npm - @lazy-sol/access-control - Versions diffs - 1.0.5 → 1.1.0 - Mend

@lazy-sol/access-control 1.0.5 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/CHANGELOG.md +38 -0
package/README.md +77 -0
package/Role-based Access Control (RBAC) Lifecycle.png +0 -0
package/artifacts/contracts/OwnableToAccessControlAdapter.sol/OwnableToAccessControlAdapter.json +7 -64
package/contracts/AccessControl.sol +15 -219
package/contracts/AccessControlCore.sol +353 -0
package/contracts/AdapterFactory.sol +1 -1
package/contracts/OwnableToAccessControlAdapter.sol +7 -5
package/contracts/mocks/AccessControlMock.sol +7 -1
package/hardhat.config.js +38 -9
package/index.js +4 -0
package/package.json +10 -6
package/test/include/rbac.behaviour.js +22 -7
package/test/ownable_to_rbac_adapter.js +1 -1
package/test/ownable_to_rbac_adapter_rbac.js +3 -3
package/test/rbac_modifier.js +1 -1

package/CHANGELOG.md ADDED Viewed

@@ -0,0 +1,38 @@
+v1.1.0: Contact Size Optimizations
+- __Breaking Change:__ Solidity 0.8.4 is now required to compile the contracts
+  (previously was 0.4.22 for the core contract and 0.6.2 for periphery contracts).
+- Replaced "access denied" error with string literal (0.4.22) with the custom error AccessDenied() (0.8.4)
+- Introduced lighter modification of the "AccessControl" RBAC contract – "AccessControlCore" (RBAC-C).
+  The 'core' version of the RBAC contract hides three rarely used external functions from the public ABI,
+  making them internal and thus reducing the overall compiled implementation size.
+  | old name             | old modifier | new name              | new modifier |
+  |----------------------|--------------|-----------------------|--------------|
+  | `isFeatureEnabled()` | `public`     | `isFeatureEnabled()`  | `internal`   |
+  | `isSenderInRole()`   | `public`     | `_isSenderInRole()`   | `internal`   |
+  | `isOperatorInRole()` | `public`     | `_isOperatorInRole()` | `internal`   |
+- Added `_requireSenderInRole()` and `_requireAccessCondition()` internal functions for a convenient and gas-efficient
+  way of checking the access permissions and throwing the AccessDenied() error.
+- Added the CHANGELOG (this file)
+v1.0.7:
+- Exported the RBAC behavior
+v1.0.6:
+- Updated the documentation
+v1.0.5:
+- Exported RBAC JavaScript constants and functions
+v1.0.4:
+- Fixed broken dependencies
+- Upgraded npm libraries
+- Added Sepolia network support
+v1.0.3:
+- Allowed lower versions of Hardhat to be used
+v1.0.2:
+- Optimized npm dependencies

package/README.md CHANGED Viewed

@@ -4,6 +4,83 @@ A shortcut to a modular and easily pluggable dapp architecture.
 Enable the modular plug and play (PnP) architecture for your dapp by incorporating the role-based access control (RBAC)
 into the smart contracts.
+## Technical Overview
+Role-based Access Control (RBAC), or simply Access Control, is the base parent contract to be inherited by other smart
+contracts wishing to enable the RBAC feature. It provides an API to check if a specific operation is permitted globally
+and/or if a particular user has a permission to execute it.
+It deals with two main entities: features and roles. Features are designed to be used to enable/disable public functions
+of the smart contract (used by a wide audience). User roles are designed to control the access to restricted functions
+of the smart contract (used by a limited set of maintainers).
+When designing the RBAC-enabled contract, the best practice is to make all public mutative functions controlled with
+their corresponding feature flags, which can be enabled/disabled during smart contact deployment, setup process, and,
+optionally, during contract operation.
+Restricted access functions must be controlled by their corresponding user roles/permissions and usually can be executed
+by the deployer during smart contract deployment and setup process.
+After deployment is complete and smart contract setup is verified the deployer should enable the feature flags and
+revoke own permissions to control these flags, as well as permissions to execute restricted access functions.
+It is possible that smart contract functionalities are enabled in phases, but the intention is that eventually it is
+also possible to set the smart contract to be uncontrolled by anyone and be fully decentralized.
+It is also possible that the deployer shares its admin permissions with other addresses during the deployment and setup
+process, but eventually all these permissions can be revoked from all the addresses involved.
+Following diagram summarizes stated below:
+![Role-based Access Control (RBAC) Lifecycle](Role-based%20Access%20Control%20%28RBAC%29%20Lifecycle.png)
+Diagram 1. RBAC-enabled smart contract deployment and setup phases. Contract evolves from the fully controlled in the
+initial phases of the setup process to the fully decentralized and uncontrolled in the end.
