@lazy-sol/access-control 1.0.3

package/artifacts/contracts/OwnableToAccessControlAdapter.sol/OwnableToAccessControlAdapter.json

@@ -0,0 +1,342 @@
+{
+  "_format": "hh-sol-artifact-1",
+  "contractName": "OwnableToAccessControlAdapter",
+  "sourceName": "contracts/OwnableToAccessControlAdapter.sol",
+  "abi": [
+    {
+      "inputs": [
+        {
+          "internalType": "address",
+          "name": "_target",
+          "type": "address"
+        },
+        {
+          "internalType": "address",
+          "name": "_owner",
+          "type": "address"
+        }
+      ],
+      "stateMutability": "nonpayable",
+      "type": "constructor"
+    },
+    {
+      "anonymous": false,
+      "inputs": [
+        {
+          "indexed": false,
+          "internalType": "bytes4",
+          "name": "selector",
+          "type": "bytes4"
+        },
+        {
+          "indexed": false,
+          "internalType": "uint256",
+          "name": "role",
+          "type": "uint256"
+        }
+      ],
+      "name": "AccessRoleUpdated",
+      "type": "event"
+    },
+    {
+      "anonymous": false,
+      "inputs": [
+        {
+          "indexed": false,
+          "internalType": "bytes4",
+          "name": "selector",
+          "type": "bytes4"
+        },
+        {
+          "indexed": false,
+          "internalType": "bytes",
+          "name": "data",
+          "type": "bytes"
+        },
+        {
+          "indexed": false,
+          "internalType": "bytes",
+          "name": "result",
+          "type": "bytes"
+        }
+      ],
+      "name": "ExecutionComplete",
+      "type": "event"
+    },
+    {
+      "anonymous": false,
+      "inputs": [
+        {
+          "indexed": true,
+          "internalType": "address",
+          "name": "operator",
+          "type": "address"
+        },
+        {
+          "indexed": false,
+          "internalType": "uint256",
+          "name": "requested",
+          "type": "uint256"
+        },
+        {
+          "indexed": false,
+          "internalType": "uint256",
+          "name": "assigned",
+          "type": "uint256"
+        }
+      ],
+      "name": "RoleUpdated",
+      "type": "event"
+    },
+    {
+      "stateMutability": "payable",
+      "type": "fallback"
+    },
+    {
+      "inputs": [],
+      "name": "ROLE_ACCESS_MANAGER",
+      "outputs": [
+        {
+          "internalType": "uint256",
+          "name": "",
+          "type": "uint256"
+        }
+      ],
+      "stateMutability": "view",
+      "type": "function"
+    },
+    {
+      "inputs": [],
+      "name": "ROLE_ACCESS_ROLES_MANAGER",
+      "outputs": [
+        {
+          "internalType": "uint256",
+          "name": "",
+          "type": "uint256"
+        }
+      ],
+      "stateMutability": "view",
+      "type": "function"
+    },
+    {
+      "inputs": [
+        {
+          "internalType": "bytes4",
+          "name": "",
+          "type": "bytes4"
+        }
+      ],
+      "name": "accessRoles",
+      "outputs": [
+        {
+          "internalType": "uint256",
+          "name": "",
+          "type": "uint256"
+        }
+      ],
+      "stateMutability": "view",
+      "type": "function"
+    },
+    {
+      "inputs": [
+        {
+          "internalType": "bytes",
+          "name": "data",
+          "type": "bytes"
+        }
+      ],
+      "name": "execute",
+      "outputs": [
+        {
+          "internalType": "bytes",
+          "name": "",
+          "type": "bytes"
+        }
+      ],
+      "stateMutability": "payable",
+      "type": "function"
+    },
+    {
+      "inputs": [],
+      "name": "features",
+      "outputs": [
+        {
+          "internalType": "uint256",
+          "name": "",
+          "type": "uint256"
+        }
+      ],
