Access Control Temporal Data Module

Manages temporal role assignments and their expiry

Key Features
  • Provides internal functions for temporal role management.
  • Leverages diamond storage for temporal role data.
  • Reverts with specific errors for expired roles or unauthorized accounts.
  • No external dependencies; designed for direct integration into facets.
Module Usage

This module provides internal functions for use in your custom facets. Import it to access shared logic and storage.

Overview

This module provides internal functions to manage temporal role assignments, including their expiry. Facets can import this module to check and enforce role validity using shared diamond storage. Changes to role expiry are immediately visible to all facets accessing the same storage.

Storage

AccessControlStorage

Storage struct for AccessControl (reused struct definition). Must match the struct definition in AccessControlDataFacet. storage-location: erc8042:compose.accesscontrol

Definition
struct AccessControlStorage {
    mapping(address account => mapping(bytes32 role => bool hasRole)) hasRole;
    mapping(bytes32 role => bytes32 adminRole) adminRole;
}

AccessControlTemporalStorage

Storage struct for AccessControlTemporal. storage-location: erc8042:compose.accesscontrol.temporal

Definition
struct AccessControlTemporalStorage {
    mapping(address account => mapping(bytes32 role => uint256 expiryTimestamp)) roleExpiry;
}

State Variables

| Property | Type | Description |
| --- | --- | --- |
| ACCESS_CONTROL_STORAGE_POSITION | bytes32 | Diamond storage slot position for this module (Value: keccak256("compose.accesscontrol")) |
| TEMPORAL_STORAGE_POSITION | bytes32 | Diamond storage slot position for this module (Value: keccak256("compose.accesscontrol.temporal")) |

Functions

getAccessControlStorage

Returns the storage for AccessControl.

function getAccessControlStorage() pure returns (AccessControlStorage storage s);

Returns:

| Property | Type | Description |
| --- | --- | --- |
| s | AccessControlStorage | The AccessControl storage struct. |

getRoleExpiry

Returns the expiry timestamp for a role assignment.

function getRoleExpiry(bytes32 _role, address _account) view returns (uint256);

Parameters:

| Property | Type | Description |
| --- | --- | --- |
| _role | bytes32 | The role to check. |
| _account | address | The account to check. |

Returns:

| Property | Type | Description |
| --- | --- | --- |
| - | uint256 | The expiry timestamp, or 0 if no expiry is set. |

getStorage

Returns the storage for AccessControlTemporal.

function getStorage() pure returns (AccessControlTemporalStorage storage s);

Returns:

| Property | Type | Description |
| --- | --- | --- |
| s | AccessControlTemporalStorage | The AccessControlTemporal storage struct. |

isRoleExpired

Checks if a role assignment has expired.

function isRoleExpired(bytes32 _role, address _account) view returns (bool);

Parameters:

| Property | Type | Description |
| --- | --- | --- |
| _role | bytes32 | The role to check. |
| _account | address | The account to check. |

Returns:

| Property | Type | Description |
| --- | --- | --- |
| - | bool | True if the role has expired or doesn't exist, false if still valid. |

requireValidRole

Checks if an account has a valid (non-expired) role.

Notes:
  • Reverts with AccessControlUnauthorizedAccount if the account does not have the role.
  • Reverts with AccessControlRoleExpired if the role has expired.

function requireValidRole(bytes32 _role, address _account) view;

Parameters:

| Property | Type | Description |
| --- | --- | --- |
| _role | bytes32 | The role to check. |
| _account | address | The account to check the role for. |

Events

Errors

Best Practices

Best Practice
  • Ensure temporal role expiry checks are performed before critical operations.
  • Handle AccessControlRoleExpired and AccessControlUnauthorizedAccount errors explicitly when calling requireValidRole.
  • Verify that the AccessControlTemporalDataMod is initialized with the correct storage slot and that related modules are compatible.
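
The guard placement recommended above, as an added example that is not Compose's own code: a stand-in for the module's documented functions and storage layout, followed by a hypothetical TreasuryFacet that calls requireValidRole before moving funds. The struct layouts, slot strings and function signatures are taken from this page; the error parameters, the ">=" expiry comparison, and the TreasuryFacet and TREASURER_ROLE names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Compose source. Assumptions: the error parameters, the
// ">=" expiry comparison, TreasuryFacet and TREASURER_ROLE.
error AccessControlUnauthorizedAccount(address account, bytes32 role);
error AccessControlRoleExpired(bytes32 role, address account);

struct AccessControlStorage {
    mapping(address account => mapping(bytes32 role => bool hasRole)) hasRole;
    mapping(bytes32 role => bytes32 adminRole) adminRole;
}
struct AccessControlTemporalStorage {
    mapping(address account => mapping(bytes32 role => uint256 expiryTimestamp)) roleExpiry;
}

bytes32 constant ACCESS_CONTROL_STORAGE_POSITION = keccak256("compose.accesscontrol");
bytes32 constant TEMPORAL_STORAGE_POSITION = keccak256("compose.accesscontrol.temporal");

function getAccessControlStorage() pure returns (AccessControlStorage storage s) {
    bytes32 position = ACCESS_CONTROL_STORAGE_POSITION;
    assembly { s.slot := position }
}

function getStorage() pure returns (AccessControlTemporalStorage storage s) {
    bytes32 position = TEMPORAL_STORAGE_POSITION;
    assembly { s.slot := position }
}

function requireValidRole(bytes32 _role, address _account) view {
    // Membership is read from one slot, expiry from the other.
    if (!getAccessControlStorage().hasRole[_account][_role]) {
        revert AccessControlUnauthorizedAccount(_account, _role);
    }
    if (block.timestamp >= getStorage().roleExpiry[_account][_role]) {
        revert AccessControlRoleExpired(_role, _account);
    }
}

contract TreasuryFacet {
    bytes32 constant TREASURER_ROLE = keccak256("TREASURER_ROLE");

    function withdraw(address payable _to, uint256 _amount) external {
        // Check membership and expiry first, before any transfer or state change.
        requireValidRole(TREASURER_ROLE, msg.sender);
        (bool ok, ) = _to.call{value: _amount}("");
        require(ok, "transfer failed");
    }
}
```

Under the assumed comparison, an account whose hasRole entry is true but whose roleExpiry entry is still 0 is rejected with AccessControlRoleExpired, so a grant that never sets an expiry fails closed.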

Integration Notes

Shared Storage

This module reads two diamond storage positions. Role membership lives in the AccessControlStorage struct at ACCESS_CONTROL_STORAGE_POSITION, identified by keccak256("compose.accesscontrol"), and temporal role assignment data lives in the AccessControlTemporalStorage struct at TEMPORAL_STORAGE_POSITION, identified by keccak256("compose.accesscontrol.temporal"). getRoleExpiry, isRoleExpired and requireValidRole read this state directly from the diamond's shared storage, so a change to a role or its expiry is immediately visible to any other facet that reads from the same storage positions.