+It is important to note that it is not necessary, and not recommended to wait until the last “Setup Complete” phase is
+executed to consider the protocol fully operational in the mainnet. In fact, the best practice is to do the launch after
+the deployer permissions are revoked, but there are admin multisig accounts with the full permissions to control the
+protocol. This kind of approach allows reacting to the security issues, which are more likely to happen in the beginning
+of the protocol operation.
+## Special Permissions Mapping
+Special permissions mapping, `userRoles`, stores special permissions of the smart contract administrators and helpers.
+The mapping is a part of AccessControl and is inherited by the smart contracts using it.
+The value stored in the mapping is a 256 bits unsigned integer, each bit of that integer represents a particular
+permission. We call a set of permissions a role. Usually, roles are defined as 32 bits unsigned integer constants, but
+extension to 255 bits is possible.
+Permission with the bit 255 set is a special one. It corresponds to the access manager role `ROLE_ACCESS_MANAGER`
+defined on the Access Control smart contract and allows accounts having that bit set to grant/revoke their permissions
+to other addresses and to enable/disable corresponding features of the smart contract (to update self address “this”
+role – see below).
+Self address “this” mapping is a special one. It represents the deployed smart contract itself and defines features
+enabled on it. Features control what public functions are enabled and how they behave. Usually, features are defined as
+32 bits unsigned integer constants, but extension to 255 bits is possible.
+Access Control is a shared parent for other smart contracts which are free to use any strategy to introduce their
+features and roles. Usually, smart contracts use different values for all the features and roles (see the table in the
+next section).
+Access manager may revoke its own permissions, including the bit 255. Eventually that allows an access manager to let
+the smart contract “float freely” and be controlled only by the community (via DAO) or by no one at all.
+## Comparing with OpenZeppelin
+Both our and OpenZeppelin Access Control implementations feature a similar API to check/know "who is allowed to do this
+thing".
+Zeppelin implementation is more flexible:
+* it allows setting unlimited number of roles, while current is limited to 256 different roles
+* it allows setting an admin for each role, while current allows having only one global admin
+Our implementation is more lightweight:
+* it uses only 1 bit per role, while Zeppelin uses 256 bits
+* it allows setting up to 256 roles at once, in a single transaction, while Zeppelin allows setting only one role in a
+  single transaction
 ## Installation
 ```
 npm i -D @lazy-sol/access-control

package/Role-based Access Control (RBAC) Lifecycle.png ADDED Viewed

Binary file

package/artifacts/contracts/OwnableToAccessControlAdapter.sol/OwnableToAccessControlAdapter.json CHANGED Viewed

@@ -19,6 +19,11 @@
       "stateMutability": "nonpayable",
       "type": "constructor"
     },
+    {
+      "inputs": [],
+      "name": "AccessDenied",
+      "type": "error"
+    },
     {
       "anonymous": false,
       "inputs": [
@@ -188,68 +193,6 @@
       "stateMutability": "view",
       "type": "function"
     },
-    {
-      "inputs": [
-        {
-          "internalType": "uint256",
-          "name": "required",
-          "type": "uint256"
-        }
-      ],
-      "name": "isFeatureEnabled",
-      "outputs": [
-        {
-          "internalType": "bool",
-          "name": "",
-          "type": "bool"
-        }
-      ],
-      "stateMutability": "view",
-      "type": "function"
-    },
-    {
-      "inputs": [
-        {
-          "internalType": "address",
-          "name": "operator",
-          "type": "address"
-        },
-        {
-          "internalType": "uint256",
-          "name": "required",
-          "type": "uint256"
-        }
-      ],
-      "name": "isOperatorInRole",
-      "outputs": [
-        {
-          "internalType": "bool",
-          "name": "",
-          "type": "bool"
-        }
-      ],
-      "stateMutability": "view",
-      "type": "function"
-    },