+      "stateMutability": "view",
+      "type": "function"
+    },
+    {
+      "inputs": [
+        {
+          "internalType": "address",
+          "name": "operator",
+          "type": "address"
+        }
+      ],
+      "name": "getRole",
+      "outputs": [
+        {
+          "internalType": "uint256",
+          "name": "",
+          "type": "uint256"
+        }
+      ],
+      "stateMutability": "view",
+      "type": "function"
+    },
+    {
+      "inputs": [
+        {
+          "internalType": "uint256",
+          "name": "required",
+          "type": "uint256"
+        }
+      ],
+      "name": "isFeatureEnabled",
+      "outputs": [
+        {
+          "internalType": "bool",
+          "name": "",
+          "type": "bool"
+        }
+      ],
+      "stateMutability": "view",
+      "type": "function"
+    },
+    {
+      "inputs": [
+        {
+          "internalType": "address",
+          "name": "operator",
+          "type": "address"
+        },
+        {
+          "internalType": "uint256",
+          "name": "required",
+          "type": "uint256"
+        }
+      ],
+      "name": "isOperatorInRole",
+      "outputs": [
+        {
+          "internalType": "bool",
+          "name": "",
+          "type": "bool"
+        }
+      ],
+      "stateMutability": "view",
+      "type": "function"
+    },
+    {
+      "inputs": [
+        {
+          "internalType": "uint256",
+          "name": "required",
+          "type": "uint256"
+        }
+      ],
+      "name": "isSenderInRole",
+      "outputs": [
+        {
+          "internalType": "bool",
+          "name": "",
+          "type": "bool"
+        }
+      ],
+      "stateMutability": "view",
+      "type": "function"
+    },
+    {
+      "inputs": [],
+      "name": "target",
+      "outputs": [
+        {
+          "internalType": "address",
+          "name": "",
+          "type": "address"
+        }
+      ],
+      "stateMutability": "view",
+      "type": "function"
+    },
+    {
+      "inputs": [
+        {
+          "internalType": "bytes4",
+          "name": "selector",
+          "type": "bytes4"
+        },
+        {
+          "internalType": "uint256",
+          "name": "role",
+          "type": "uint256"
+        }
+      ],
+      "name": "updateAccessRole",
+      "outputs": [],
+      "stateMutability": "nonpayable",
+      "type": "function"
+    },
+    {
+      "inputs": [
+        {
+          "internalType": "string",
+          "name": "signature",
+          "type": "string"
+        },
+        {
+          "internalType": "uint256",
+          "name": "role",
+          "type": "uint256"
+        }
+      ],
+      "name": "updateAccessRole",
+      "outputs": [],
+      "stateMutability": "nonpayable",
+      "type": "function"
+    },
+    {
+      "inputs": [
+        {
+          "internalType": "uint256",
+          "name": "_mask",
+          "type": "uint256"
+        }
+      ],
+      "name": "updateFeatures",
+      "outputs": [],
+      "stateMutability": "nonpayable",
+      "type": "function"
+    },
+    {
+      "inputs": [
+        {
+          "internalType": "address",
+          "name": "operator",
+          "type": "address"
+        },
+        {
+          "internalType": "uint256",
+          "name": "role",
+          "type": "uint256"
+        }
+      ],
+      "name": "updateRole",
+      "outputs": [],
+      "stateMutability": "nonpayable",
+      "type": "function"
+    },
+    {
+      "stateMutability": "payable",
+      "type": "receive"
+    }
+  ],
