@lazy-sol/access-control-upgradeable 1.0.7 → 1.1.1

package/CHANGELOG.md

@@ -0,0 +1,37 @@
+v1.1.0: Contact Size Optimizations
+
+- __Breaking Change:__ Solidity 0.8.4 is now required to compile the contracts (previously was 0.8.2).
+- Replaced "access denied" error with string literal (0.4.22) with the custom error AccessDenied() (0.8.4)
+- Introduced lighter modification of the "AccessControl" RBAC contract – "AccessControlCore" (RBAC-C).
+  The 'core' version of the RBAC contract hides three rarely used external functions from the public ABI,
+  making them internal and thus reducing the overall compiled implementation size.
+
+  | old name             | old modifier | new name              | new modifier |
+  |----------------------|--------------|-----------------------|--------------|
+  | `isFeatureEnabled()` | `public`     | `isFeatureEnabled()`  | `internal`   |
+  | `isSenderInRole()`   | `public`     | `_isSenderInRole()`   | `internal`   |
+  | `isOperatorInRole()` | `public`     | `_isOperatorInRole()` | `internal`   |
+
+- Added `_requireSenderInRole()` and `_requireAccessCondition()` internal functions for a convenient and gas-efficient
+  way of checking the access permissions and throwing the AccessDenied() error.
+- Added the CHANGELOG (this file)
+
+v1.0.7:
+- Exported the RBAC behavior
+
+v1.0.6:
+- Updated the documentation
+
+v1.0.5:
+- Exported RBAC JavaScript constants and functions
+
+v1.0.4:
+- Fixed broken dependencies
+- Upgraded npm libraries
+- Added Sepolia network support
+
+v1.0.3:
+- Allowed lower versions of Hardhat to be used
+
+v1.0.2:
+- Optimized npm dependencies

package/README.md

@@ -68,7 +68,7 @@ features and roles. Usually, smart contracts use different values for all the fe
 next section).
 
 Access manager may revoke its own permissions, including the bit 255. Eventually that allows an access manager to let
-the smart contract “float freely” and be controlled only by the community (via DAO) or by no one at all.
+the smart contract “float freely” and be controlled only by the community (via the DAO) or by no one at all.
 
 ## Comparing with OpenZeppelin
 
@@ -76,7 +76,7 @@ Both our and OpenZeppelin Access Control implementations feature a similar API t
 thing".
 
 Zeppelin implementation is more flexible:
-* it allows setting unlimited number of roles, while current is limited to 256 different roles
+* it allows setting an unlimited number of roles, while current is limited to 256 different roles
 * it allows setting an admin for each role, while current allows having only one global admin
 
 Our implementation is more lightweight:
@@ -120,11 +120,11 @@ npm i -D @lazy-sol/access-control-upgradeable
 Restricted function is a function with a `public` Solidity modifier access to which is restricted
 so that only a pre-configured set of accounts can execute it.
 
-1. Enable role-based access control (RBAC) in a new smart contract
-   by inheriting the RBAC contract from the [AccessControl](./contracts/UpgradeableAccessControl.sol) contract:
+1.  Enable role-based access control (RBAC) in a new smart contract
+    by inheriting the RBAC contract from the [UpgradeableAccessControlCore](./contracts/UpgradeableAccessControlCore.sol) contract:
     ```solidity
     import "@openzeppelin/contracts-upgradeable/token/ERC20/ERC20Upgradeable.sol";
-    import "@lazy-sol/access-control/contracts/UpgradeableAccessControl.sol";
+    import "@lazy-sol/access-control/contracts/UpgradeableAccessControlCore.sol";
     
     /**
      * @title Simple ERC20 Implementation (Upgreadable)
@@ -133,29 +133,29 @@ so that only a pre-configured set of accounts can execute it.
      *
      * @author Lazy So[u]l
      */
-    contract MyUpgradeableERC20Token is ERC20Upgradeable, UpgradeableAccessControl {
+    contract MyUpgradeableERC20Token is ERC20Upgradeable, UpgradeableAccessControlCore {
         
         ...
         
     }
     ```
 
-2. Define an access control role with the unique integer value:
+2.  Define an access control role with the unique integer value:
     ```solidity
         ...
         
         /**
          * @notice Token creator is responsible for creating (minting)
-         tokens to an arbitrary address
+         *      tokens to an arbitrary address
          * @dev Role ROLE_TOKEN_CREATOR allows minting tokens
-         (calling `mint` function)
+         *      (calling `mint` function)
          */
         uint32 public constant ROLE_TOKEN_CREATOR = 0x0001_0000;
         
         ...
     ```
 
-3. Add the `require(isSenderInRole(ROLE_TOKEN_CREATOR), "access denied")"` check into the function body:
+3.  Add the `_requireSenderInRole(ROLE_TOKEN_CREATOR)` check into the function body:
     ```solidity
         ...
         
@@ -164,7 +164,7 @@ so that only a pre-configured set of accounts can execute it.
          */
         function _mint(address _to, uint256 _value) internal virtual override {
             // check if caller has sufficient permissions to mint tokens
-            require(isSenderInRole(ROLE_TOKEN_CREATOR), "access denied");
+            _requireSenderInRole(ROLE_TOKEN_CREATOR);
 
             // delegate to super implementation
             super._mint(_to, _value);
@@ -173,8 +173,8 @@ so that only a pre-configured set of accounts can execute it.
         ...
     ```
 
-   Note: you could also use the `restrictedTo` modifier in the function declaration instead of the `require`
-   in the function body if you don't need a custom error message:
+    Note: it is also possible to use the `restrictedTo` modifier in the function declaration instead of the `require`
+    in the function body if this better suits the coding style:
     ```solidity
         ...
         