-    {
-      "inputs": [
-        {
-          "internalType": "uint256",
-          "name": "required",
-          "type": "uint256"
-        }
-      ],
-      "name": "isSenderInRole",
-      "outputs": [
-        {
-          "internalType": "bool",
-          "name": "",
-          "type": "bool"
-        }
-      ],
-      "stateMutability": "view",
-      "type": "function"
-    },
     {
       "inputs": [],
       "name": "target",
@@ -335,8 +278,8 @@
       "type": "receive"
     }
   ],
-  "bytecode": "0x608060405234801561001057600080fd5b50604051610b40380380610b4083398101604081905261002f9161012f565b80600061003f82600019806100bb565b61004a3082806100bb565b50506001600160a01b0382166100955760405162461bcd60e51b815260206004820152600c60248201526b7a65726f206164647265737360a01b604482015260640160405180910390fd5b50600180546001600160a01b0319166001600160a01b0392909216919091179055610162565b6001600160a01b0383166000818152602081815260409182902084905581518581529081018490527fe9be537308880e0f56b7d7cfd7abf85f14c4934486d138f848b92a0cbaf659b4910160405180910390a2505050565b80516001600160a01b038116811461012a57600080fd5b919050565b6000806040838503121561014257600080fd5b61014b83610113565b915061015960208401610113565b90509250929050565b6109cf806101716000396000f3fe6080604052600436106100e15760003560e01c8063725f36261161007f578063c688d69311610059578063c688d693146102bc578063d4b83992146102dc578063d5bb7f6714610314578063fcc2c0781461033457610100565b8063725f362614610254578063ae5b102e14610284578063ae682e2e146102a457610100565b806334e48c9e116100bb57806334e48c9e146101c657806344276733146101de578063491d2611146102145780635defb40d1461023457610100565b806309c5eabe146101405780630e82fe25146101695780632b521416146101a457610100565b36610100576100fe60405180602001604052806000815250610354565b005b6100fe6000368080601f01602080910402602001604051908101604052809392919081815260200183838082843760009201919091525061035492505050565b61015361014e366004610742565b610354565b60405161016091906107e3565b60405180910390f35b34801561017557600080fd5b50610196610184366004610813565b60026020526000908152604090205481565b604051908152602001610160565b3480156101b057600080fd5b5030600090815260208190526040902054610196565b3480156101d257600080fd5b50610196600160fd1b81565b3480156101ea57600080fd5b506101966101f9366004610845565b6001600160a01b031660009081526020819052604090205490565b34801561022057600080fd5b506100fe61022f366004610860565b6104de565b34801561024057600080fd5b506100fe61024f36600461088a565b610560565b34801561026057600080fd5b5061027461026f3660046108e3565b610575565b6040519015158152602001610160565b34801561029057600080fd5b506100fe61029f3660046108fc565b610597565b3480156102b057600080fd5b50610196600160ff1b81565b3480156102c857600080fd5b506102746102d73660046108fc565b61061c565b3480156102e857600080fd5b506001546102fc906001600160a01b031681565b6040516001600160a01b039091168152602001610160565b34801561032057600080fd5b506100fe61032f3660046108e3565b610645565b34801561034057600080fd5b5061027461034f3660046108e3565b610652565b6020810151815160609190156103f0576001600160e01b03198116600090815260026020526040812054908190036103c95760405162461bcd60e51b81526020600482015260136024820152721858d8d95cdcc81c9bdb19481b9bdd081cd95d606a1b60448201526064015b60405180910390fd5b6103d281610652565b6103ee5760405162461bcd60e51b81526004016103c090610918565b505b60015460405160009182916001600160a01b0390911690349061041490889061093f565b60006040518083038185875af1925050503d8060008114610451576040519150601f19603f3d011682016040523d82523d6000602084013e610456565b606091505b50915091508161049b5760405162461bcd60e51b815260206004820152601060248201526f195e1958dd5d1a5bdb8819985a5b195960821b60448201526064016103c0565b7f57a62eca76fc623c92f161d2a4b851851ece707135ce2af1eec256d660571b6d8386836040516104ce9392919061095b565b60405180910390a1949350505050565b6104eb600160fd1b610652565b6105075760405162461bcd60e51b81526004016103c090610918565b6001600160e01b03198216600081815260026020908152604091829020849055815192835282018390527fdb8ed917742b49e83acd1322bcaa8f18b1e5f78a70784c43ea14db7ab50e628d910160405180910390a15050565b6105718280519060200120826104de565b5050565b30600090815260208190526040812054610591905b8316831490565b92915050565b6105a4600160ff1b610652565b6105c05760405162461bcd60e51b81526004016103c090610918565b6105718282610617336105e8876001600160a01b031660009081526020819052604090205490565b6001600160a01b0391909116600090815260