+  "bytecode": "0x608060405234801561001057600080fd5b50604051610b40380380610b4083398101604081905261002f9161012f565b80600061003f82600019806100bb565b61004a3082806100bb565b50506001600160a01b0382166100955760405162461bcd60e51b815260206004820152600c60248201526b7a65726f206164647265737360a01b604482015260640160405180910390fd5b50600180546001600160a01b0319166001600160a01b0392909216919091179055610162565b6001600160a01b0383166000818152602081815260409182902084905581518581529081018490527fe9be537308880e0f56b7d7cfd7abf85f14c4934486d138f848b92a0cbaf659b4910160405180910390a2505050565b80516001600160a01b038116811461012a57600080fd5b919050565b6000806040838503121561014257600080fd5b61014b83610113565b915061015960208401610113565b90509250929050565b6109cf806101716000396000f3fe6080604052600436106100e15760003560e01c8063725f36261161007f578063c688d69311610059578063c688d693146102bc578063d4b83992146102dc578063d5bb7f6714610314578063fcc2c0781461033457610100565b8063725f362614610254578063ae5b102e14610284578063ae682e2e146102a457610100565b806334e48c9e116100bb57806334e48c9e146101c657806344276733146101de578063491d2611146102145780635defb40d1461023457610100565b806309c5eabe146101405780630e82fe25146101695780632b521416146101a457610100565b36610100576100fe60405180602001604052806000815250610354565b005b6100fe6000368080601f01602080910402602001604051908101604052809392919081815260200183838082843760009201919091525061035492505050565b61015361014e366004610742565b610354565b60405161016091906107e3565b60405180910390f35b34801561017557600080fd5b50610196610184366004610813565b60026020526000908152604090205481565b604051908152602001610160565b3480156101b057600080fd5b5030600090815260208190526040902054610196565b3480156101d257600080fd5b50610196600160fd1b81565b3480156101ea57600080fd5b506101966101f9366004610845565b6001600160a01b031660009081526020819052604090205490565b34801561022057600080fd5b506100fe61022f366004610860565b6104de565b34801561024057600080fd5b506100fe61024f36600461088a565b610560565b34801561026057600080fd5b5061027461026f3660046108e3565b610575565b6040519015158152602001610160565b34801561029057600080fd5b506100fe61029f3660046108fc565b610597565b3480156102b057600080fd5b50610196600160ff1b81565b3480156102c857600080fd5b506102746102d73660046108fc565b61061c565b3480156102e857600080fd5b506001546102fc906001600160a01b031681565b6040516001600160a01b039091168152602001610160565b34801561032057600080fd5b506100fe61032f3660046108e3565b610645565b34801561034057600080fd5b5061027461034f3660046108e3565b610652565b6020810151815160609190156103f0576001600160e01b03198116600090815260026020526040812054908190036103c95760405162461bcd60e51b81526020600482015260136024820152721858d8d95cdcc81c9bdb19481b9bdd081cd95d606a1b60448201526064015b60405180910390fd5b6103d281610652565b6103ee5760405162461bcd60e51b81526004016103c090610918565b505b60015460405160009182916001600160a01b0390911690349061041490889061093f565b60006040518083038185875af1925050503d8060008114610451576040519150601f19603f3d011682016040523d82523d6000602084013e610456565b606091505b50915091508161049b5760405162461bcd60e51b815260206004820152601060248201526f195e1958dd5d1a5bdb8819985a5b195960821b60448201526064016103c0565b7f57a62eca76fc623c92f161d2a4b851851ece707135ce2af1eec256d660571b6d8386836040516104ce9392919061095b565b60405180910390a1949350505050565b6104eb600160fd1b610652565b6105075760405162461bcd60e51b81526004016103c090610918565b6001600160e01b03198216600081815260026020908152604091829020849055815192835282018390527fdb8ed917742b49e83acd1322bcaa8f18b1e5f78a70784c43ea14db7ab50e628d910160405180910390a15050565b6105718280519060200120826104de565b5050565b30600090815260208190526040812054610591905b8316831490565b92915050565b6105a4600160ff1b610652565b6105c05760405162461bcd60e51b81526004016103c090610918565b6105718282610617336105e8876001600160a01b031660009081526020819052604090205490565b6001600160a01b0391909116600090815260208190526040902054600019808818821618908716919091171690565b61065e565b6001600160a01b03821660009081526020819052604081205461063e9061058a565b9392505050565b61064f3082610597565b50565b6000610591338361061c565b6001600160a01b0383166000818152602081815260