AccessControl.sol 7.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213
  1. // SPDX-License-Identifier: MIT
  2. pragma solidity ^0.8.0;
  3. import "../utils/Context.sol";
  4. import "../utils/introspection/ERC165.sol";
  5. /**
  6. * @dev External interface of AccessControl declared to support ERC165 detection.
  7. */
  8. interface IAccessControl {
  9. function hasRole(bytes32 role, address account) external view returns (bool);
  10. function getRoleAdmin(bytes32 role) external view returns (bytes32);
  11. function grantRole(bytes32 role, address account) external;
  12. function revokeRole(bytes32 role, address account) external;
  13. function renounceRole(bytes32 role, address account) external;
  14. }
  15. /**
  16. * @dev Contract module that allows children to implement role-based access
  17. * control mechanisms. This is a lightweight version that doesn't allow enumerating role
  18. * members except through off-chain means by accessing the contract event logs. Some
  19. * applications may benefit from on-chain enumerability, for those cases see
  20. * {AccessControlEnumerable}.
  21. *
  22. * Roles are referred to by their `bytes32` identifier. These should be exposed
  23. * in the external API and be unique. The best way to achieve this is by
  24. * using `public constant` hash digests:
  25. *
  26. * ```
  27. * bytes32 public constant MY_ROLE = keccak256("MY_ROLE");
  28. * ```
  29. *
  30. * Roles can be used to represent a set of permissions. To restrict access to a
  31. * function call, use {hasRole}:
  32. *
  33. * ```
  34. * function foo() public {
  35. * require(hasRole(MY_ROLE, msg.sender));
  36. * ...
  37. * }
  38. * ```
  39. *
  40. * Roles can be granted and revoked dynamically via the {grantRole} and
  41. * {revokeRole} functions. Each role has an associated admin role, and only
  42. * accounts that have a role's admin role can call {grantRole} and {revokeRole}.
  43. *
  44. * By default, the admin role for all roles is `DEFAULT_ADMIN_ROLE`, which means
  45. * that only accounts with this role will be able to grant or revoke other
  46. * roles. More complex role relationships can be created by using
  47. * {_setRoleAdmin}.
  48. *
  49. * WARNING: The `DEFAULT_ADMIN_ROLE` is also its own admin: it has permission to
  50. * grant and revoke this role. Extra precautions should be taken to secure
  51. * accounts that have been granted it.
  52. */
  53. abstract contract AccessControl is Context, IAccessControl, ERC165 {
  54. struct RoleData {
  55. mapping (address => bool) members;
  56. bytes32 adminRole;
  57. }
  58. mapping (bytes32 => RoleData) private _roles;
  59. bytes32 public constant DEFAULT_ADMIN_ROLE = 0x00;
  60. /**
  61. * @dev Emitted when `newAdminRole` is set as ``role``'s admin role, replacing `previousAdminRole`
  62. *
  63. * `DEFAULT_ADMIN_ROLE` is the starting admin for all roles, despite
  64. * {RoleAdminChanged} not being emitted signaling this.
  65. *
  66. * _Available since v3.1._
  67. */
  68. event RoleAdminChanged(bytes32 indexed role, bytes32 indexed previousAdminRole, bytes32 indexed newAdminRole);
  69. /**
  70. * @dev Emitted when `account` is granted `role`.
  71. *
  72. * `sender` is the account that originated the contract call, an admin role
  73. * bearer except when using {_setupRole}.
  74. */
  75. event RoleGranted(bytes32 indexed role, address indexed account, address indexed sender);
  76. /**
  77. * @dev Emitted when `account` is revoked `role`.
  78. *
  79. * `sender` is the account that originated the contract call:
  80. * - if using `revokeRole`, it is the admin role bearer
  81. * - if using `renounceRole`, it is the role bearer (i.e. `account`)
  82. */
  83. event RoleRevoked(bytes32 indexed role, address indexed account, address indexed sender);
  84. /**
  85. * @dev See {IERC165-supportsInterface}.