208190526040902054600019808818821618908716919091171690565b61065e565b6001600160a01b03821660009081526020819052604081205461063e9061058a565b9392505050565b61064f3082610597565b50565b6000610591338361061c565b6001600160a01b0383166000818152602081815260409182902084905581518581529081018490527fe9be537308880e0f56b7d7cfd7abf85f14c4934486d138f848b92a0cbaf659b4910160405180910390a2505050565b634e487b7160e01b600052604160045260246000fd5b600067ffffffffffffffff808411156106e7576106e76106b6565b604051601f8501601f19908116603f0116810190828211818310171561070f5761070f6106b6565b8160405280935085815286868601111561072857600080fd5b858560208301376000602087830101525050509392505050565b60006020828403121561075457600080fd5b813567ffffffffffffffff81111561076b57600080fd5b8201601f8101841361077c57600080fd5b61078b848235602084016106cc565b949350505050565b60005b838110156107ae578181015183820152602001610796565b50506000910152565b600081518084526107cf816020860160208601610793565b601f01601f19169290920160200192915050565b60208152600061063e60208301846107b7565b80356001600160e01b03198116811461080e57600080fd5b919050565b60006020828403121561082557600080fd5b61063e826107f6565b80356001600160a01b038116811461080e57600080fd5b60006020828403121561085757600080fd5b61063e8261082e565b6000806040838503121561087357600080fd5b61087c836107f6565b946020939093013593505050565b6000806040838503121561089d57600080fd5b823567ffffffffffffffff8111156108b457600080fd5b8301601f810185136108c557600080fd5b6108d4858235602084016106cc565b95602094909401359450505050565b6000602082840312156108f557600080fd5b5035919050565b6000806040838503121561090f57600080fd5b61087c8361082e565b6020808252600d908201526c1858d8d95cdcc819195b9a5959609a1b604082015260600190565b60008251610951818460208701610793565b9190910192915050565b63ffffffff60e01b8416815260606020820152600061097d60608301856107b7565b828103604084015261098f81856107b7565b969550505050505056fea26469706673582212206993ad950cca82a01e8e72c0503e3a006930148e125b67ad2894063853f6078264736f6c63430008150033",
-  "deployedBytecode": "0x6080604052600436106100e15760003560e01c8063725f36261161007f578063c688d69311610059578063c688d693146102bc578063d4b83992146102dc578063d5bb7f6714610314578063fcc2c0781461033457610100565b8063725f362614610254578063ae5b102e14610284578063ae682e2e146102a457610100565b806334e48c9e116100bb57806334e48c9e146101c657806344276733146101de578063491d2611146102145780635defb40d1461023457610100565b806309c5eabe146101405780630e82fe25146101695780632b521416146101a457610100565b36610100576100fe60405180602001604052806000815250610354565b005b6100fe6000368080601f01602080910402602001604051908101604052809392919081815260200183838082843760009201919091525061035492505050565b61015361014e366004610742565b610354565b60405161016091906107e3565b60405180910390f35b34801561017557600080fd5b50610196610184366004610813565b60026020526000908152604090205481565b604051908152602001610160565b3480156101b057600080fd5b5030600090815260208190526040902054610196565b3480156101d257600080fd5b50610196600160fd1b81565b3480156101ea57600080fd5b506101966101f9366004610845565b6001600160a01b031660009081526020819052604090205490565b34801561022057600080fd5b506100fe61022f366004610860565b6104de565b34801561024057600080fd5b506100fe61024f36600461088a565b610560565b34801561026057600080fd5b5061027461026f3660046108e3565b610575565b6040519015158152602001610160565b34801561029057600080fd5b506100fe61029f3660046108fc565b610597565b3480156102b057600080fd5b50610196600160ff1b81565b3480156102c857600080fd5b506102746102d73660046108fc565b61061c565b3480156102e857600080fd5b506001546102fc906001600160a01b031681565b6040516001600160a01b039091168152602001610160565b34801561032057600080fd5b506100fe61032f3660046108e3565b610645565b34801561034057600080fd5b5061027461034f3660046108e3565b610652565b6020810151815160609190156103f0576001600160e01b03198116600090815260026020526040812054908190036103c95760405162461bcd60e51b81526020600482015260136024820152721858d8d95cdcc81c9bdb19481b9bdd081cd95d606a1b60448201526064015b60405180910390fd5b6103d281610652565b6103ee5760405162461bcd60e51b81526004016103c090610918565b505b60015460405160009182916001600160a01b0390911690349061041490889061093f565b60006040518083038185875af1925050503d8060008114610451576040519150601f19603f3d011682016040523d82523d6000602084013e610456565b606091505b50915091508161049b5760405162461bcd60e51b815260206004820152601060248201526f195e1958dd5d1a5bdb8819985a5b195960821