@@ -189,6 +189,31 @@ so that only a pre-configured set of accounts can execute it.
         ...
     ```
 
+### Customizing the Error Message
+
+Modifier `restrictedTo()`, internal functions `_requireSenderInRole()` and `_requireAccessCondition()` throw the
+`AccessDenied` denied error when access check fails.
+
+It is also possible to use your own custom errors or string messages if needed by leveraging a lower level boolean
+functions `_isSenderInRole()` and `_isOperatorInRole()`:
+
+```solidity
+    ...
+    
+    /**
+     * @inheritdoc ERC20Upgradeable
+     */
+    function _mint(address _to, uint256 _value) internal virtual override {
+        // check if caller has sufficient permissions to mint tokens
+        require(_isSenderInRole(ROLE_TOKEN_CREATOR), "access denied");
+
+        // delegate to super implementation
+        super._mint(_to, _value);
+    }
+    
+    ...
+```
+
 Examples:
 [AdvancedERC20](https://raw.githubusercontent.com/lazy-sol/advanced-erc20/master/contracts/token/AdvancedERC20.sol),
 [ERC20v1](https://raw.githubusercontent.com/vgorin/solidity-template/master/contracts/token/upgradeable/ERC20v1.sol),

package/contracts/InitializableAccessControl.sol

@@ -1,10 +1,10 @@
 // SPDX-License-Identifier: MIT
-pragma solidity ^0.8.2;
+pragma solidity >=0.8.4; // custom errors (0.8.4)
 
-import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
+import "./InitializableAccessControlCore.sol";
 
 /**
- * @title Initializable Role-based Access Control (RBAC)
+ * @title Initializable Role-based Access Control (I-RBAC)
  *
  * @notice Access control smart contract provides an API to check
  *      if a specific operation is permitted globally and/or
@@ -60,235 +60,7 @@ import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
  *
  * @author Basil Gorin
  */
-abstract contract InitializableAccessControl is Initializable {
-	/**
-	 * @dev Privileged addresses with defined roles/permissions
-	 * @dev In the context of ERC20/ERC721 tokens these can be permissions to
-	 *      allow minting or burning tokens, transferring on behalf and so on
-	 *
-	 * @dev Maps user address to the permissions bitmask (role), where each bit
-	 *      represents a permission
-	 * @dev Bitmask 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
-	 *      represents all possible permissions
-	 * @dev 'This' address mapping represents global features of the smart contract
-	 *
-	 * @dev We keep the mapping private to prevent direct writes to it from the inheriting
-	 *      contracts, `getRole()` and `updateRole()` functions should be used instead
-	 */
-	mapping(address => uint256) private userRoles;
-
-	/**
-	 * @dev Empty reserved space in storage. The size of the __gap array is calculated so that
-	 *      the amount of storage used by a contract always adds up to the 50.
-	 *      See https://docs.openzeppelin.com/contracts/4.x/upgradeable#storage_gaps
-	 */
-	uint256[49] private __gap;
-
-	/**
-	 * @notice Access manager is responsible for assigning the roles to users,
-	 *      enabling/disabling global features of the smart contract
-	 * @notice Access manager can add, remove and update user roles,
-	 *      remove and update global features
-	 *
-	 * @dev Role ROLE_ACCESS_MANAGER allows modifying user roles and global features
-	 * @dev Role ROLE_ACCESS_MANAGER has single bit at position 255 enabled
-	 */
-	uint256 public constant ROLE_ACCESS_MANAGER = 0x8000000000000000000000000000000000000000000000000000000000000000;
-
-	/**
-	 * @notice Upgrade manager is responsible for smart contract upgrades,
-	 *      see https://docs.openzeppelin.com/contracts/4.x/api/proxy#UUPSUpgradeable
-	 *      see https://docs.openzeppelin.com/contracts/4.x/upgradeable
-	 *
-	 * @dev Role ROLE_UPGRADE_MANAGER allows passing the _authorizeUpgrade() check
-	 * @dev Role ROLE_UPGRADE_MANAGER has single bit at position 254 enabled
-	 */
-	uint256 public constant ROLE_UPGRADE_MANAGER = 0x4000000000000000000000000000000000000000000000000000000000000000;
-
-	/**
-	 * @dev Bitmask representing all the possible permissions (super admin role)
-	 * @dev Has all the bits are enabled (2^256 - 1 value)
-	 */
-	uint256 internal constant FULL_PRIVILEGES_MASK = type(uint256).max; // before 0.8.0: uint256(-1) overflows to 0xFFFF...
-
-	/**
-	 * @dev Fired in updateRole() and updateFeatures()
-	 *
-	 * @param operator address which was granted/revoked permissions
-	 * @param requested permissions requested
-	 * @param assigned permissions effectively set
-	 */
-	event RoleUpdated(address indexed operator, uint256 requested, uint256 assigned);
-
-	/**
-	 * @notice Function modifier making a function defined as public behave as restricted
-	 *      (so that only a pre-configured set of accounts can execute it)
-	 *
-	 * @param role the role transaction executor is required to have;
-	 *      the function throws an "access denied" exception if this condition is not met
-	 */
-	modifier restrictedTo(uint256 role) {
-		// verify the access permission
-		require(isSenderInRole(role), "access denied");
-
-		// execute the rest of the function
-		_;
-	}
-
-	/**
-	 * @dev Creates/deploys the RBAC implementation to be used in a proxy
-	 *
-	 * @dev Note:
-	 *      the implementation is already initialized and
-	 *      `_postConstruct` is not executable on the implementation
-	 *      `_postConstruct` is still available in the context of a proxy
-	 *      and should be executed on the proxy deployment (in the same tx)
-	 */
-	constructor() initializer {}
-
-	/**
-	 * @dev Contract initializer, sets the contract owner to have full privileges
-	 *
-	 * @dev Can be executed only once, reverts when executed second time
-	 *
-	 * @dev IMPORTANT:
-	 *      this function SHOULD be executed during proxy deployment (in the same transaction)
-	 *
-	 * @param _owner smart contract owner having full privileges, can be zero
-	 * @param _features initial features mask of the contract, can be zero
-	 */
-	function _postConstruct(address _owner, uint256 _features) internal virtual onlyInitializing {
-		// grant owner full privileges