409182902084905581518581529081018490527fe9be537308880e0f56b7d7cfd7abf85f14c4934486d138f848b92a0cbaf659b4910160405180910390a2505050565b634e487b7160e01b600052604160045260246000fd5b600067ffffffffffffffff808411156106e7576106e76106b6565b604051601f8501601f19908116603f0116810190828211818310171561070f5761070f6106b6565b8160405280935085815286868601111561072857600080fd5b858560208301376000602087830101525050509392505050565b60006020828403121561075457600080fd5b813567ffffffffffffffff81111561076b57600080fd5b8201601f8101841361077c57600080fd5b61078b848235602084016106cc565b949350505050565b60005b838110156107ae578181015183820152602001610796565b50506000910152565b600081518084526107cf816020860160208601610793565b601f01601f19169290920160200192915050565b60208152600061063e60208301846107b7565b80356001600160e01b03198116811461080e57600080fd5b919050565b60006020828403121561082557600080fd5b61063e826107f6565b80356001600160a01b038116811461080e57600080fd5b60006020828403121561085757600080fd5b61063e8261082e565b6000806040838503121561087357600080fd5b61087c836107f6565b946020939093013593505050565b6000806040838503121561089d57600080fd5b823567ffffffffffffffff8111156108b457600080fd5b8301601f810185136108c557600080fd5b6108d4858235602084016106cc565b95602094909401359450505050565b6000602082840312156108f557600080fd5b5035919050565b6000806040838503121561090f57600080fd5b61087c8361082e565b6020808252600d908201526c1858d8d95cdcc819195b9a5959609a1b604082015260600190565b60008251610951818460208701610793565b9190910192915050565b63ffffffff60e01b8416815260606020820152600061097d60608301856107b7565b828103604084015261098f81856107b7565b969550505050505056fea26469706673582212206993ad950cca82a01e8e72c0503e3a006930148e125b67ad2894063853f6078264736f6c63430008150033",
+  "deployedBytecode": "0x6080604052600436106100e15760003560e01c8063725f36261161007f578063c688d69311610059578063c688d693146102bc578063d4b83992146102dc578063d5bb7f6714610314578063fcc2c0781461033457610100565b8063725f362614610254578063ae5b102e14610284578063ae682e2e146102a457610100565b806334e48c9e116100bb57806334e48c9e146101c657806344276733146101de578063491d2611146102145780635defb40d1461023457610100565b806309c5eabe146101405780630e82fe25146101695780632b521416146101a457610100565b36610100576100fe60405180602001604052806000815250610354565b005b6100fe6000368080601f01602080910402602001604051908101604052809392919081815260200183838082843760009201919091525061035492505050565b61015361014e366004610742565b610354565b60405161016091906107e3565b60405180910390f35b34801561017557600080fd5b50610196610184366004610813565b60026020526000908152604090205481565b604051908152602001610160565b3480156101b057600080fd5b5030600090815260208190526040902054610196565b3480156101d257600080fd5b50610196600160fd1b81565b3480156101ea57600080fd5b506101966101f9366004610845565b6001600160a01b031660009081526020819052604090205490565b34801561022057600080fd5b506100fe61022f366004610860565b6104de565b34801561024057600080fd5b506100fe61024f36600461088a565b610560565b34801561026057600080fd5b5061027461026f3660046108e3565b610575565b6040519015158152602001610160565b34801561029057600080fd5b506100fe61029f3660046108fc565b610597565b3480156102b057600080fd5b50610196600160ff1b81565b3480156102c857600080fd5b506102746102d73660046108fc565b61061c565b3480156102e857600080fd5b506001546102fc906001600160a01b031681565b6040516001600160a01b039091168152602001610160565b34801561032057600080fd5b506100fe61032f3660046108e3565b610645565b34801561034057600080fd5b5061027461034f3660046108e3565b610652565b6020810151815160609190156103f0576001600160e01b03198116600090815260026020526040812054908190036103c95760405162461bcd60e51b81526020600482015260136024820152721858d8d95cdcc81c9bdb19481b9bdd081cd95d606a1b60448201526064015b60405180910390fd5b6103d281610652565b6103ee5760405162461bcd60e51b81526004016103c090610918565b505b60015460405160009182916001600160a01b0390911690349061041490889