b60448201526064016103c0565b7f57a62eca76fc623c92f161d2a4b851851ece707135ce2af1eec256d660571b6d8386836040516104ce9392919061095b565b60405180910390a1949350505050565b6104eb600160fd1b610652565b6105075760405162461bcd60e51b81526004016103c090610918565b6001600160e01b03198216600081815260026020908152604091829020849055815192835282018390527fdb8ed917742b49e83acd1322bcaa8f18b1e5f78a70784c43ea14db7ab50e628d910160405180910390a15050565b6105718280519060200120826104de565b5050565b30600090815260208190526040812054610591905b8316831490565b92915050565b6105a4600160ff1b610652565b6105c05760405162461bcd60e51b81526004016103c090610918565b6105718282610617336105e8876001600160a01b031660009081526020819052604090205490565b6001600160a01b0391909116600090815260208190526040902054600019808818821618908716919091171690565b61065e565b6001600160a01b03821660009081526020819052604081205461063e9061058a565b9392505050565b61064f3082610597565b50565b6000610591338361061c565b6001600160a01b0383166000818152602081815260409182902084905581518581529081018490527fe9be537308880e0f56b7d7cfd7abf85f14c4934486d138f848b92a0cbaf659b4910160405180910390a2505050565b634e487b7160e01b600052604160045260246000fd5b600067ffffffffffffffff808411156106e7576106e76106b6565b604051601f8501601f19908116603f0116810190828211818310171561070f5761070f6106b6565b8160405280935085815286868601111561072857600080fd5b858560208301376000602087830101525050509392505050565b60006020828403121561075457600080fd5b813567ffffffffffffffff81111561076b57600080fd5b8201601f8101841361077c57600080fd5b61078b848235602084016106cc565b949350505050565b60005b838110156107ae578181015183820152602001610796565b50506000910152565b600081518084526107cf816020860160208601610793565b601f01601f19169290920160200192915050565b60208152600061063e60208301846107b7565b80356001600160e01b03198116811461080e57600080fd5b919050565b60006020828403121561082557600080fd5b61063e826107f6565b80356001600160a01b038116811461080e57600080fd5b60006020828403121561085757600080fd5b61063e8261082e565b6000806040838503121561087357600080fd5b61087c836107f6565b946020939093013593505050565b6000806040838503121561089d57600080fd5b823567ffffffffffffffff8111156108b457600080fd5b8301601f810185136108c557600080fd5b6108d4858235602084016106cc565b95602094909401359450505050565b6000602082840312156108f557600080fd5b5035919050565b6000806040838503121561090f57600080fd5b61087c8361082e565b6020808252600d908201526c1858d8d95cdcc819195b9a5959609a1b604082015260600190565b60008251610951818460208701610793565b9190910192915050565b63ffffffff60e01b8416815260606020820152600061097d60608301856107b7565b828103604084015261098f81856107b7565b969550505050505056fea26469706673582212206993ad950cca82a01e8e72c0503e3a006930148e125b67ad2894063853f6078264736f6c63430008150033",
+  "bytecode": "0x608060405234801561001057600080fd5b50604051610a23380380610a2383398101604081905261002f9161012f565b80600061003f82600019806100bb565b61004a3082806100bb565b50506001600160a01b0382166100955760405162461bcd60e51b815260206004820152600c60248201526b7a65726f206164647265737360a01b604482015260640160405180910390fd5b50600180546001600160a01b0319166001600160a01b0392909216919091179055610162565b6001600160a01b0383166000818152602081815260409182902084905581518581529081018490527fe9be537308880e0f56b7d7cfd7abf85f14c4934486d138f848b92a0cbaf659b4910160405180910390a2505050565b80516001600160a01b038116811461012a57600080fd5b919050565b6000806040838503121561014257600080fd5b61014b83610113565b915061015960208401610113565b90509250929050565b6108b2806101716000396000f3fe6080604052600436106100a05760003560e01c8063491d261111610064578063491d2611146101d35780635defb40d146101f3578063ae5b102e14610213578063ae682e2e14610233578063d4b839921461024b578063d5bb7f6714610283576100bf565b806309c5eabe146100ff5780630e82fe25146101285780632b5214161461016357806334e48c9e14610185578063442767331461019d576100bf565b366100bf576100bd604051806020016040528060008152506102a3565b005b6100bd6000368080601f0160208091040260200160405190810160405280939291908181526020018383808284376000920191909152506102a392505050565b61011261010d36600461064c565b6102a3565b60405161011f91906106ed565b60405180910390f35b34801561013457600080fd5b5061015561014336600461071d565b60026020526000908152604090205481565b60405190815260200161011f565b34801561016f57600080fd5b5030600090815260208190526040902054610155565b34801561019157600080fd5b50610155600160fd1b81565b3480156101a957600080fd5b506101556101b836600