-		__setRole(_owner, FULL_PRIVILEGES_MASK, FULL_PRIVILEGES_MASK);
-		// update initial features bitmask
-		__setRole(address(this), _features, _features);
-	}
-
-	/**
-	 * @dev Highest version that has been initialized.
-	 *      Non-zero value means contract was already initialized.
-	 * @dev see {Initializable}, {reinitializer}.
-	 *
-	 * @return highest version that has been initialized
-	 */
-	function getInitializedVersion() public view returns(uint64) {
-		// delegate to `_getInitializedVersion`
-		return _getInitializedVersion();
-	}
-
-	/**
-	 * @notice Retrieves globally set of features enabled
-	 *
-	 * @dev Effectively reads userRoles role for the contract itself
-	 *
-	 * @return 256-bit bitmask of the features enabled
-	 */
-	function features() public view returns (uint256) {
-		// features are stored in 'this' address mapping of `userRoles`
-		return getRole(address(this));
-	}
-
-	/**
-	 * @notice Updates set of the globally enabled features (`features`),
-	 *      taking into account sender's permissions
-	 *
-	 * @dev Requires transaction sender to have `ROLE_ACCESS_MANAGER` permission
-	 * @dev Function is left for backward compatibility with older versions
-	 *
-	 * @param _mask bitmask representing a set of features to enable/disable
-	 */
-	function updateFeatures(uint256 _mask) public {
-		// delegate call to `updateRole`
-		updateRole(address(this), _mask);
-	}
-
-	/**
-	 * @notice Reads the permissions (role) for a given user from the `userRoles` mapping
-	 *      (privileged addresses with defined roles/permissions)
-	 * @notice In the context of ERC20/ERC721 tokens these can be permissions to
-	 *      allow minting or burning tokens, transferring on behalf and so on
-	 *
-	 * @dev Having a simple getter instead of making the mapping public
-	 *      allows enforcing the encapsulation of the mapping and protects from
-	 *      writing to it directly in the inheriting smart contracts
-	 *
-	 * @param operator address of a user to read permissions for,
-	 *      or self address to read global features of the smart contract
-	 */
-	function getRole(address operator) public view returns(uint256) {
-		// read the value from `userRoles` and return
-		return userRoles[operator];
-	}
-
-	/**
-	 * @notice Updates set of permissions (role) for a given user,
-	 *      taking into account sender's permissions.
-	 *
-	 * @dev Setting role to zero is equivalent to removing an all permissions
-	 * @dev Setting role to `FULL_PRIVILEGES_MASK` is equivalent to
-	 *      copying senders' permissions (role) to the user
-	 * @dev Requires transaction sender to have `ROLE_ACCESS_MANAGER` permission
-	 *
-	 * @param operator address of a user to alter permissions for,
-	 *       or self address to alter global features of the smart contract
-	 * @param role bitmask representing a set of permissions to
-	 *      enable/disable for a user specified
-	 */
-	function updateRole(address operator, uint256 role) public {
-		// caller must have a permission to update user roles
-		require(isSenderInRole(ROLE_ACCESS_MANAGER), "access denied");
-
-		// evaluate the role and reassign it
-		__setRole(operator, role, _evaluateBy(msg.sender, getRole(operator), role));
-	}
-
-	/**
-	 * @notice Determines the permission bitmask an operator can set on the
-	 *      target permission set
-	 * @notice Used to calculate the permission bitmask to be set when requested
-	 *     in `updateRole` and `updateFeatures` functions
-	 *
-	 * @dev Calculated based on:
-	 *      1) operator's own permission set read from userRoles[operator]
-	 *      2) target permission set - what is already set on the target
-	 *      3) desired permission set - what do we want set target to
-	 *
-	 * @dev Corner cases:
-	 *      1) Operator is super admin and its permission set is `FULL_PRIVILEGES_MASK`:
-	 *        `desired` bitset is returned regardless of the `target` permission set value
-	 *        (what operator sets is what they get)
-	 *      2) Operator with no permissions (zero bitset):
-	 *        `target` bitset is returned regardless of the `desired` value
-	 *        (operator has no authority and cannot modify anything)
-	 *
-	 * @dev Example:
-	 *      Consider an operator with the permissions bitmask     00001111
-	 *      is about to modify the target permission set          01010101
-	 *      Operator wants to set that permission set to          00110011
-	 *      Based on their role, an operator has the permissions
-	 *      to update only lowest 4 bits on the target, meaning that
-	 *      high 4 bits of the target set in this example is left
-	 *      unchanged and low 4 bits get changed as desired:      01010011
-	 *
-	 * @param operator address of the contract operator which is about to set the permissions
-	 * @param target input set of permissions to operator is going to modify
-	 * @param desired desired set of permissions operator would like to set
-	 * @return resulting set of permissions given operator will set
-	 */
-	function _evaluateBy(address operator, uint256 target, uint256 desired) internal view returns (uint256) {
-		// read operator's permissions
-		uint256 p = getRole(operator);
-
-		// taking into account operator's permissions,
-		// 1) enable the permissions desired on the `target`
-		target |= p & desired;
-		// 2) disable the permissions desired on the `target`
-		target &= FULL_PRIVILEGES_MASK ^ (p & (FULL_PRIVILEGES_MASK ^ desired));
-
-		// return calculated result
-		return target;
-	}
-
+abstract contract InitializableAccessControl is InitializableAccessControlCore {
 	/**
 	 * @notice Checks if requested set of features is enabled globally on the contract
 	 *
@@ -296,8 +68,8 @@ abstract contract InitializableAccessControl is Initializable {
 	 * @return true if all the features requested are enabled, false otherwise
 	 */
 	function isFeatureEnabled(uint256 required) public view returns (bool) {
-		// delegate call to `__hasRole`, passing `features` property
-		return __hasRole(features(), required);
+		// delegate to internal `_isFeatureEnabled`
+		return _isFeatureEnabled(required);
 	}
 