061093f565b60006040518083038185875af1925050503d8060008114610451576040519150601f19603f3d011682016040523d82523d6000602084013e610456565b606091505b50915091508161049b5760405162461bcd60e51b815260206004820152601060248201526f195e1958dd5d1a5bdb8819985a5b195960821b60448201526064016103c0565b7f57a62eca76fc623c92f161d2a4b851851ece707135ce2af1eec256d660571b6d8386836040516104ce9392919061095b565b60405180910390a1949350505050565b6104eb600160fd1b610652565b6105075760405162461bcd60e51b81526004016103c090610918565b6001600160e01b03198216600081815260026020908152604091829020849055815192835282018390527fdb8ed917742b49e83acd1322bcaa8f18b1e5f78a70784c43ea14db7ab50e628d910160405180910390a15050565b6105718280519060200120826104de565b5050565b30600090815260208190526040812054610591905b8316831490565b92915050565b6105a4600160ff1b610652565b6105c05760405162461bcd60e51b81526004016103c090610918565b6105718282610617336105e8876001600160a01b031660009081526020819052604090205490565b6001600160a01b0391909116600090815260208190526040902054600019808818821618908716919091171690565b61065e565b6001600160a01b03821660009081526020819052604081205461063e9061058a565b9392505050565b61064f3082610597565b50565b6000610591338361061c565b6001600160a01b0383166000818152602081815260409182902084905581518581529081018490527fe9be537308880e0f56b7d7cfd7abf85f14c4934486d138f848b92a0cbaf659b4910160405180910390a2505050565b634e487b7160e01b600052604160045260246000fd5b600067ffffffffffffffff808411156106e7576106e76106b6565b604051601f8501601f19908116603f0116810190828211818310171561070f5761070f6106b6565b8160405280935085815286868601111561072857600080fd5b858560208301376000602087830101525050509392505050565b60006020828403121561075457600080fd5b813567ffffffffffffffff81111561076b57600080fd5b8201601f8101841361077c57600080fd5b61078b848235602084016106cc565b949350505050565b60005b838110156107ae578181015183820152602001610796565b50506000910152565b600081518084526107cf816020860160208601610793565b601f01601f19169290920160200192915050565b60208152600061063e60208301846107b7565b80356001600160e01b03198116811461080e57600080fd5b919050565b60006020828403121561082557600080fd5b61063e826107f6565b80356001600160a01b038116811461080e57600080fd5b60006020828403121561085757600080fd5b61063e8261082e565b6000806040838503121561087357600080fd5b61087c836107f6565b946020939093013593505050565b6000806040838503121561089d57600080fd5b823567ffffffffffffffff8111156108b457600080fd5b8301601f810185136108c557600080fd5b6108d4858235602084016106cc565b95602094909401359450505050565b6000602082840312156108f557600080fd5b5035919050565b6000806040838503121561090f57600080fd5b61087c8361082e565b6020808252600d908201526c1858d8d95cdcc819195b9a5959609a1b604082015260600190565b60008251610951818460208701610793565b9190910192915050565b63ffffffff60e01b8416815260606020820152600061097d60608301856107b7565b828103604084015261098f81856107b7565b969550505050505056fea26469706673582212206993ad950cca82a01e8e72c0503e3a006930148e125b67ad2894063853f6078264736f6c63430008150033",
+  "linkReferences": {},
+  "deployedLinkReferences": {}
+}

package/contracts/AccessControl.sol

@@ -0,0 +1,305 @@
+// SPDX-License-Identifier: MIT
+pragma solidity >=0.4.22; // require with message (0.4.22), pure/view modifiers (0.4.16), hardhat (0.4.11)
+
+/**
+ * @title Role-based Access Control (RBAC)
+ *
+ * @notice Access control smart contract provides an API to check
+ *      if a specific operation is permitted globally and/or
+ *      if a particular user has a permission to execute it.
+ *
+ * @notice This contract is inherited by other contracts requiring the role-based access control (RBAC)
+ *      protection for the restricted access functions
+ *
+ * @notice It deals with two main entities: features and roles.
+ *
+ * @notice Features are designed to be used to enable/disable public functions
+ *      of the smart contract (used by a wide audience).