461074f565b6001600160a01b031660009081526020819052604090205490565b3480156101df57600080fd5b506100bd6101ee36600461076a565b610411565b3480156101ff57600080fd5b506100bd61020e366004610794565b610477565b34801561021f57600080fd5b506100bd61022e3660046107ed565b61048c565b34801561023f57600080fd5b50610155600160ff1b81565b34801561025757600080fd5b5060015461026b906001600160a01b031681565b6040516001600160a01b03909116815260200161011f565b34801561028f57600080fd5b506100bd61029e366004610809565b6104f5565b602081015181516060919015610323576001600160e01b03198116600090815260026020526040812054908190036103185760405162461bcd60e51b81526020600482015260136024820152721858d8d95cdcc81c9bdb19481b9bdd081cd95d606a1b60448201526064015b60405180910390fd5b61032181610502565b505b60015460405160009182916001600160a01b03909116903490610347908890610822565b60006040518083038185875af1925050503d8060008114610384576040519150601f19603f3d011682016040523d82523d6000602084013e610389565b606091505b5091509150816103ce5760405162461bcd60e51b815260206004820152601060248201526f195e1958dd5d1a5bdb8819985a5b195960821b604482015260640161030f565b7f57a62eca76fc623c92f161d2a4b851851ece707135ce2af1eec256d660571b6d8386836040516104019392919061083e565b60405180910390a1949350505050565b61041e600160fd1b610502565b6001600160e01b03198216600081815260026020908152604091829020849055815192835282018390527fdb8ed917742b49e83acd1322bcaa8f18b1e5f78a70784c43ea14db7ab50e628d910160405180910390a15050565b610488828051906020012082610411565b5050565b610499600160ff1b610502565b61048882826104f0336104c1876001600160a01b031660009081526020819052604090205490565b6001600160a01b0391909116600090815260208190526040902054600019808818821618908716919091171690565b610513565b6104ff308261048c565b50565b6104ff61050e8261056b565b61057d565b6001600160a01b0383166000818152602081815260409182902084905581518581529081018490527fe9be537308880e0f56b7d7cfd7abf85f14c4934486d138f848b92a0cbaf659b4910160405180910390a2505050565b6000610577338361059b565b92915050565b806104ff57604051634ca8886760e01b815260040160405180910390fd5b6001600160a01b038216600090815260208190526040812054821682145b9392505050565b634e487b7160e01b600052604160045260246000fd5b600067ffffffffffffffff808411156105f1576105f16105c0565b604051601f8501601f19908116603f01168101908282118183101715610619576106196105c0565b8160405280935085815286868601111561063257600080fd5b858560208301376000602087830101525050509392505050565b60006020828403121561065e57600080fd5b813567ffffffffffffffff81111561067557600080fd5b8201601f8101841361068657600080fd5b610695848235602084016105d6565b949350505050565b60005b838110156106b85781810151838201526020016106a0565b50506000910152565b600081518084526106d981602086016020860161069d565b601f01601f19169290920160200192915050565b6020815260006105b960208301846106c1565b80356001600160e01b03198116811461071857600080fd5b919050565b60006020828403121561072f57600080fd5b6105b982610700565b80356001600160a01b038116811461071857600080fd5b60006020828403121561076157600080fd5b6105b982610738565b6000806040838503121561077d57600080fd5b61078683610700565b946020939093013593505050565b600080604083850312156107a757600080fd5b823567ffffffffffffffff8111156107be57600080fd5b8301601f810185136107cf57600080fd5b6107de858235602084016105d6565b95602094909401359450505050565b6000806040838503121561080057600080fd5b61078683610738565b60006020828403121561081b57600080fd5b5035919050565b6000825161083481846020870161069d565b9190910192915050565b63ffffffff60e01b8416815260606020820152600061086060608301856106c1565b828103604084015261087281856106c1565b969550505050505056fea2646970667358221220e3c74e6e9d12e9f897ad014f9a9508e19f07aa6158ea118e7b0f262e5ef3629764736f6c63430008150033",
+  "deployedBytecode": "0x6080604052600436106100a05760003560e01c8063491d261111610064578063491d2611146101d35780635defb40d146101f3578063ae5b102e14610213578063ae682e2e14610233578063d4b839921461024b578063d5bb7f6714610283576100bf565b806309c5eabe146100ff5780630e82fe25146101285780632b5214161461016357806334e48c9e14610185578063442767331461019d576100bf565b366100bf576100bd604051806020016040528060008152506102a3565b005b6100bd6000368080601f0160208091040260200160405190810160405280939291908181526020018383808284376000920191909152506102a392505050565b61011261010d36600461064c565b6102a3565b60405161011f91906106ed565b60405180910390f35b34801561013457600080fd5b5061015561014336600461071d565b60026020526000908152604090205481565b60405190815260200161011f