 	/**
@@ -307,8 +79,8 @@ abstract contract InitializableAccessControl is Initializable {
 	 * @return true if all the permissions requested are enabled, false otherwise
 	 */
 	function isSenderInRole(uint256 required) public view returns (bool) {
-		// delegate call to `isOperatorInRole`, passing transaction sender
-		return isOperatorInRole(msg.sender, required);
+		// delegate to internal `_isSenderInRole`
+		return _isSenderInRole(required);
 	}
 
 	/**
@@ -319,42 +91,7 @@ abstract contract InitializableAccessControl is Initializable {
 	 * @return true if all the permissions requested are enabled, false otherwise
 	 */
 	function isOperatorInRole(address operator, uint256 required) public view returns (bool) {
-		// delegate call to `__hasRole`, passing operator's permissions (role)
-		return __hasRole(getRole(operator), required);
-	}
-
-	/**
-	 * @dev Sets the `assignedRole` role to the operator, logs both `requestedRole` and `actualRole`
-	 *
-	 * @dev Unsafe:
-	 *      provides direct write access to `userRoles` mapping without any security checks,
-	 *      doesn't verify the executor (msg.sender) permissions,
-	 *      must be kept private at all times
-	 *
-	 * @param operator address of a user to alter permissions for,
-	 *       or self address to alter global features of the smart contract
-	 * @param requestedRole bitmask representing a set of permissions requested
-	 *      to be enabled/disabled for a user specified, used only to be logged into event
-	 * @param assignedRole bitmask representing a set of permissions to
-	 *      enable/disable for a user specified, used to update the mapping and to be logged into event
-	 */
-	function __setRole(address operator, uint256 requestedRole, uint256 assignedRole) private {
-		// assign the role to the operator
-		userRoles[operator] = assignedRole;
-
-		// fire an event
-		emit RoleUpdated(operator, requestedRole, assignedRole);
-	}
-
-	/**
-	 * @dev Checks if role `actual` contains all the permissions required `required`
-	 *
-	 * @param actual existent role
-	 * @param required required role
-	 * @return true if actual has required role (all permissions), false otherwise
-	 */
-	function __hasRole(uint256 actual, uint256 required) private pure returns (bool) {
-		// check the bitmask for the role required and return the result
-		return actual & required == required;
+		// delegate to internal `_isOperatorInRole`
+		return _isOperatorInRole(operator, required);
 	}
 }

