
Access Control Temporal Grant Module

Grant roles with expiry using diamond storage

Key Features
  • Internal functions designed for use within custom facets.
  • Manages role grants with expiry timestamps.
  • Utilizes the diamond storage pattern (EIP-8042) for shared state.
  • Emits RoleGrantedWithExpiry event upon successful role granting.
Module Usage

This module provides internal functions for use in your custom facets. Import it to access shared logic and storage.

Overview

This module provides functions to grant roles with an expiry timestamp, utilizing shared diamond storage for role management. Facets can integrate this module to enforce temporal access control, ensuring roles are automatically revoked after their expiry. Changes made via this module are immediately visible to all facets operating on the same diamond storage.

Storage

AccessControlStorage

Storage struct for AccessControl (reused struct definition). Must match the struct definition in AccessControlDataFacet. storage-location: erc8042:compose.accesscontrol

Definition
struct AccessControlStorage {
    mapping(address account => mapping(bytes32 role => bool hasRole)) hasRole;
    mapping(bytes32 role => bytes32 adminRole) adminRole;
}

AccessControlTemporalStorage

Storage struct for AccessControlTemporal. storage-location: erc8042:compose.accesscontrol.temporal

Definition
struct AccessControlTemporalStorage {
    mapping(address account => mapping(bytes32 role => uint256 expiryTimestamp)) roleExpiry;
}

State Variables

| Property | Type | Description |
| --- | --- | --- |
| ACCESS_CONTROL_STORAGE_POSITION | bytes32 | Diamond storage slot position for this module (Value: keccak256("compose.accesscontrol")) |
| TEMPORAL_STORAGE_POSITION | bytes32 | Diamond storage slot position for this module (Value: keccak256("compose.accesscontrol.temporal")) |

Functions

getAccessControlStorage

Returns the storage for AccessControl.

function getAccessControlStorage() pure returns (AccessControlStorage storage s);

Returns:

| Property | Type | Description |
| --- | --- | --- |
| s | AccessControlStorage | The AccessControl storage struct. |

getStorage

Returns the storage for AccessControlTemporal.

function getStorage() pure returns (AccessControlTemporalStorage storage s);

Returns:

| Property | Type | Description |
| --- | --- | --- |
| s | AccessControlTemporalStorage | The AccessControlTemporal storage struct. |

grantRoleWithExpiry

Grants a role to an account with an expiry timestamp. Only the admin of the role can grant it with expiry. Emits a {RoleGrantedWithExpiry} event. Reverts with AccessControlUnauthorizedAccount if the caller is not the admin of the role.

function grantRoleWithExpiry(bytes32 _role, address _account, uint256 _expiresAt);

Parameters:

| Property | Type | Description |
| --- | --- | --- |
| _role | bytes32 | The role to grant. |
| _account | address | The account to grant the role to. |
| _expiresAt | uint256 | The timestamp when the role should expire (must be in the future). |

Events

Errors

Best Practices

  • Ensure the caller has the necessary administrative role before invoking grantRoleWithExpiry.
  • Verify the _expiresAt timestamp is in the future to prevent immediate expiration.
  • Integrate with role expiration checks in other facets to ensure timely revocation enforcement.

Integration Notes

Shared Storage

This module interacts with diamond storage at ACCESS_CONTROL_STORAGE_POSITION, which is identified by keccak256("compose.accesscontrol"). It reads from and writes to the AccessControlTemporalStorage struct, which the Storage section above places at TEMPORAL_STORAGE_POSITION (keccak256("compose.accesscontrol.temporal")). Changes to roles and their expiry times are immediately reflected and visible to all facets accessing the same diamond storage.
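
The expiry check that the Best Practices ask other facets to perform, as an added example (not Compose's own code). The struct layouts and slot seeds are copied from this page; requireLiveRole, RoleMissingOrExpired, TreasuryFacet and TREASURER_ROLE are hypothetical names, and the meaning of a zero expiry and the exact expiry boundary are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: struct layouts and slot seeds are taken from this page;
// every other name below is hypothetical.
struct AccessControlStorage {
    mapping(address account => mapping(bytes32 role => bool hasRole)) hasRole;
    mapping(bytes32 role => bytes32 adminRole) adminRole;
}

struct AccessControlTemporalStorage {
    mapping(address account => mapping(bytes32 role => uint256 expiryTimestamp)) roleExpiry;
}

bytes32 constant ACCESS_CONTROL_STORAGE_POSITION = keccak256("compose.accesscontrol");
bytes32 constant TEMPORAL_STORAGE_POSITION = keccak256("compose.accesscontrol.temporal");
error RoleMissingOrExpired(bytes32 role, address account); // hypothetical error

function accessControlStorage() pure returns (AccessControlStorage storage s) {
    bytes32 position = ACCESS_CONTROL_STORAGE_POSITION;
    assembly { s.slot := position }
}

function temporalStorage() pure returns (AccessControlTemporalStorage storage s) {
    bytes32 position = TEMPORAL_STORAGE_POSITION;
    assembly { s.slot := position }
}

// Assumptions: an expiry of 0 means the role was granted without expiry, and
// a grant stops being valid once block.timestamp reaches the stored expiry.
function requireLiveRole(bytes32 role, address account) view {
    bool granted = accessControlStorage().hasRole[account][role];
    uint256 expiresAt = temporalStorage().roleExpiry[account][role];
    bool expired = expiresAt != 0 && block.timestamp >= expiresAt;
    if (!granted || expired) revert RoleMissingOrExpired(role, account);
}

contract TreasuryFacet { // hypothetical facet guarding a privileged action
    bytes32 constant TREASURER_ROLE = keccak256("TREASURER_ROLE");
    event Swept(address indexed by);

    function sweep() external {
        requireLiveRole(TREASURER_ROLE, msg.sender); // checks the flag and the expiry
        emit Swept(msg.sender);
    }
}
```

A facet that consults only hasRole would keep honouring a grant whose roleExpiry has passed, so the two lookups belong in one guard that every privileged function calls.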