565b34801561016f57600080fd5b5030600090815260208190526040902054610155565b34801561019157600080fd5b50610155600160fd1b81565b3480156101a957600080fd5b506101556101b836600461074f565b6001600160a01b031660009081526020819052604090205490565b3480156101df57600080fd5b506100bd6101ee36600461076a565b610411565b3480156101ff57600080fd5b506100bd61020e366004610794565b610477565b34801561021f57600080fd5b506100bd61022e3660046107ed565b61048c565b34801561023f57600080fd5b50610155600160ff1b81565b34801561025757600080fd5b5060015461026b906001600160a01b031681565b6040516001600160a01b03909116815260200161011f565b34801561028f57600080fd5b506100bd61029e366004610809565b6104f5565b602081015181516060919015610323576001600160e01b03198116600090815260026020526040812054908190036103185760405162461bcd60e51b81526020600482015260136024820152721858d8d95cdcc81c9bdb19481b9bdd081cd95d606a1b60448201526064015b60405180910390fd5b61032181610502565b505b60015460405160009182916001600160a01b03909116903490610347908890610822565b60006040518083038185875af1925050503d8060008114610384576040519150601f19603f3d011682016040523d82523d6000602084013e610389565b606091505b5091509150816103ce5760405162461bcd60e51b815260206004820152601060248201526f195e1958dd5d1a5bdb8819985a5b195960821b604482015260640161030f565b7f57a62eca76fc623c92f161d2a4b851851ece707135ce2af1eec256d660571b6d8386836040516104019392919061083e565b60405180910390a1949350505050565b61041e600160fd1b610502565b6001600160e01b03198216600081815260026020908152604091829020849055815192835282018390527fdb8ed917742b49e83acd1322bcaa8f18b1e5f78a70784c43ea14db7ab50e628d910160405180910390a15050565b610488828051906020012082610411565b5050565b610499600160ff1b610502565b61048882826104f0336104c1876001600160a01b031660009081526020819052604090205490565b6001600160a01b0391909116600090815260208190526040902054600019808818821618908716919091171690565b610513565b6104ff308261048c565b50565b6104ff61050e8261056b565b61057d565b6001600160a01b0383166000818152602081815260409182902084905581518581529081018490527fe9be537308880e0f56b7d7cfd7abf85f14c4934486d138f848b92a0cbaf659b4910160405180910390a2505050565b6000610577338361059b565b92915050565b806104ff57604051634ca8886760e01b815260040160405180910390fd5b6001600160a01b038216600090815260208190526040812054821682145b9392505050565b634e487b7160e01b600052604160045260246000fd5b600067ffffffffffffffff808411156105f1576105f16105c0565b604051601f8501601f19908116603f01168101908282118183101715610619576106196105c0565b8160405280935085815286868601111561063257600080fd5b858560208301376000602087830101525050509392505050565b60006020828403121561065e57600080fd5b813567ffffffffffffffff81111561067557600080fd5b8201601f8101841361068657600080fd5b610695848235602084016105d6565b949350505050565b60005b838110156106b85781810151838201526020016106a0565b50506000910152565b600081518084526106d981602086016020860161069d565b601f01601f19169290920160200192915050565b6020815260006105b960208301846106c1565b80356001600160e01b03198116811461071857600080fd5b919050565b60006020828403121561072f57600080fd5b6105b982610700565b80356001600160a01b038116811461071857600080fd5b60006020828403121561076157600080fd5b6105b982610738565b6000806040838503121561077d57600080fd5b61078683610700565b946020939093013593505050565b600080604083850312156107a757600080fd5b823567ffffffffffffffff8111156107be57600080fd5b8301601f810185136107cf57600080fd5b6107de858235602084016105d6565b95602094909401359450505050565b6000806040838503121561080057600080fd5b61078683610738565b60006020828403121561081b57600080fd5b5035919050565b6000825161083481846020870161069d565b9190910192915050565b63ffffffff60e01b8416815260606020820152600061086060608301856106c1565b828103604084015261087281856106c1565b969550505050505056fea2646970667358221220e3c74e6e9d12e9f897ad014f9a9508e19f07aa6158ea118e7b0f262e5ef3629764736f6c63430008150033",
   "linkReferences": {},
   "deployedLinkReferences": {}
 }

package/contracts/AccessControl.sol CHANGED Viewed

@@ -1,5 +1,11 @@
 // SPDX-License-Identifier: MIT
-pragma solidity >=0.4.22; // require with message (0.4.22), pure/view modifiers (0.4.16), hardhat (0.4.11)
+// custom errors (0.8.4)
+// require with message (0.4.22)
+// pure/view modifiers (0.4.16)
+// hardhat (0.4.11)
+pragma solidity >=0.8.4;
+import {AccessControlCore} from "./AccessControlCore.sol";
 /**
  * @title Role-based Access Control (RBAC)
@@ -50,189 +56,14 @@ pragma solidity >=0.4.22; // require with message (0.4.22), pure/view modifiers