package/contracts/InitializableAccessControlCore.sol

@@ -0,0 +1,404 @@
+// SPDX-License-Identifier: MIT
+pragma solidity >=0.8.4; // custom errors (0.8.4)
+
+import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
+
+/**
+ * @title Initializable Role-based Access Control Core (I-RBAC-C)
+ *
+ * @notice Access control smart contract provides an API to check
+ *      if a specific operation is permitted globally and/or
+ *      if a particular user has a permission to execute it.
+ *
+ * @notice This contract is inherited by other contracts requiring the role-based access control (RBAC)
+ *      protection for the restricted access functions
+ *
+ * @notice It deals with two main entities: features and roles.
+ *
+ * @notice Features are designed to be used to enable/disable public functions
+ *      of the smart contract (used by a wide audience).
+ * @notice User roles are designed to control the access to restricted functions
+ *      of the smart contract (used by a limited set of maintainers).
+ *
+ * @notice Terms "role", "permissions" and "set of permissions" have equal meaning
+ *      in the documentation text and may be used interchangeably.
+ * @notice Terms "permission", "single permission" implies only one permission bit set.
+ *
+ * @notice Access manager is a special role which allows to grant/revoke other roles.
+ *      Access managers can only grant/revoke permissions which they have themselves.
+ *      As an example, access manager with no other roles set can only grant/revoke its own
+ *      access manager permission and nothing else.
+ *
+ * @notice Access manager permission should be treated carefully, as a super admin permission:
+ *      Access manager with even no other permission can interfere with another account by
+ *      granting own access manager permission to it and effectively creating more powerful
+ *      permission set than its own.
+ *
+ * @dev Both current and OpenZeppelin AccessControl implementations feature a similar API
+ *      to check/know "who is allowed to do this thing".
+ * @dev Zeppelin implementation is more flexible:
+ *      - it allows setting unlimited number of roles, while current is limited to 256 different roles
+ *      - it allows setting an admin for each role, while current allows having only one global admin
+ * @dev Current implementation is more lightweight:
+ *      - it uses only 1 bit per role, while Zeppelin uses 256 bits
+ *      - it allows setting up to 256 roles at once, in a single transaction, while Zeppelin allows
+ *        setting only one role in a single transaction
+ *
+ * @dev This smart contract is designed to be inherited by other
+ *      smart contracts which require access control management capabilities.
+ *
+ * @dev Access manager permission has a bit 255 set.
+ *      This bit must not be used by inheriting contracts for any other permissions/features.
+ *
+ * @dev This is an initializable version of the RBAC, based on Zeppelin implementation,
+ *      it can be used for EIP-1167 minimal proxies, for ERC1967 proxies, etc.
+ *      see https://docs.openzeppelin.com/contracts/4.x/api/proxy#Clones
+ *      see https://docs.openzeppelin.com/contracts/4.x/upgradeable
+ *      see https://docs.openzeppelin.com/contracts/4.x/api/proxy#UUPSUpgradeable
+ *      see https://forum.openzeppelin.com/t/uups-proxies-tutorial-solidity-javascript/7786
+ *      see https://eips.ethereum.org/EIPS/eip-1167
+ *
+ * @dev The 'core' version of the RBAC contract hides three rarely used external functions from the public ABI,
+ *      making them internal and thus reducing the overall compiled implementation size.
+ *      isFeatureEnabled() public -> _isFeatureEnabled() internal
+ *      isSenderInRole() public -> _isSenderInRole() internal
+ *      isOperatorInRole() public -> _isOperatorInRole() internal
+ *
+ * @custom:since 1.1.0
+ *
+ * @author Basil Gorin
+ */
+abstract contract InitializableAccessControlCore is Initializable {
+	/**
+	 * @dev Privileged addresses with defined roles/permissions
+	 * @dev In the context of ERC20/ERC721 tokens these can be permissions to
+	 *      allow minting or burning tokens, transferring on behalf and so on
+	 *
+	 * @dev Maps user address to the permissions bitmask (role), where each bit
+	 *      represents a permission
+	 * @dev Bitmask 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+	 *      represents all possible permissions
+	 * @dev 'This' address mapping represents global features of the smart contract
+	 *
+	 * @dev We keep the mapping private to prevent direct writes to it from the inheriting
+	 *      contracts, `getRole()` and `updateRole()` functions should be used instead
+	 */
+	mapping(address => uint256) private userRoles;
+
+	/**
+	 * @dev Empty reserved space in storage. The size of the __gap array is calculated so that
+	 *      the amount of storage used by a contract always adds up to the 50.
+	 *      See https://docs.openzeppelin.com/contracts/4.x/upgradeable#storage_gaps
+	 */
+	uint256[49] private __gap;
+
+	/**
+	 * @notice Access manager is responsible for assigning the roles to users,
+	 *      enabling/disabling global features of the smart contract
+	 * @notice Access manager can add, remove and update user roles,
+	 *      remove and update global features
+	 *
+	 * @dev Role ROLE_ACCESS_MANAGER allows modifying user roles and global features
+	 * @dev Role ROLE_ACCESS_MANAGER has single bit at position 255 enabled
+	 */
+	uint256 public constant ROLE_ACCESS_MANAGER = 0x8000000000000000000000000000000000000000000000000000000000000000;
+
+	/**
+	 * @notice Upgrade manager is responsible for smart contract upgrades,
+	 *      see https://docs.openzeppelin.com/contracts/4.x/api/proxy#UUPSUpgradeable
+	 *      see https://docs.openzeppelin.com/contracts/4.x/upgradeable
+	 *
+	 * @dev Role ROLE_UPGRADE_MANAGER allows passing the _authorizeUpgrade() check
+	 * @dev Role ROLE_UPGRADE_MANAGER has single bit at position 254 enabled
+	 */
+	uint256 public constant ROLE_UPGRADE_MANAGER = 0x4000000000000000000000000000000000000000000000000000000000000000;
+
+	/**
+	 * @dev Bitmask representing all the possible permissions (super admin role)
+	 * @dev Has all the bits are enabled (2^256 - 1 value)
+	 */
+	uint256 internal constant FULL_PRIVILEGES_MASK = type(uint256).max; // before 0.8.0: uint256(-1) overflows to 0xFFFF...
+
+	/**
+	 * @notice Thrown when a function is executed by an account that does not have
+	 *      the required access permission(s) (role)
+	 *
+	 * @dev This error is used to enforce role-based access control (RBAC) restrictions
+	 */
+	error AccessDenied();
+
+	/**
+	 * @dev Fired in updateRole() and updateFeatures()
+	 *
+	 * @param operator address which was granted/revoked permissions
+	 * @param requested permissions requested
+	 * @param assigned permissions effectively set
+	 */
+	event RoleUpdated(address indexed operator, uint256 requested, uint256 assigned);
+
+	/**
+	 * @notice Function modifier making a function defined as public behave as restricted
+	 *      (so that only a pre-configured set of accounts can execute it)
+	 *
+	 * @param role the role transaction executor is required to have;
+	 *      the function throws an "access denied" exception if this condition is not met
+	 */
+	modifier restrictedTo(uint256 role) {
+		// verify the access permission
+		_requireSenderInRole(role);
+
+		// execute the rest of the function
+		_;
+	}
+
+	/**
+	 * @dev Creates/deploys the RBAC implementation to be used in a proxy
+	 *
+	 * @dev Note:
+	 *      the implementation is already initialized and
+	 *      `_postConstruct` is not executable on the implementation
+	 *      `_postConstruct` is still available in the context of a proxy
+	 *      and should be executed on the proxy deployment (in the same tx)
+	 */
+	constructor() initializer {}
+
+	/**
+	 * @dev Contract initializer, sets the contract owner to have full privileges
+	 *
+	 * @dev Can be executed only once, reverts when executed second time
+	 *
+	 * @dev IMPORTANT:
+	 *      this function SHOULD be executed during proxy deployment (in the same transaction)
+	 *
+	 * @param _owner smart contract owner having full privileges, can be zero
+	 * @param _features initial features mask of the contract, can be zero
+	 */
+	function _postConstruct(address _owner, uint256 _features) internal virtual onlyInitializing {
+		// grant owner full privileges
+		__setRole(_owner, FULL_PRIVILEGES_MASK, FULL_PRIVILEGES_MASK);
+		// update initial features bitmask
+		__setRole(address(this), _features, _features);
+	}
+
+	/**
+	 * @dev Highest version that has been initialized.
+	 *      Non-zero value means contract was already initialized.
+	 * @dev see {Initializable}, {reinitializer}.
+	 *
+	 * @return highest version that has been initialized
+	 */
+	function getInitializedVersion() public view returns(uint64) {
