AccessControlUpgradeable
Inherits: Initializable, ContextUpgradeable, IAccessControl, ERC165Upgradeable
*Contract module that allows children to implement role-based access
control mechanisms. This is a lightweight version that doesn't allow enumerating role
members except through off-chain means by accessing the contract event logs. Some
applications may benefit from on-chain enumerability, for those cases see
{AccessControlEnumerable}.
Roles are referred to by their `bytes32` identifier. These should be exposed
in the external API and be unique. The best way to achieve this is by
using `public constant` hash digests:
bytes32 public constant MY_ROLE = keccak256("MY_ROLE");
Roles can be used to represent a set of permissions. To restrict access to a function call, use {hasRole}:
function foo() public {
    require(hasRole(MY_ROLE, msg.sender));
    ...
}
Roles can be granted and revoked dynamically via the {grantRole} and
{revokeRole} functions. Each role has an associated admin role, and only
accounts that have a role's admin role can call {grantRole} and {revokeRole}.
By default, the admin role for all roles is `DEFAULT_ADMIN_ROLE`, which means
that only accounts with this role will be able to grant or revoke other
roles. More complex role relationships can be created by using
{_setRoleAdmin}.
WARNING: The `DEFAULT_ADMIN_ROLE` is also its own admin: it has permission to
grant and revoke this role. Extra precautions should be taken to secure
accounts that have been granted it. We recommend using {AccessControlDefaultAdminRules}
to enforce additional security measures for this role.*
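The role model described above, wired into an upgradeable contract. This is an added example, not code from the original page or from OpenZeppelin: the contract `VaultExample`, the roles `PAUSER_ROLE` and `PAUSER_ADMIN_ROLE`, and the `pause`/`unpause` functions are hypothetical; only the inherited members are the ones documented on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {AccessControlUpgradeable} from
    "@openzeppelin/contracts-upgradeable/access/AccessControlUpgradeable.sol";

// Added example: VaultExample, its role names and its functions are hypothetical.
contract VaultExample is AccessControlUpgradeable {
    bytes32 public constant PAUSER_ROLE = keccak256("PAUSER_ROLE");
    bytes32 public constant PAUSER_ADMIN_ROLE = keccak256("PAUSER_ADMIN_ROLE");

    bool public paused;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Lock the implementation contract so initialize() can only run
        // through a proxy, never on the implementation itself.
        _disableInitializers();
    }

    function initialize(address admin, address pauserAdmin) external initializer {
        require(admin != address(0) && pauserAdmin != address(0), "zero address");
        __AccessControl_init();

        // _grantRole is internal and has no access restriction, so it is
        // called only here, behind the initializer modifier.
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
        _grantRole(PAUSER_ADMIN_ROLE, pauserAdmin);

        // PAUSER_ROLE is now granted and revoked by PAUSER_ADMIN_ROLE holders
        // instead of DEFAULT_ADMIN_ROLE holders.
        // Caveat: PAUSER_ADMIN_ROLE itself still has DEFAULT_ADMIN_ROLE as its
        // admin, so a DEFAULT_ADMIN_ROLE holder can grant itself
        // PAUSER_ADMIN_ROLE and remains the root of the hierarchy.
        _setRoleAdmin(PAUSER_ROLE, PAUSER_ADMIN_ROLE);
    }

    // Reverts with AccessControlUnauthorizedAccount(msg.sender, PAUSER_ROLE)
    // when the caller lacks the role.
    function pause() external onlyRole(PAUSER_ROLE) {
        paused = true;
    }

    // Unpausing is kept with the default admin so a single compromised
    // pauser cannot toggle the contract in both directions.
    function unpause() external onlyRole(DEFAULT_ADMIN_ROLE) {
        paused = false;
    }
}
```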
State Variables
DEFAULT_ADMIN_ROLE
bytes32 public constant DEFAULT_ADMIN_ROLE = 0x00;
AccessControlStorageLocation
bytes32 private constant AccessControlStorageLocation =
    0x02dd7bc7dec4dceedda775e58dd541e08a116c6c53815c0bd028192f7b626800;
Functions
_getAccessControlStorage
function _getAccessControlStorage() private pure returns (AccessControlStorage storage $);
onlyRole
Modifier that checks that an account has a specific role. Reverts with an {AccessControlUnauthorizedAccount} error including the required role.
modifier onlyRole(bytes32 role);
__AccessControl_init
function __AccessControl_init() internal onlyInitializing;
__AccessControl_init_unchained
function __AccessControl_init_unchained() internal onlyInitializing;
supportsInterface
Query if a contract implements an interface
Interface identification is specified in ERC-165. This function uses less than 30,000 gas.
function supportsInterface(bytes4 interfaceId) public view virtual override returns (bool);
Parameters
Name | Type | Description |
---|---|---|
interfaceId | bytes4 | |
Returns
Name | Type | Description |
---|---|---|
<none> | bool | true if the contract implements interfaceID and interfaceID is not 0xffffffff, false otherwise |
hasRole
Returns `true` if `account` has been granted `role`.
function hasRole(bytes32 role, address account) public view virtual returns (bool);
_checkRole
Reverts with an {AccessControlUnauthorizedAccount} error if `_msgSender()` is missing `role`. Overriding this function changes the behavior of the {onlyRole} modifier.
function _checkRole(bytes32 role) internal view virtual;
_checkRole
Reverts with an {AccessControlUnauthorizedAccount} error if `account` is missing `role`.
function _checkRole(bytes32 role, address account) internal view virtual;
getRoleAdmin
Returns the admin role that controls `role`. See {grantRole} and {revokeRole}.
To change a role's admin, use {_setRoleAdmin}.
function getRoleAdmin(bytes32 role) public view virtual returns (bytes32);
grantRole
*Grants `role` to `account`.
If `account` had not been already granted `role`, emits a {RoleGranted} event.
Requirements:
- the caller must have `role`'s admin role.
May emit a {RoleGranted} event.*
function grantRole(bytes32 role, address account) public virtual onlyRole(getRoleAdmin(role));
revokeRole
*Revokes `role` from `account`.
If `account` had been granted `role`, emits a {RoleRevoked} event.
Requirements:
- the caller must have `role`'s admin role.
May emit a {RoleRevoked} event.*
function revokeRole(bytes32 role, address account) public virtual onlyRole(getRoleAdmin(role));
renounceRole
*Revokes `role` from the calling account.
Roles are often managed via {grantRole} and {revokeRole}: this function's
purpose is to provide a mechanism for accounts to lose their privileges
if they are compromised (such as when a trusted device is misplaced).
If the calling account had been granted `role`, emits a {RoleRevoked} event.
Requirements:
- the caller must be `callerConfirmation`.
May emit a {RoleRevoked} event.*
function renounceRole(bytes32 role, address callerConfirmation) public virtual;
_setRoleAdmin
Sets `adminRole` as `role`'s admin role.
Emits a {RoleAdminChanged} event.
function _setRoleAdmin(bytes32 role, bytes32 adminRole) internal virtual;
_grantRole
Attempts to grant `role` to `account` and returns a boolean indicating if `role` was granted.
Internal function without access restriction.
May emit a {RoleGranted} event.
function _grantRole(bytes32 role, address account) internal virtual returns (bool);
_revokeRole
Attempts to revoke `role` from `account` and returns a boolean indicating if `role` was revoked.
Internal function without access restriction.
May emit a {RoleRevoked} event.
function _revokeRole(bytes32 role, address account) internal virtual returns (bool);
Structs
RoleData
struct RoleData {
    mapping(address account => bool) hasRole;
    bytes32 adminRole;
}
AccessControlStorage
Note: storage-location: erc7201:openzeppelin.storage.AccessControl
struct AccessControlStorage {
    mapping(bytes32 role => RoleData) _roles;
}