+ * @notice User roles are designed to control the access to restricted functions
+ *      of the smart contract (used by a limited set of maintainers).
+ *
+ * @notice Terms "role", "permissions" and "set of permissions" have equal meaning
+ *      in the documentation text and may be used interchangeably.
+ * @notice Terms "permission", "single permission" implies only one permission bit set.
+ *
+ * @notice Access manager is a special role which allows to grant/revoke other roles.
+ *      Access managers can only grant/revoke permissions which they have themselves.
+ *      As an example, access manager with no other roles set can only grant/revoke its own
+ *      access manager permission and nothing else.
+ *
+ * @notice Access manager permission should be treated carefully, as a super admin permission:
+ *      Access manager with even no other permission can interfere with another account by
+ *      granting own access manager permission to it and effectively creating more powerful
+ *      permission set than its own.
+ *
+ * @dev Both current and OpenZeppelin AccessControl implementations feature a similar API
+ *      to check/know "who is allowed to do this thing".
+ * @dev Zeppelin implementation is more flexible:
+ *      - it allows setting unlimited number of roles, while current is limited to 256 different roles
+ *      - it allows setting an admin for each role, while current allows having only one global admin
+ * @dev Current implementation is more lightweight:
+ *      - it uses only 1 bit per role, while Zeppelin uses 256 bits
+ *      - it allows setting up to 256 roles at once, in a single transaction, while Zeppelin allows
+ *        setting only one role in a single transaction
+ *
+ * @dev This smart contract is designed to be inherited by other
+ *      smart contracts which require access control management capabilities.
+ *
+ * @dev Access manager permission has a bit 255 set.
+ *      This bit must not be used by inheriting contracts for any other permissions/features.
+ *
+ * @author Basil Gorin
+ */
+abstract contract AccessControl {
+	/**
+	 * @dev Privileged addresses with defined roles/permissions
+	 * @dev In the context of ERC20/ERC721 tokens these can be permissions to
+	 *      allow minting or burning tokens, transferring on behalf and so on
+	 *
+	 * @dev Maps user address to the permissions bitmask (role), where each bit
+	 *      represents a permission
+	 * @dev Bitmask 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+	 *      represents all possible permissions
+	 * @dev 'This' address mapping represents global features of the smart contract
+	 *
+	 * @dev We keep the mapping private to prevent direct writes to it from the inheriting
+	 *      contracts, `getRole()` and `updateRole()` functions should be used instead
+	 */
+	mapping(address => uint256) private userRoles;
+
+	/**
+	 * @notice Access manager is responsible for assigning the roles to users,
+	 *      enabling/disabling global features of the smart contract
+	 * @notice Access manager can add, remove and update user roles,
+	 *      remove and update global features
+	 *
+	 * @dev Role ROLE_ACCESS_MANAGER allows modifying user roles and global features
+	 * @dev Role ROLE_ACCESS_MANAGER has single bit at position 255 enabled
+	 */
+	uint256 public constant ROLE_ACCESS_MANAGER = 0x8000000000000000000000000000000000000000000000000000000000000000;
+
+	/**
+	 * @dev Bitmask representing all the possible permissions (super admin role)
+	 * @dev Has all the bits are enabled (2^256 - 1 value)
+	 */
+	uint256 internal constant FULL_PRIVILEGES_MASK = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF;
+
+	/**
+	 * @dev Fired in updateRole() and updateFeatures()
+	 *
+	 * @param operator address which was granted/revoked permissions
+	 * @param requested permissions requested
+	 * @param assigned permissions effectively set
+	 */
+	event RoleUpdated(address indexed operator, uint256 requested, uint256 assigned);
+
+	/**
+	 * @notice Function modifier making a function defined as public behave as restricted
+	 *      (so that only a pre-configured set of accounts can execute it)
+	 *
+	 * @param role the role transaction executor is required to have;
+	 *      the function throws an "access denied" exception if this condition is not met