+		// delegate to `_getInitializedVersion`
+		return _getInitializedVersion();
+	}
+
+	/**
+	 * @notice Retrieves globally set of features enabled
+	 *
+	 * @dev Effectively reads userRoles role for the contract itself
+	 *
+	 * @return 256-bit bitmask of the features enabled
+	 */
+	function features() public view returns (uint256) {
+		// features are stored in 'this' address mapping of `userRoles`
+		return getRole(address(this));
+	}
+
+	/**
+	 * @notice Updates set of the globally enabled features (`features`),
+	 *      taking into account sender's permissions
+	 *
+	 * @dev Requires transaction sender to have `ROLE_ACCESS_MANAGER` permission
+	 * @dev Function is left for backward compatibility with older versions
+	 *
+	 * @param _mask bitmask representing a set of features to enable/disable
+	 */
+	function updateFeatures(uint256 _mask) public {
+		// delegate call to `updateRole`
+		updateRole(address(this), _mask);
+	}
+
+	/**
+	 * @notice Reads the permissions (role) for a given user from the `userRoles` mapping
+	 *      (privileged addresses with defined roles/permissions)
+	 * @notice In the context of ERC20/ERC721 tokens these can be permissions to
+	 *      allow minting or burning tokens, transferring on behalf and so on
+	 *
+	 * @dev Having a simple getter instead of making the mapping public
+	 *      allows enforcing the encapsulation of the mapping and protects from
+	 *      writing to it directly in the inheriting smart contracts
+	 *
+	 * @param operator address of a user to read permissions for,
+	 *      or self address to read global features of the smart contract
+	 */
+	function getRole(address operator) public view returns(uint256) {
+		// read the value from `userRoles` and return
+		return userRoles[operator];
+	}
+
+	/**
+	 * @notice Updates set of permissions (role) for a given user,
+	 *      taking into account sender's permissions.
+	 *
+	 * @dev Setting role to zero is equivalent to removing an all permissions
+	 * @dev Setting role to `FULL_PRIVILEGES_MASK` is equivalent to
+	 *      copying senders' permissions (role) to the user
+	 * @dev Requires transaction sender to have `ROLE_ACCESS_MANAGER` permission
+	 *
+	 * @param operator address of a user to alter permissions for,
+	 *       or self address to alter global features of the smart contract
+	 * @param role bitmask representing a set of permissions to
+	 *      enable/disable for a user specified
+	 */
+	function updateRole(address operator, uint256 role) public {
+		// caller must have a permission to update user roles
+		_requireSenderInRole(ROLE_ACCESS_MANAGER);
+
+		// evaluate the role and reassign it
+		__setRole(operator, role, _evaluateBy(msg.sender, getRole(operator), role));
+	}
+
+	/**
+	 * @notice Determines the permission bitmask an operator can set on the
+	 *      target permission set
+	 * @notice Used to calculate the permission bitmask to be set when requested
+	 *     in `updateRole` and `updateFeatures` functions
+	 *
+	 * @dev Calculated based on:
+	 *      1) operator's own permission set read from userRoles[operator]
+	 *      2) target permission set - what is already set on the target
+	 *      3) desired permission set - what do we want set target to
+	 *
+	 * @dev Corner cases:
+	 *      1) Operator is super admin and its permission set is `FULL_PRIVILEGES_MASK`:
+	 *        `desired` bitset is returned regardless of the `target` permission set value
+	 *        (what operator sets is what they get)
+	 *      2) Operator with no permissions (zero bitset):
+	 *        `target` bitset is returned regardless of the `desired` value
+	 *        (operator has no authority and cannot modify anything)
+	 *
+	 * @dev Example:
+	 *      Consider an operator with the permissions bitmask     00001111
+	 *      is about to modify the target permission set          01010101
+	 *      Operator wants to set that permission set to          00110011
+	 *      Based on their role, an operator has the permissions
+	 *      to update only lowest 4 bits on the target, meaning that
+	 *      high 4 bits of the target set in this example is left
+	 *      unchanged and low 4 bits get changed as desired:      01010011
+	 *
+	 * @param operator address of the contract operator which is about to set the permissions
+	 * @param target input set of permissions to operator is going to modify
+	 * @param desired desired set of permissions operator would like to set
+	 * @return resulting set of permissions given operator will set
+	 */
+	function _evaluateBy(address operator, uint256 target, uint256 desired) internal view returns (uint256) {
+		// read operator's permissions
+		uint256 p = getRole(operator);
+
+		// taking into account operator's permissions,
+		// 1) enable the permissions desired on the `target`
+		target |= p & desired;
+		// 2) disable the permissions desired on the `target`
+		target &= FULL_PRIVILEGES_MASK ^ (p & (FULL_PRIVILEGES_MASK ^ desired));
+
+		// return calculated result
+		return target;
+	}
+
+	/**
+	 * @notice Ensures that the transaction sender has the required access permission(s) (role)
+	 *
+	 * @dev Reverts with an `AccessDenied` error if the sender does not have the required role
+	 *
+	 * @param required the set of permissions (role) that the transaction sender is required to have
+	 */
+	function _requireSenderInRole(uint256 required) internal view {
+		// check if the transaction has the required permission(s),
+		// reverting with the "access denied" error if not
+		_requireAccessCondition(_isSenderInRole(required));
+	}
+
+	/**
+	 * @notice Ensures that a specific condition is met
+	 *
+	 * @dev Reverts with an `AccessDenied` error if the condition is not met
+	 *
+	 * @param condition the condition that needs to be true for the function to proceed
+	 */
+	function _requireAccessCondition(bool condition) internal pure {
+		// check if the condition holds
+		if(!condition) {
+			// revert with the "access denied" error if not
+			revert AccessDenied();
+		}
+	}
+
+	/**
+	 * @notice Checks if requested set of features is enabled globally on the contract
+	 *
+	 * @param required set of features to check against
+	 * @return true if all the features requested are enabled, false otherwise
+	 */
+	function _isFeatureEnabled(uint256 required) internal view returns (bool) {
+		// delegate call to `__hasRole`, passing `features` property
+		return __hasRole(features(), required);
+	}
+
+	/**
+	 * @notice Checks if transaction sender `msg.sender` has all the permissions required
+	 *
+	 * @param required set of permissions (role) to check against
+	 * @return true if all the permissions requested are enabled, false otherwise
+	 */
+	function _isSenderInRole(uint256 required) internal view returns (bool) {
+		// delegate call to `isOperatorInRole`, passing transaction sender
+		return _isOperatorInRole(msg.sender, required);
+	}
+
+	/**
+	 * @notice Checks if operator has all the permissions (role) required
+	 *
+	 * @param operator address of the user to check role for
+	 * @param required set of permissions (role) to check
+	 * @return true if all the permissions requested are enabled, false otherwise
+	 */
+	function _isOperatorInRole(address operator, uint256 required) internal view returns (bool) {
+		// delegate call to `__hasRole`, passing operator's permissions (role)
+		return __hasRole(getRole(operator), required);
+	}
+
+	/**
+	 * @dev Sets the `assignedRole` role to the operator, logs both `requestedRole` and `actualRole`
+	 *
+	 * @dev Unsafe:
+	 *      provides direct write access to `userRoles` mapping without any security checks,
+	 *      doesn't verify the executor (msg.sender) permissions,
+	 *      must be kept private at all times
+	 *
+	 * @param operator address of a user to alter permissions for,
+	 *       or self address to alter global features of the smart contract
+	 * @param requestedRole bitmask representing a set of permissions requested
+	 *      to be enabled/disabled for a user specified, used only to be logged into event
+	 * @param assignedRole bitmask representing a set of permissions to
+	 *      enable/disable for a user specified, used to update the mapping and to be logged into event
+	 */
+	function __setRole(address operator, uint256 requestedRole, uint256 assignedRole) private {
+		// assign the role to the operator
+		userRoles[operator] = assignedRole;
+
+		// fire an event
+		emit RoleUpdated(operator, requestedRole, assignedRole);
+	}
+
+	/**
+	 * @dev Checks if role `actual` contains all the permissions required `required`
+	 *
+	 * @param actual existent role
+	 * @param required required role
+	 * @return true if actual has required role (all permissions), false otherwise
+	 */
+	function __hasRole(uint256 actual, uint256 required) private pure returns (bool) {
+		// check the bitmask for the role required and return the result
+		return actual & required == required;
+	}
+}

