
Access Control Temporal Data Facet

Manages time-bound role assignments and checks for expired roles

Key Features
  • Manages temporal role assignments and checks for expiry.
  • Exposes getRoleExpiry, isRoleExpired, and requireValidRole for role validation.
  • Operates on shared diamond storage via internal getStorage and getAccessControlStorage functions.
  • Exports its selectors for diamond registration.

Overview

This facet provides functionality for managing time-bound access control roles within a Compose diamond. It exposes external view functions to check role expiry and internal functions to access its specific storage layout. This facet integrates with other access control facets by operating on shared diamond storage.

Storage

AccessControlStorage

Definition
struct AccessControlStorage {
    mapping(address account => mapping(bytes32 role => bool hasRole)) hasRole;
    mapping(bytes32 role => bytes32 adminRole) adminRole;
}

AccessControlTemporalStorage

Definition
struct AccessControlTemporalStorage {
    mapping(address account => mapping(bytes32 role => uint256 expiryTimestamp)) roleExpiry;
}

State Variables

| Property | Type | Description |
| --- | --- | --- |
| ACCESS_CONTROL_STORAGE_POSITION | bytes32 | Diamond storage slot position for this module (Value: keccak256("compose.accesscontrol")) |
| TEMPORAL_STORAGE_POSITION | bytes32 | Diamond storage slot position for this module (Value: keccak256("compose.accesscontrol.temporal")) |

Functions

getRoleExpiry

Returns the expiry timestamp for a role assignment.

function getRoleExpiry(bytes32 _role, address _account) external view returns (uint256);

Parameters:

| Property | Type | Description |
| --- | --- | --- |
| _role | bytes32 | The role to check. |
| _account | address | The account to check. |

Returns:

| Property | Type | Description |
| --- | --- | --- |
| - | uint256 | The expiry timestamp, or 0 if no expiry is set. |

isRoleExpired

Checks if a role assignment has expired.

function isRoleExpired(bytes32 _role, address _account) external view returns (bool);

Parameters:

| Property | Type | Description |
| --- | --- | --- |
| _role | bytes32 | The role to check. |
| _account | address | The account to check. |

Returns:

| Property | Type | Description |
| --- | --- | --- |
| - | bool | True if the role has expired or doesn't exist, false if still valid. |

requireValidRole

Checks if an account has a valid (non-expired) role.
  • Reverts with AccessControlUnauthorizedAccount if the account does not have the role.
  • Reverts with AccessControlRoleExpired if the role has expired.

function requireValidRole(bytes32 _role, address _account) external view;

Parameters:

| Property | Type | Description |
| --- | --- | --- |
| _role | bytes32 | The role to check. |
| _account | address | The account to check the role for. |

exportSelectors

Exports the selectors that are exposed by the facet.

function exportSelectors() external pure returns (bytes memory);

Returns:

| Property | Type | Description |
| --- | --- | --- |
| - | bytes | Selectors that are exported by the facet. |

Events

Errors

Best Practices

  • Ensure the AccessControlTemporalDataFacet is correctly initialized with its storage slot.
  • When granting roles with expiry, ensure the _expiresAt timestamp is set appropriately.
  • Verify that requireValidRole is called before sensitive operations that depend on time-bound roles.
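
One way to apply the last practice from another facet in the same diamond (an added example, not code from Compose): the interface repeats only the three view functions documented above, while TreasuryFacet, TREASURER_ROLE, sweep, and secondsUntilExpiry are hypothetical names. It assumes both facets are registered in one diamond, so address(this) routes to this facet's selectors.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Only the view functions documented on this page.
interface IAccessControlTemporalData {
    function getRoleExpiry(bytes32 _role, address _account) external view returns (uint256);
    function isRoleExpired(bytes32 _role, address _account) external view returns (bool);
    function requireValidRole(bytes32 _role, address _account) external view;
}

// Hypothetical facet used for illustration; not part of Compose.
contract TreasuryFacet {
    bytes32 internal constant TREASURER_ROLE = keccak256("TREASURER_ROLE"); // assumed role id

    event Swept(address indexed by, address indexed to, uint256 amount);

    modifier onlyValidRole(bytes32 role) {
        // Call back through the diamond; a revert with AccessControlUnauthorizedAccount
        // or AccessControlRoleExpired bubbles up unchanged and aborts the call.
        IAccessControlTemporalData(address(this)).requireValidRole(role, msg.sender);
        _;
    }

    // Sensitive operation: the role check runs before any value leaves the diamond.
    function sweep(address payable to, uint256 amount) external onlyValidRole(TREASURER_ROLE) {
        emit Swept(msg.sender, to, amount);
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Monitoring helper: seconds of validity left, 0 if the role is expired or missing.
    function secondsUntilExpiry(address account) external view returns (uint256) {
        IAccessControlTemporalData acl = IAccessControlTemporalData(address(this));
        // Ask isRoleExpired first: getRoleExpiry returns 0 when no expiry is set,
        // so the raw timestamp alone must not be read as a deadline.
        if (acl.isRoleExpired(TREASURER_ROLE, account)) return 0;
        uint256 expiry = acl.getRoleExpiry(TREASURER_ROLE, account);
        return expiry > block.timestamp ? expiry - block.timestamp : 0;
    }
}
```

The check is made at call time on every invocation, so a role that expires between two transactions is rejected on the second one without any revocation step.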

Security Considerations


This facet exposes requireValidRole, which reverts with AccessControlUnauthorizedAccount if the account lacks the role, or AccessControlRoleExpired if the role has expired. Input validation for role names and account addresses is handled by the underlying logic. No reentrancy concerns are present as all exposed functions are view or pure.
