error in the SQL Request.
+ openerp.exceptions.Warning:
+ * 'mode' is not implemented.
+ * materialized view is not supported by the Postgresql Server.
+ """
+ self.ensure_one()
+ res = False
+ # Check if the request is in a valid state
+ if self.state == 'draft':
+ raise UserError(_(
+ "It is not allowed to execute a not checked request."))
+
+ # Disable rollback if a creation of a view is asked
+ if mode in ('view', 'materialized_view'):
+ rollback = False
+
+ params = params and params or {}
+ query = self.env.cr.mogrify(self.query, params).decode('utf-8')
+
+ if mode in ('fetchone', 'fetchall'):
+ pass
+ elif mode == 'stdout':
+ query = "COPY (%s) TO STDOUT WITH %s" % (query, copy_options)
+ elif mode in 'view':
+ query = "CREATE VIEW %s AS (%s);" % (query, view_name)
+ elif mode in 'materialized_view':
+ self._check_materialized_view_available()
+ query = "CREATE MATERIALIZED VIEW %s AS (%s);" % (query, view_name)
+ else:
+ raise UserError(_("Unimplemented mode : '%s'" % mode))
+
+ if rollback:
+ rollback_name = self._create_savepoint()
+ try:
+ if mode == 'stdout':
+ output = StringIO.StringIO()
+ self.env.cr.copy_expert(query, output)
+ output.getvalue()
+ res = base64.b64encode(output.getvalue())
+ output.close()
+ else:
+ self.env.cr.execute(query)
+ if mode == 'fetchall':
+ res = self.env.cr.fetchall()
+ elif mode == 'fetchone':
+ res = self.env.cr.fetchone()
+ finally:
+ self._rollback_savepoint(rollback_name)
+
+ return res
+
+ # Private Section
+ @api.model
+ def _create_savepoint(self):
+ rollback_name = '%s_%s' % (
+ self._name.replace('.', '_'), uuid.uuid1().hex)
+ req = "SAVEPOINT %s" % (rollback_name)
+ self.env.cr.execute(req)
+ return rollback_name
+
+ @api.model
+ def _rollback_savepoint(self, rollback_name):
+ req = "ROLLBACK TO SAVEPOINT %s" % (rollback_name)
+ self.env.cr.execute(req)
+
+ @api.model
+ def _check_materialized_view_available(self):
+ self.env.cr.execute("SHOW server_version;")
+ res = self.env.cr.fetchone()[0].split('.')
+ minor_version = float('.'.join(res[:2]))
+ return minor_version >= 9.3
+
+ @api.multi
+ def _clean_query(self):
+ self.ensure_one()
+ query = self.query.strip()
+ while query[-1] == ';':
+ query = query[:-1]
+ self.query = query
+
+ @api.multi
+ def _check_prohibited_words(self):
+ """Check if the query contains prohibited words, to avoid maliscious
+ SQL requests"""
+ self.ensure_one()
+ query = self.query.lower()
+ for word in self.PROHIBITED_WORDS:
+ expr = r'\b%s\b' % word
+ is_not_safe = re.search(expr, query)
+ if is_not_safe:
+ raise UserError(_(
+ "The query is not allowed because it contains unsafe word"
+ " '%s'") % (word))
+
+ @api.multi
+ def _check_execution(self):
+ """Ensure that the query is valid, trying to execute it. A rollback
+ is done after."""
+ self.ensure_one()
+ query = self._prepare_request_check_execution()
+ rollback_name = self._create_savepoint()
+ res = False
+ try:
+ self.env.cr.execute(query)
+ res = self._hook_executed_request()
+ except ProgrammingError as e:
+ raise UserError(
+ _("The SQL query is not valid:\n\n %s") % e.message)
+ finally:
+ self._rollback_savepoint(rollback_name)
+ return res
+
+ @api.multi
+ def _prepare_request_check_execution(self):
+ """Overload me to replace some part of the query, if it contains
+ parameters"""
+ self.ensure_one()
+ return self.query
+
+ def _hook_executed_request(self):
+ """Overload me to insert custom code, when the SQL request has
+ been executed, before the rollback.
+ """
+ self.ensure_one()
+ return False
diff --git a/sql_request_abstract/security/ir.model.access.csv b/sql_request_abstract/security/ir.model.access.csv
new file mode 100644
index 000000000..beacf42c2
--- /dev/null
+++ b/sql_request_abstract/security/ir.model.access.csv
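Review bot: `_execute_sql_request` in sql_request_mixin.py never performs the access check its docstring announces ("checks before if the user has the right to execute the request"): `group_ids` and `user_ids` are not read anywhere in the method, and the only gate is `self.state == 'draft'`, which nothing in this hunk resets when `query` is edited after validation. The `PROHIBITED_WORDS` scan is a keyword denylist run once from `button_clean_check_request`, so it should be repeated at execution time and backed by a read-only transaction or a read-only database role rather than treated as the security boundary. The view branches of the same method also look broken: `mode in 'view'` is a substring test where `==` is meant, the `%` tuple is `(query, view_name)` while the format string expects `(view_name, query)`, the boolean returned by `_check_materialized_view_available()` is discarded, and, as far as the flattened indentation on this page shows, the `finally` calls `_rollback_savepoint(rollback_name)` even when `rollback` is False and `rollback_name` was never bound. `view_name` and `copy_options` are interpolated into the statement unquoted, so they should only ever come from code and never from user input. `_("Unimplemented mode : '%s'" % mode)` formats before the translation lookup and should read `_("Unimplemented mode : '%s'") % mode`.

```python
# … unchanged: ensure_one, draft-state check, rollback override for view modes …
if self._check_prohibited_words_enabled:
    # re-validate at execution time, in case the stored query changed after validation
    self._check_prohibited_words()

# … unchanged: params default, mogrify, 'fetchone' / 'fetchall' / 'stdout' branches …
elif mode == 'view':
    query = "CREATE VIEW %s AS (%s);" % (view_name, query)
elif mode == 'materialized_view':
    if not self._check_materialized_view_available():
        raise UserError(_(
            "Materialized view is not supported by the Postgresql Server."))
    query = "CREATE MATERIALIZED VIEW %s AS (%s);" % (view_name, query)
else:
    raise UserError(_("Unimplemented mode : '%s'") % mode)

rollback_name = self._create_savepoint() if rollback else None
try:
    # … unchanged: copy_expert / execute / fetch …
finally:
    if rollback_name:
        self._rollback_savepoint(rollback_name)
```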
@@ -0,0 +1,4 @@ +id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink +access_sql_request_mixin_all,access_sql_request_mixin_all,model_sql_request_mixin,,0,0,0,0 +access_sql_request_mixin_user,access_sql_request_mixin_user,model_sql_request_mixin,sql_request_abstract.group_sql_request_user,1,0,0,0 +access_sql_request_mixin_manager,access_sql_request_mixin_manager,model_sql_request_mixin,sql_request_abstract.group_sql_request_manager,1,1,1,1 diff --git a/sql_request_abstract/security/ir_module_category.xml b/sql_request_abstract/security/ir_module_category.xml new file mode 100644 index 000000000..2c7663336 --- /dev/null +++ b/sql_request_abstract/security/ir_module_category.xml @@ -0,0 +1,9 @@ + + + + + + Sql Request + + + diff --git a/sql_request_abstract/security/res_groups.xml b/sql_request_abstract/security/res_groups.xml new file mode 100644 index 000000000..893449251 --- /dev/null +++ b/sql_request_abstract/security/res_groups.xml @@ -0,0 +1,23 @@ + + + + + + + User + + + + + + Manager + + + + + + 
diff --git a/sql_request_abstract/static/description/icon.png b/sql_request_abstract/static/description/icon.png new file mode 100644 index 0000000000000000000000000000000000000000..3a0328b516c4980e8e44cdb63fd945757ddd132d GIT binary patch literal 9455 zcmW++2RxMjAAjx~&dlBk9S+%}OXg)AGE&Cb*&}d0jUxM@u(PQx^-s)697TX`ehR4?GS^qbkof1cslKgkU)h65qZ9Oc=ml_0temigYLJfnz{IDzUf>bGs4N!v3=Z3jMq&A#7%rM5eQ#dc?k~! zVpnB`o+K7|Al`Q_U;eD$B zfJtP*jH`siUq~{KE)`jP2|#TUEFGRryE2`i0**z#*^6~AI|YzIWy$Cu#CSLW3q=GA z6`?GZymC;dCPk~rBS%eCb`5OLr;RUZ;D`}um=H)BfVIq%7VhiMr)_#G0N#zrNH|__ zc+blN2UAB0=617@>_u;MPHN;P;N#YoE=)R#i$k_`UAA>WWCcEVMh~L_ zj--gtp&|K1#58Yz*AHCTMziU1Jzt_jG0I@qAOHsk$2}yTmVkBp_eHuY$A9)>P6o~I z%aQ?!(GqeQ-Y+b0I(m9pwgi(IIZZzsbMv+9w{PFtd_<_(LA~0H(xz{=FhLB@(1&qHA5EJw1>>=%q2f&^X>IQ{!GJ4e9U z&KlB)z(84HmNgm2hg2C0>WM{E(DdPr+EeU_N@57;PC2&DmGFW_9kP&%?X4}+xWi)( z;)z%wI5>D4a*5XwD)P--sPkoY(a~WBw;E~AW`Yue4kFa^LM3X`8x|}ZUeMnqr}>kH zG%WWW>3ml$Yez?i%)2pbKPI7?5o?hydokgQyZsNEr{a|mLdt;X2TX(#B1j35xPnPW z*bMSSOauW>o;*=kO8ojw91VX!qoOQb)zHJ!odWB}d+*K?#sY_jqPdg{Sm2HdYzdEx zOGVPhVRTGPtv0o}RfVP;Nd(|CB)I;*t&QO8h zFfekr30S!-LHmV_Su-W+rEwYXJ^;6&3|L$mMC8*bQptyOo9;>Qb9Q9`ySe3%V$A*9 zeKEe+b0{#KWGp$F+tga)0RtI)nhMa-K@JS}2krK~n8vJ=Ngm?R!9G<~RyuU0d?nz# z-5EK$o(!F?hmX*2Yt6+coY`6jGbb7tF#6nHA zuKk=GGJ;ZwON1iAfG$E#Y7MnZVmrY|j0eVI(DN_MNFJmyZ|;w4tf@=CCDZ#5N_0K= z$;R~bbk?}TpfDjfB&aiQ$VA}s?P}xPERJG{kxk5~R`iRS(SK5d+Xs9swCozZISbnS zk!)I0>t=A<-^z(cmSFz3=jZ23u13X><0b)P)^1T_))Kr`e!-pb#q&J*Q`p+B6la%C zuVl&0duN<;uOsB3%T9Fp8t{ED108<+W(nOZd?gDnfNBC3>M8WE61$So|P zVvqH0SNtDTcsUdzaMDpT=Ty0pDHHNL@Z0w$Y`XO z2M-_r1S+GaH%pz#Uy0*w$Vdl=X=rQXEzO}d6J^R6zjM1u&c9vYLvLp?W7w(?np9x1 zE_0JSAJCPB%i7p*Wvg)pn5T`8k3-uR?*NT|J`eS#_#54p>!p(mLDvmc-3o0mX*mp_ zN*AeS<>#^-{S%W<*mz^!X$w_2dHWpcJ6^j64qFBft-o}o_Vx80o0>}Du;>kLts;$8 zC`7q$QI(dKYG`Wa8#wl@V4jVWBRGQ@1dr-hstpQL)Tl+aqVpGpbSfN>5i&QMXfiZ> zaA?T1VGe?rpQ@;+pkrVdd{klI&jVS@I5_iz!=UMpTsa~mBga?1r}aRBm1WS;TT*s0f0lY=JBl66Upy)-k4J}lh=P^8(SXk~0xW=T9v*B|gzIhN 
z>qsO7dFd~mgxAy4V?&)=5ieYq?zi?ZEoj)&2o)RLy=@hbCRcfT5jigwtQGE{L*8<@Yd{zg;CsL5mvzfDY}P-wos_6PfprFVaeqNE%h zKZhLtcQld;ZD+>=nqN~>GvROfueSzJD&BE*}XfU|H&(FssBqY=hPCt`d zH?@s2>I(|;fcW&YM6#V#!kUIP8$Nkdh0A(bEVj``-AAyYgwY~jB zT|I7Bf@%;7aL7Wf4dZ%VqF$eiaC38OV6oy3Z#TER2G+fOCd9Iaoy6aLYbPTN{XRPz z;U!V|vBf%H!}52L2gH_+j;`bTcQRXB+y9onc^wLm5wi3-Be}U>k_u>2Eg$=k!(l@I zcCg+flakT2Nej3i0yn+g+}%NYb?ta;R?(g5SnwsQ49U8Wng8d|{B+lyRcEDvR3+`O{zfmrmvFrL6acVP%yG98X zo&+VBg@px@i)%o?dG(`T;n*$S5*rnyiR#=wW}}GsAcfyQpE|>a{=$Hjg=-*_K;UtD z#z-)AXwSRY?OPefw^iI+ z)AXz#PfEjlwTes|_{sB?4(O@fg0AJ^g8gP}ex9Ucf*@_^J(s_5jJV}c)s$`Myn|Kd z$6>}#q^n{4vN@+Os$m7KV+`}c%4)4pv@06af4-x5#wj!KKb%caK{A&Y#Rfs z-po?Dcb1({W=6FKIUirH&(yg=*6aLCekcKwyfK^JN5{wcA3nhO(o}SK#!CINhI`-I z1)6&n7O&ZmyFMuNwvEic#IiOAwNkR=u5it{B9n2sAJV5pNhar=j5`*N!Na;c7g!l$ z3aYBqUkqqTJ=Re-;)s!EOeij=7SQZ3Hq}ZRds%IM*PtM$wV z@;rlc*NRK7i3y5BETSKuumEN`Xu_8GP1Ri=OKQ$@I^ko8>H6)4rjiG5{VBM>B|%`&&s^)jS|-_95&yc=GqjNo{zFkw%%HHhS~e=s zD#sfS+-?*t|J!+ozP6KvtOl!R)@@-z24}`9{QaVLD^9VCSR2b`b!KC#o;Ki<+wXB6 zx3&O0LOWcg4&rv4QG0)4yb}7BFSEg~=IR5#ZRj8kg}dS7_V&^%#Do==#`u zpy6{ox?jWuR(;pg+f@mT>#HGWHAJRRDDDv~@(IDw&R>9643kK#HN`!1vBJHnC+RM&yIh8{gG2q zA%e*U3|N0XSRa~oX-3EAneep)@{h2vvd3Xvy$7og(sayr@95+e6~Xvi1tUqnIxoIH zVWo*OwYElb#uyW{Imam6f2rGbjR!Y3`#gPqkv57dB6K^wRGxc9B(t|aYDGS=m$&S!NmCtrMMaUg(c zc2qC=2Z`EEFMW-me5B)24AqF*bV5Dr-M5ig(l-WPS%CgaPzs6p_gnCIvTJ=Y<6!gT zVt@AfYCzjjsMEGi=rDQHo0yc;HqoRNnNFeWZgcm?f;cp(6CNylj36DoL(?TS7eU#+ z7&mfr#y))+CJOXQKUMZ7QIdS9@#-}7y2K1{8)cCt0~-X0O!O?Qx#E4Og+;A2SjalQ zs7r?qn0H044=sDN$SRG$arw~n=+T_DNdSrarmu)V6@|?1-ZB#hRn`uilTGPJ@fqEy zGt(f0B+^JDP&f=r{#Y_wi#AVDf-y!RIXU^0jXsFpf>=Ji*TeqSY!H~AMbJdCGLhC) zn7Rx+sXw6uYj;WRYrLd^5IZq@6JI1C^YkgnedZEYy<&4(z%Q$5yv#Boo{AH8n$a zhb4Y3PWdr269&?V%uI$xMcUrMzl=;w<_nm*qr=c3Rl@i5wWB;e-`t7D&c-mcQl7x! 
zZWB`UGcw=Y2=}~wzrfLx=uet<;m3~=8I~ZRuzvMQUQdr+yTV|ATf1Uuomr__nDf=X zZ3WYJtHp_ri(}SQAPjv+Y+0=fH4krOP@S&=zZ-t1jW1o@}z;xk8 z(Nz1co&El^HK^NrhVHa-_;&88vTU>_J33=%{if;BEY*J#1n59=07jrGQ#IP>@u#3A z;!q+E1Rj3ZJ+!4bq9F8PXJ@yMgZL;>&gYA0%_Kbi8?S=XGM~dnQZQ!yBSgcZhY96H zrWnU;k)qy`rX&&xlDyA%(a1Hhi5CWkmg(`Gb%m(HKi-7Z!LKGRP_B8@`7&hdDy5n= z`OIxqxiVfX@OX1p(mQu>0Ai*v_cTMiw4qRt3~NBvr9oBy0)r>w3p~V0SCm=An6@3n)>@z!|o-$HvDK z|3D2ZMJkLE5loMKl6R^ez@Zz%S$&mbeoqH5`Bb){Ei21q&VP)hWS2tjShfFtGE+$z zzCR$P#uktu+#!w)cX!lWN1XU%K-r=s{|j?)Akf@q#3b#{6cZCuJ~gCxuMXRmI$nGtnH+-h z+GEi!*X=AP<|fG`1>MBdTb?28JYc=fGvAi2I<$B(rs$;eoJCyR6_bc~p!XR@O-+sD z=eH`-ye})I5ic1eL~TDmtfJ|8`0VJ*Yr=hNCd)G1p2MMz4C3^Mj?7;!w|Ly%JqmuW zlIEW^Ft%z?*|fpXda>Jr^1noFZEwFgVV%|*XhH@acv8rdGxeEX{M$(vG{Zw+x(ei@ zmfXb22}8-?Fi`vo-YVrTH*C?a8%M=Hv9MqVH7H^J$KsD?>!SFZ;ZsvnHr_gn=7acz z#W?0eCdVhVMWN12VV^$>WlQ?f;P^{(&pYTops|btm6aj>_Uz+hqpGwB)vWp0Cf5y< zft8-je~nn?W11plq}N)4A{l8I7$!ks_x$PXW-2XaRFswX_BnF{R#6YIwMhAgd5F9X zGmwdadS6(a^fjHtXg8=l?Rc0Sm%hk6E9!5cLVloEy4eh(=FwgP`)~I^5~pBEWo+F6 zSf2ncyMurJN91#cJTy_u8Y}@%!bq1RkGC~-bV@SXRd4F{R-*V`bS+6;W5vZ(&+I<9$;-V|eNfLa5n-6% z2(}&uGRF;p92eS*sE*oR$@pexaqr*meB)VhmIg@h{uzkk$9~qh#cHhw#>O%)b@+(| z^IQgqzuj~Sk(J;swEM-3TrJAPCq9k^^^`q{IItKBRXYe}e0Tdr=Huf7da3$l4PdpwWDop%^}n;dD#K4s#DYA8SHZ z&1!riV4W4R7R#C))JH1~axJ)RYnM$$lIR%6fIVA@zV{XVyx}C+a-Dt8Y9M)^KU0+H zR4IUb2CJ{Hg>CuaXtD50jB(_Tcx=Z$^WYu2u5kubqmwp%drJ6 z?Fo40g!Qd<-l=TQxqHEOuPX0;^z7iX?Ke^a%XT<13TA^5`4Xcw6D@Ur&VT&CUe0d} z1GjOVF1^L@>O)l@?bD~$wzgf(nxX1OGD8fEV?TdJcZc2KoUe|oP1#=$$7ee|xbY)A zDZq+cuTpc(fFdj^=!;{k03C69lMQ(|>uhRfRu%+!k&YOi-3|1QKB z z?n?eq1XP>p-IM$Z^C;2L3itnbJZAip*Zo0aw2bs8@(s^~*8T9go!%dHcAz2lM;`yp zD=7&xjFV$S&5uDaiScyD?B-i1ze`+CoRtz`Wn+Zl&#s4&}MO{@N!ufrzjG$B79)Y2d3tBk&)TxUTw@QS0TEL_?njX|@vq?Uz(nBFK5Pq7*xj#u*R&i|?7+6# z+|r_n#SW&LXhtheZdah{ZVoqwyT{D>MC3nkFF#N)xLi{p7J1jXlmVeb;cP5?e(=f# zuT7fvjSbjS781v?7{)-X3*?>tq?)Yd)~|1{BDS(pqC zC}~H#WXlkUW*H5CDOo<)#x7%RY)A;ShGhI5s*#cRDA8YgqG(HeKDx+#(ZQ?386dv! 
zlXCO)w91~Vw4AmOcATuV653fa9R$fyK8ul%rG z-wfS zihugoZyr38Im?Zuh6@RcF~t1anQu7>#lPpb#}4cOA!EM11`%f*07RqOVkmX{p~KJ9 z^zP;K#|)$`^Rb{rnHGH{~>1(fawV0*Z#)}M`m8-?ZJV<+e}s9wE# z)l&az?w^5{)`S(%MRzxdNqrs1n*-=jS^_jqE*5XDrA0+VE`5^*p3CuM<&dZEeCjoz zR;uu_H9ZPZV|fQq`Cyw4nscrVwi!fE6ciMmX$!_hN7uF;jjKG)d2@aC4ropY)8etW=xJvni)8eHi`H$%#zn^WJ5NLc-rqk|u&&4Z6fD_m&JfSI1Bvb?b<*n&sfl0^t z=HnmRl`XrFvMKB%9}>PaA`m-fK6a0(8=qPkWS5bb4=v?XcWi&hRY?O5HdulRi4?fN zlsJ*N-0Qw+Yic@s0(2uy%F@ib;GjXt01Fmx5XbRo6+n|pP(&nodMoap^z{~q ziEeaUT@Mxe3vJSfI6?uLND(CNr=#^W<1b}jzW58bIfyWTDle$mmS(|x-0|2UlX+9k zQ^EX7Nw}?EzVoBfT(-LT|=9N@^hcn-_p&sqG z&*oVs2JSU+N4ZD`FhCAWaS;>|wH2G*Id|?pa#@>tyxX`+4HyIArWDvVrX)2WAOQff z0qyHu&-S@i^MS-+j--!pr4fPBj~_8({~e1bfcl0wI1kaoN>mJL6KUPQm5N7lB(ui1 zE-o%kq)&djzWJ}ob<-GfDlkB;F31j-VHKvQUGQ3sp`CwyGJk_i!y^sD0fqC@$9|jO zOqN!r!8-p==F@ZVP=U$qSpY(gQ0)59P1&t@y?5rvg<}E+GB}26NYPp4f2YFQrQtot5mn3wu_qprZ=>Ig-$ zbW26Ws~IgY>}^5w`vTB(G`PTZaDiGBo5o(tp)qli|NeV( z@H_=R8V39rt5J5YB2Ky?4eJJ#b`_iBe2ot~6%7mLt5t8Vwi^Jy7|jWXqa3amOIoRb zOr}WVFP--DsS`1WpN%~)t3R!arKF^Q$e12KEqU36AWwnCBICpH4XCsfnyrHr>$I$4 z!DpKX$OKLWarN7nv@!uIA+~RNO)l$$w}p(;b>mx8pwYvu;dD_unryX_NhT8*Tj>BTrTTL&!?O+%Rv;b?B??gSzdp?6Uug9{ zd@V08Z$BdI?fpoCS$)t4mg4rT8Q_I}h`0d-vYZ^|dOB*Q^S|xqTV*vIg?@fVFSmMpaw0qtTRbx} z({Pg?#{2`sc9)M5N$*N|4;^t$+QP?#mov zGVC@I*lBVrOU-%2y!7%)fAKjpEFsgQc4{amtiHb95KQEwvf<(3T<9-Zm$xIew#P22 zc2Ix|App^>v6(3L_MCU0d3W##AB0M~3D00EWoKZqsJYT(#@w$Y_H7G22M~ApVFTRHMI_3be)Lkn#0F*V8Pq zc}`Cjy$bE;FJ6H7p=0y#R>`}-m4(0F>%@P|?7fx{=R^uFdISRnZ2W_xQhD{YuR3t< z{6yxu=4~JkeA;|(J6_nv#>Nvs&FuLA&PW^he@t(UwFFE8)|a!R{`E`K`i^ZnyE4$k z;(749Ix|oi$c3QbEJ3b~D_kQsPz~fIUKym($a_7dJ?o+40*OLl^{=&oq$<#Q(yyrp z{J-FAniyAw9tPbe&IhQ|a`DqFTVQGQ&Gq3!C2==4x{6EJwiPZ8zub-iXoUtkJiG{} zPaR&}_fn8_z~(=;5lD-aPWD3z8PZS@AaUiomF!G8I}Mf>e~0g#BelA-5#`cj;O5>N Xviia!U7SGha1wx#SCgwmn*{w2TRX*I literal 0 HcmV?d00001