+	 */
+	modifier restrictedTo(uint256 role) {
+		// verify the access permission
+		require(isSenderInRole(role), "access denied");
+
+		// execute the rest of the function
+		_;
+	}
+
+	/**
+	 * @notice Creates an access control instance, setting the contract owner to have full privileges
+	 *
+	 * @param _owner smart contract owner having full privileges, can be zero
+	 * @param _features initial features mask of the contract, can be zero
+	 */
+	constructor(address _owner, uint256 _features) internal { // visibility modifier is required to be compilable with 0.6.x
+		// grant owner full privileges
+		__setRole(_owner, FULL_PRIVILEGES_MASK, FULL_PRIVILEGES_MASK);
+		// update initial features bitmask
+		__setRole(address(this), _features, _features);
+	}
+
+	/**
+	 * @notice Retrieves globally set of features enabled
+	 *
+	 * @dev Effectively reads userRoles role for the contract itself
+	 *
+	 * @return 256-bit bitmask of the features enabled
+	 */
+	function features() public view returns (uint256) {
+		// features are stored in 'this' address mapping of `userRoles`
+		return getRole(address(this));
+	}
+
+	/**
+	 * @notice Updates set of the globally enabled features (`features`),
+	 *      taking into account sender's permissions
+	 *
+	 * @dev Requires transaction sender to have `ROLE_ACCESS_MANAGER` permission
+	 * @dev Function is left for backward compatibility with older versions
+	 *
+	 * @param _mask bitmask representing a set of features to enable/disable
+	 */
+	function updateFeatures(uint256 _mask) public {
+		// delegate call to `updateRole`
+		updateRole(address(this), _mask);
+	}
+
+	/**
+	 * @notice Reads the permissions (role) for a given user from the `userRoles` mapping
+	 *      (privileged addresses with defined roles/permissions)
+	 * @notice In the context of ERC20/ERC721 tokens these can be permissions to
+	 *      allow minting or burning tokens, transferring on behalf and so on
+	 *
+	 * @dev Having a simple getter instead of making the mapping public
+	 *      allows enforcing the encapsulation of the mapping and protects from
+	 *      writing to it directly in the inheriting smart contracts
+	 *
+	 * @param operator address of a user to read permissions for,
+	 *      or self address to read global features of the smart contract
+	 */
+	function getRole(address operator) public view returns(uint256) {
+		// read the value from `userRoles` and return
+		return userRoles[operator];
+	}
+
+	/**
+	 * @notice Updates set of permissions (role) for a given user,
+	 *      taking into account sender's permissions.
+	 *
+	 * @dev Setting role to zero is equivalent to removing an all permissions
+	 * @dev Setting role to `FULL_PRIVILEGES_MASK` is equivalent to
+	 *      copying senders' permissions (role) to the user
+	 * @dev Requires transaction sender to have `ROLE_ACCESS_MANAGER` permission
+	 *
+	 * @param operator address of a user to alter permissions for,
+	 *       or self address to alter global features of the smart contract
+	 * @param role bitmask representing a set of permissions to
+	 *      enable/disable for a user specified
+	 */
+	function updateRole(address operator, uint256 role) public {
+		// caller must have a permission to update user roles
+		require(isSenderInRole(ROLE_ACCESS_MANAGER), "access denied");
+
+		// evaluate the role and reassign it
+		__setRole(operator, role, _evaluateBy(msg.sender, getRole(operator), role));
+	}
+
+	/**
+	 * @notice Determines the permission bitmask an operator can set on the
+	 *      target permission set
+	 * @notice Used to calculate the permission bitmask to be set when requested
+	 *     in `updateRole` and `updateFeatures` functions
+	 *
+	 * @dev Calculated based on:
+	 *      1) operator's own permission set read from userRoles[operator]
+	 *      2) target permission set - what is already set on the target
+	 *      3) desired permission set - what do we want set target to
+	 *
+	 * @dev Corner cases:
+	 *      1) Operator is super admin and its permission set is `FULL_PRIVILEGES_MASK`:
+	 *        `desired` bitset is returned regardless of the `target` permission set value
+	 *        (what operator sets is what they get)
+	 *      2) Operator with no permissions (zero bitset):
+	 *        `target` bitset is returned regardless of the `desired` value