package/contracts/UpgradeableAccessControl.sol

@@ -1,11 +1,11 @@
 // SPDX-License-Identifier: MIT
-pragma solidity ^0.8.2;
+pragma solidity >=0.8.4;
 
 import "./InitializableAccessControl.sol";
-import "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
+import "./UpgradeableAccessControlCore.sol";
 
 /**
- * @title Upgradeable Role-based Access Control (RBAC) // ERC1967Proxy
+ * @title Upgradeable Role-based Access Control (U-RBAC) // ERC1967Proxy
  *
  * @notice Access control smart contract provides an API to check
  *      if a specific operation is permitted globally and/or
@@ -58,23 +58,6 @@ import "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
  *
  * @author Basil Gorin
  */
-abstract contract UpgradeableAccessControl is InitializableAccessControl, UUPSUpgradeable {
-	/**
-	 * @notice Returns an address of the implementation smart contract,
-	 *      see ERC1967Upgrade._getImplementation()
-	 *
-	 * @return the current implementation address
-	 */
-	function getImplementation() public view virtual returns (address) {
-		// delegate to `ERC1967Upgrade._getImplementation()`
-		return _getImplementation();
-	}
-
-	/**
-	 * @inheritdoc UUPSUpgradeable
-	 */
-	function _authorizeUpgrade(address) internal virtual override {
-		// caller must have a permission to upgrade the contract
-		require(isSenderInRole(ROLE_UPGRADE_MANAGER), "access denied");
-	}
+abstract contract UpgradeableAccessControl is InitializableAccessControl, UpgradeableAccessControlCore {
+	
 }

package/contracts/UpgradeableAccessControlCore.sol

@@ -0,0 +1,88 @@
+// SPDX-License-Identifier: MIT
+pragma solidity >=0.8.4;
+
+import "./InitializableAccessControlCore.sol";
+import "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
+
+/**
+ * @title Upgradeable Role-based Access Control Core (U-RBAC-C) // ERC1967Proxy
+ *
+ * @notice Access control smart contract provides an API to check
+ *      if a specific operation is permitted globally and/or
+ *      if a particular user has a permission to execute it.
+ *
+ * @notice This contract is inherited by other contracts requiring the role-based access control (RBAC)
+ *      protection for the restricted access functions
+ *
+ * @notice It deals with two main entities: features and roles.
+ *
+ * @notice Features are designed to be used to enable/disable public functions
+ *      of the smart contract (used by a wide audience).
+ * @notice User roles are designed to control the access to restricted functions
+ *      of the smart contract (used by a limited set of maintainers).
+ *
+ * @notice Terms "role", "permissions" and "set of permissions" have equal meaning
+ *      in the documentation text and may be used interchangeably.
+ * @notice Terms "permission", "single permission" implies only one permission bit set.
+ *
+ * @notice Access manager is a special role which allows to grant/revoke other roles.
+ *      Access managers can only grant/revoke permissions which they have themselves.
+ *      As an example, access manager with no other roles set can only grant/revoke its own
+ *      access manager permission and nothing else.
+ *
+ * @notice Access manager permission should be treated carefully, as a super admin permission:
+ *      Access manager with even no other permission can interfere with another account by
+ *      granting own access manager permission to it and effectively creating more powerful
+ *      permission set than its own.
+ *
+ * @dev Both current and OpenZeppelin AccessControl implementations feature a similar API
+ *      to check/know "who is allowed to do this thing".
+ * @dev Zeppelin implementation is more flexible:
+ *      - it allows setting unlimited number of roles, while current is limited to 256 different roles
+ *      - it allows setting an admin for each role, while current allows having only one global admin
+ * @dev Current implementation is more lightweight:
+ *      - it uses only 1 bit per role, while Zeppelin uses 256 bits
+ *      - it allows setting up to 256 roles at once, in a single transaction, while Zeppelin allows
+ *        setting only one role in a single transaction
+ *
+ * @dev This smart contract is designed to be inherited by other
+ *      smart contracts which require access control management capabilities.
+ *
+ * @dev Access manager permission has a bit 255 set.
+ *      This bit must not be used by inheriting contracts for any other permissions/features.
+ *
+ * @dev This is an upgradeable version of the RBAC, based on Zeppelin implementation for ERC1967,
+ *      see https://docs.openzeppelin.com/contracts/4.x/upgradeable
+ *      see https://docs.openzeppelin.com/contracts/4.x/api/proxy#UUPSUpgradeable
+ *      see https://forum.openzeppelin.com/t/uups-proxies-tutorial-solidity-javascript/7786
+ *
+ * @dev The 'core' version of the RBAC contract hides three rarely used external functions from the public ABI,
+ *      making them internal and thus reducing the overall compiled implementation size.
+ *      isFeatureEnabled() public -> _isFeatureEnabled() internal
+ *      isSenderInRole() public -> _isSenderInRole() internal
+ *      isOperatorInRole() public -> _isOperatorInRole() internal
+ *
+ * @custom:since 1.1.0
+ *
+ * @author Basil Gorin
+ */
+abstract contract UpgradeableAccessControlCore is InitializableAccessControlCore, UUPSUpgradeable {
+	/**
+	 * @notice Returns an address of the implementation smart contract,
+	 *      see ERC1967Upgrade._getImplementation()
+	 *
+	 * @return the current implementation address
+	 */
+	function getImplementation() public view virtual returns (address) {
+		// delegate to `ERC1967Upgrade._getImplementation()`
+		return _getImplementation();
+	}
+
+	/**
+	 * @inheritdoc UUPSUpgradeable
+	 */
+	function _authorizeUpgrade(address) internal virtual override {
+		// caller must have a permission to upgrade the contract
+		_requireSenderInRole(ROLE_UPGRADE_MANAGER);
+	}
+}

package/contracts/mocks/UpgradeableAccessControlMocks.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity ^0.8.2;
+pragma solidity >=0.8.4;
 
 import "../UpgradeableAccessControl.sol";
 
@@ -10,6 +10,12 @@ contract UpgradeableAccessControlMock is UpgradeableAccessControl {
 	function restricted() public restrictedTo(RESTRICTED_ROLE) {
 		emit Restricted();
 	}
+	function requireSenderInRole(uint256 required) public view {
+		_requireSenderInRole(required);
+	}
+	function requireAccessCondition(bool condition) public pure {
+		_requireAccessCondition(condition);
+	}
 }
 