  86. */
  87. function supportsInterface(bytes4 interfaceId) public view virtual override returns (bool) {
  88. return interfaceId == type(IAccessControl).interfaceId
  89. || super.supportsInterface(interfaceId);
  90. }
  91. /**
  92. * @dev Returns `true` if `account` has been granted `role`.
  93. */
  94. function hasRole(bytes32 role, address account) public view override returns (bool) {
  95. return _roles[role].members[account];
  96. }
  97. /**
  98. * @dev Returns the admin role that controls `role`. See {grantRole} and
  99. * {revokeRole}.
  100. *
  101. * To change a role's admin, use {_setRoleAdmin}.
  102. */
  103. function getRoleAdmin(bytes32 role) public view override returns (bytes32) {
  104. return _roles[role].adminRole;
  105. }
  106. /**
  107. * @dev Grants `role` to `account`.
  108. *
  109. * If `account` had not been already granted `role`, emits a {RoleGranted}
  110. * event.
  111. *
  112. * Requirements:
  113. *
  114. * - the caller must have ``role``'s admin role.
  115. */
  116. function grantRole(bytes32 role, address account) public virtual override {
  117. require(hasRole(getRoleAdmin(role), _msgSender()), "AccessControl: sender must be an admin to grant");
  118. _grantRole(role, account);
  119. }
  120. /**
  121. * @dev Revokes `role` from `account`.
  122. *
  123. * If `account` had been granted `role`, emits a {RoleRevoked} event.
  124. *
  125. * Requirements:
  126. *
  127. * - the caller must have ``role``'s admin role.
  128. */
  129. function revokeRole(bytes32 role, address account) public virtual override {
  130. require(hasRole(getRoleAdmin(role), _msgSender()), "AccessControl: sender must be an admin to revoke");
  131. _revokeRole(role, account);
  132. }
  133. /**
  134. * @dev Revokes `role` from the calling account.
  135. *
  136. * Roles are often managed via {grantRole} and {revokeRole}: this function's
  137. * purpose is to provide a mechanism for accounts to lose their privileges
  138. * if they are compromised (such as when a trusted device is misplaced).
  139. *
  140. * If the calling account had been granted `role`, emits a {RoleRevoked}
  141. * event.
  142. *
  143. * Requirements:
  144. *
  145. * - the caller must be `account`.
  146. */
  147. function renounceRole(bytes32 role, address account) public virtual override {
  148. require(account == _msgSender(), "AccessControl: can only renounce roles for self");
  149. _revokeRole(role, account);
  150. }
  151. /**
  152. * @dev Grants `role` to `account`.
  153. *
  154. * If `account` had not been already granted `role`, emits a {RoleGranted}
  155. * event. Note that unlike {grantRole}, this function doesn't perform any
  156. * checks on the calling account.
  157. *
  158. * [WARNING]
  159. * ====
  160. * This function should only be called from the constructor when setting
  161. * up the initial roles for the system.
  162. *
  163. * Using this function in any other way is effectively circumventing the admin
  164. * system imposed by {AccessControl}.
  165. * ====
  166. */
  167. function _setupRole(bytes32 role, address account) internal virtual {
  168. _grantRole(role, account);
  169. }
  170. /**
  171. * @dev Sets `adminRole` as ``role``'s admin role.
  172. *
  173. * Emits a {RoleAdminChanged} event.
  174. */
  175. function _setRoleAdmin(bytes32 role, bytes32 adminRole) internal virtual {
  176. emit RoleAdminChanged(role, getRoleAdmin(role), adminRole);
  177. _roles[role].adminRole = adminRole;
  178. }
  179. function _grantRole(bytes32 role, address account) private {
  180. if (!hasRole(role, account)) {
  181. _roles[role].members[account] = true;
  182. emit RoleGranted(role, account, _msgSender());
  183. }
  184. }
  185. function _revokeRole(bytes32 role, address account) private {
  186. if (hasRole(role, account)) {
  187. _roles[role].members[account] = false;
  188. emit RoleRevoked(role, account, _msgSender());
  189. }
  190. }
  191. }