+	 *        (operator has no authority and cannot modify anything)
+	 *
+	 * @dev Example:
+	 *      Consider an operator with the permissions bitmask     00001111
+	 *      is about to modify the target permission set          01010101
+	 *      Operator wants to set that permission set to          00110011
+	 *      Based on their role, an operator has the permissions
+	 *      to update only lowest 4 bits on the target, meaning that
+	 *      high 4 bits of the target set in this example is left
+	 *      unchanged and low 4 bits get changed as desired:      01010011
+	 *
+	 * @param operator address of the contract operator which is about to set the permissions
+	 * @param target input set of permissions to operator is going to modify
+	 * @param desired desired set of permissions operator would like to set
+	 * @return resulting set of permissions given operator will set
+	 */
+	function _evaluateBy(address operator, uint256 target, uint256 desired) internal view returns (uint256) {
+		// read operator's permissions
+		uint256 p = getRole(operator);
+
+		// taking into account operator's permissions,
+		// 1) enable the permissions desired on the `target`
+		target |= p & desired;
+		// 2) disable the permissions desired on the `target`
+		target &= FULL_PRIVILEGES_MASK ^ (p & (FULL_PRIVILEGES_MASK ^ desired));
+
+		// return calculated result
+		return target;
+	}
+
+	/**
+	 * @notice Checks if requested set of features is enabled globally on the contract
+	 *
+	 * @param required set of features to check against
+	 * @return true if all the features requested are enabled, false otherwise
+	 */
+	function isFeatureEnabled(uint256 required) public view returns (bool) {
+		// delegate call to `__hasRole`, passing `features` property
+		return __hasRole(features(), required);
+	}
+
+	/**
+	 * @notice Checks if transaction sender `msg.sender` has all the permissions required
+	 *
+	 * @param required set of permissions (role) to check against
+	 * @return true if all the permissions requested are enabled, false otherwise
+	 */
+	function isSenderInRole(uint256 required) public view returns (bool) {
+		// delegate call to `isOperatorInRole`, passing transaction sender
+		return isOperatorInRole(msg.sender, required);
+	}
+
+	/**
+	 * @notice Checks if operator has all the permissions (role) required
+	 *
+	 * @param operator address of the user to check role for
+	 * @param required set of permissions (role) to check
+	 * @return true if all the permissions requested are enabled, false otherwise
+	 */
+	function isOperatorInRole(address operator, uint256 required) public view returns (bool) {
+		// delegate call to `__hasRole`, passing operator's permissions (role)
+		return __hasRole(getRole(operator), required);
+	}
+
+	/**
+	 * @dev Sets the `assignedRole` role to the operator, logs both `requestedRole` and `actualRole`
+	 *
+	 * @dev Unsafe:
+	 *      provides direct write access to `userRoles` mapping without any security checks,
+	 *      doesn't verify the executor (msg.sender) permissions,
+	 *      must be kept private at all times
+	 *
+	 * @param operator address of a user to alter permissions for,
+	 *       or self address to alter global features of the smart contract
+	 * @param requestedRole bitmask representing a set of permissions requested
+	 *      to be enabled/disabled for a user specified, used only to be logged into event
+	 * @param assignedRole bitmask representing a set of permissions to
+	 *      enable/disable for a user specified, used to update the mapping and to be logged into event
+	 */
+	function __setRole(address operator, uint256 requestedRole, uint256 assignedRole) private {
+		// assign the role to the operator
+		userRoles[operator] = assignedRole;
+
+		// fire an event
+		emit RoleUpdated(operator, requestedRole, assignedRole);
+	}
+
+	/**
+	 * @dev Checks if role `actual` contains all the permissions required `required`
+	 *
+	 * @param actual existent role
+	 * @param required required role
+	 * @return true if actual has required role (all permissions), false otherwise
+	 */
+	function __hasRole(uint256 actual, uint256 required) private pure returns (bool) {
+		// check the bitmask for the role required and return the result
+		return actual & required == required;
+	}
+}