 contract UpgradeableAccessControl1 is UpgradeableAccessControlMock {

package/hardhat.config.js

@@ -50,7 +50,7 @@ module.exports = {
 		// https://hardhat.org/guides/compile-contracts.html
 		compilers: [
 			{
-				version: "0.8.2",
+				version: "0.8.4",
 				settings: {
 					optimizer: {
 						enabled: true,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lazy-sol/access-control-upgradeable",
-  "version": "1.0.7",
+  "version": "1.1.1",
   "description": "Enable the modular plug and play (PnP) architecture for your dapp by incorporating the role-based access control (RBAC) into the smart contracts",
   "main": "index.js",
   "scripts": {
@@ -22,20 +22,22 @@
   "author": "Basil Gorin",
   "license": "MIT",
   "dependencies": {
-    "@lazy-sol/a-missing-gem": "^1.0.9",
-    "@nomiclabs/hardhat-truffle5": "^2.0.7",
-    "@openzeppelin/contracts-upgradeable": "^4.9.6",
-    "hardhat": "^2.22.7",
-    "hardhat-deploy": "^0.11.45"
+    "@openzeppelin/contracts-upgradeable": "4.9.6"
   },
   "devDependencies": {
+    "@lazy-sol/a-missing-gem": "^1.0.10",
     "@lazy-sol/zeppelin-test-helpers": "^1.0.5",
-    "@openzeppelin/contracts": "^4.9.6",
+    "@nomiclabs/hardhat-truffle5": "^2.0.7",
+    "@openzeppelin/contracts": "4.9.6",
+    "hardhat": "^2.22.13",
     "hardhat-dependency-injector": "^1.0.1",
     "hardhat-gas-reporter": "^1.0.10",
-    "solidity-coverage": "^0.8.12"
+    "solidity-coverage": "^0.8.13"
   },
   "overrides": {
+    "axios": ">=1.7.5",
+    "micromatch": "^4.0.8",
+    "tar": "^6.2.1",
     "tough-cookie": "^4.1.3",
     "yargs-parser": "^5.0.1",
     "ws": "^8.0.0"

package/test/include/rbac.behaviour.js

@@ -41,6 +41,18 @@ function behavesLikeRBAC(deployment_fn, a0, a1, a2) {
 	const by = a1;
 	const to = a2;
 
+	describe("requireAccessCondition(condition) pure function", function() {
+		let access_control;
+		beforeEach(async function() {
+			access_control = await deployment_fn.call(this, a0, ZERO_ADDRESS, 0);
+		});
+		it("throws if condition is false", async function() {
+			await expectRevert(access_control.requireAccessCondition(false, {from: a0}), "AccessDenied()");
+		});
+		it("succeeds if condition is true", async function() {
+			await access_control.requireAccessCondition(true, {from: a0});
+		});
+	});
 	describe("deployment and initial state", function() {
 		function deploy_and_check(owner, features) {
 			let access_control;
@@ -82,7 +94,7 @@ function behavesLikeRBAC(deployment_fn, a0, a1, a2) {
 			deploy_and_check(a1, random_bn256());
 		});
 	});
-	describe("when deployed with not initial features", function() {
+	describe("when deployed with no initial features", function() {
 		let access_control;
 		beforeEach(async function() {
 			access_control = await deployment_fn.call(this, a0);
@@ -93,7 +105,7 @@ function behavesLikeRBAC(deployment_fn, a0, a1, a2) {
 				beforeEach(async function() {
 					await access_control.updateRole(by, ROLE_ACCESS_MANAGER, {from: a0});
 				});
-				describe("when ACCESS_MANAGER has full set of permissions", function() {
+				describe("when ACCESS_MANAGER has the full set of permissions", function() {
 					beforeEach(async function() {
 						await access_control.updateRole(by, MAX_UINT256, {from: a0});
 					});
@@ -272,6 +284,7 @@ function behavesLikeRBAC(deployment_fn, a0, a1, a2) {
 					it("operator becomes an ACCESS_MANAGER", async function() {
 						expect(await access_control.isOperatorInRole(to, ROLE_ACCESS_MANAGER), "operator").to.be.true;
 						expect(await access_control.isSenderInRole(ROLE_ACCESS_MANAGER, {from: to}), "sender").to.be.true;
+						await access_control.requireSenderInRole(ROLE_ACCESS_MANAGER, {from: to});
 					});
 				});
 				describe("when ACCESS_MANAGER revokes ACCESS_MANAGER permission from itself", function() {
@@ -281,15 +294,16 @@ function behavesLikeRBAC(deployment_fn, a0, a1, a2) {
 					it("operator ceases to be an ACCESS_MANAGER", async function() {
 						expect(await access_control.isOperatorInRole(by, ROLE_ACCESS_MANAGER), "operator").to.be.false;
 						expect(await access_control.isSenderInRole(ROLE_ACCESS_MANAGER, {from: by}), "sender").to.be.false;
+						await expectRevert(access_control.requireSenderInRole(ROLE_ACCESS_MANAGER, {from: to}), "AccessDenied()");
 					});
 				});
 			});
 			describe("otherwise (no ACCESS_MANAGER permission)", function() {
 				it("updateFeatures reverts", async function() {
-					await expectRevert(access_control.updateFeatures(1, {from: by}), "access denied");
+					await expectRevert(access_control.updateFeatures(1, {from: by}), "AccessDenied()");
 				});
 				it("updateRole reverts", async function() {
-					await expectRevert(access_control.updateRole(to, 1, {from: by}), "access denied");
+					await expectRevert(access_control.updateRole(to, 1, {from: by}), "AccessDenied()");
 				});
 			});
 		}

package/test/rbac_modifier.js

@@ -44,7 +44,7 @@ contract('AccessControlUpgradeable (U-RBAC) "restrictedTo" Modifier tests', func
 			access_control = await deploy_access_control(a0);
 		});
 		it("function protected with restrictedTo modifier fails when run not by an admin", async function() {
-			await expectRevert(access_control.restricted({from: a1}), "access denied");
+			await expectRevert(access_control.restricted({from: a1}), "AccessDenied()");
 		});
 		describe("function protected with restrictedTo modifier succeeds when run by admin", async function() {
 			let receipt;

package/test/rbac_upgradeable.js

@@ -101,13 +101,10 @@ contract("UpgradeableAccessControl (U-RBAC) Core tests", function(accounts) {
 				const init_data = ac.contract.methods.postConstruct(ZERO_ADDRESS, 0).encodeABI();
 
 				// and upgrade the implementation
-				await expectRevert(
-					ac.upgradeToAndCall(impl2.address, init_data, {from: by}),
-					"access denied"
-				);
+				await expectRevert(ac.upgradeToAndCall(impl2.address, init_data, {from: by}), "AccessDenied()");
 			});
 			it("implementation upgrade without initialization reverts", async function() {
-				await expectRevert(ac.upgradeTo(impl2.address, {from: by}), "access denied");
+				await expectRevert(ac.upgradeTo(impl2.address, {from: by}), "AccessDenied()");
 			});
 			it("direct initialization of the implementation (bypassing proxy) fails", async function() {
 				await expectRevert(impl1.postConstruct(ZERO_ADDRESS, 0, {from: by}), "Initializable: contract is already initialized");