  *
  * @author Basil Gorin
  */
-abstract contract AccessControl {
-	/**
-	 * @dev Privileged addresses with defined roles/permissions
-	 * @dev In the context of ERC20/ERC721 tokens these can be permissions to
-	 *      allow minting or burning tokens, transferring on behalf and so on
-	 *
-	 * @dev Maps user address to the permissions bitmask (role), where each bit
-	 *      represents a permission
-	 * @dev Bitmask 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
-	 *      represents all possible permissions
-	 * @dev 'This' address mapping represents global features of the smart contract
-	 *
-	 * @dev We keep the mapping private to prevent direct writes to it from the inheriting
-	 *      contracts, `getRole()` and `updateRole()` functions should be used instead
-	 */
-	mapping(address => uint256) private userRoles;
-	/**
-	 * @notice Access manager is responsible for assigning the roles to users,
-	 *      enabling/disabling global features of the smart contract
-	 * @notice Access manager can add, remove and update user roles,
-	 *      remove and update global features
-	 *
-	 * @dev Role ROLE_ACCESS_MANAGER allows modifying user roles and global features
-	 * @dev Role ROLE_ACCESS_MANAGER has single bit at position 255 enabled
-	 */
-	uint256 public constant ROLE_ACCESS_MANAGER = 0x8000000000000000000000000000000000000000000000000000000000000000;
-	/**
-	 * @dev Bitmask representing all the possible permissions (super admin role)
-	 * @dev Has all the bits are enabled (2^256 - 1 value)
-	 */
-	uint256 internal constant FULL_PRIVILEGES_MASK = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF;
-	/**
-	 * @dev Fired in updateRole() and updateFeatures()
-	 *
-	 * @param operator address which was granted/revoked permissions
-	 * @param requested permissions requested
-	 * @param assigned permissions effectively set
-	 */
-	event RoleUpdated(address indexed operator, uint256 requested, uint256 assigned);
-	/**
-	 * @notice Function modifier making a function defined as public behave as restricted
-	 *      (so that only a pre-configured set of accounts can execute it)
-	 *
-	 * @param role the role transaction executor is required to have;
-	 *      the function throws an "access denied" exception if this condition is not met
-	 */
-	modifier restrictedTo(uint256 role) {
-		// verify the access permission
-		require(isSenderInRole(role), "access denied");
-		// execute the rest of the function
-		_;
-	}
+contract AccessControl is AccessControlCore {
 	/**
 	 * @notice Creates an access control instance, setting the contract owner to have full privileges
 	 *
 	 * @param _owner smart contract owner having full privileges, can be zero
 	 * @param _features initial features mask of the contract, can be zero
 	 */
-	constructor(address _owner, uint256 _features) internal { // visibility modifier is required to be compilable with 0.6.x
-		// grant owner full privileges
-		__setRole(_owner, FULL_PRIVILEGES_MASK, FULL_PRIVILEGES_MASK);
-		// update initial features bitmask
-		__setRole(address(this), _features, _features);
-	}
-	/**
-	 * @notice Retrieves globally set of features enabled
-	 *
-	 * @dev Effectively reads userRoles role for the contract itself
-	 *
-	 * @return 256-bit bitmask of the features enabled
-	 */
-	function features() public view returns (uint256) {
-		// features are stored in 'this' address mapping of `userRoles`
-		return getRole(address(this));
-	}
-	/**
-	 * @notice Updates set of the globally enabled features (`features`),
-	 *      taking into account sender's permissions
-	 *
-	 * @dev Requires transaction sender to have `ROLE_ACCESS_MANAGER` permission
-	 * @dev Function is left for backward compatibility with older versions
-	 *
-	 * @param _mask bitmask representing a set of features to enable/disable
-	 */
-	function updateFeatures(uint256 _mask) public {
-		// delegate call to `updateRole`
-		updateRole(address(this), _mask);
-	}
-	/**
-	 * @notice Reads the permissions (role) for a given user from the `userRoles` mapping
-	 *      (privileged addresses with defined roles/permissions)
-	 * @notice In the context of ERC20/ERC721 tokens these can be permissions to
-	 *      allow minting or burning tokens, transferring on behalf and so on
-	 *
-	 * @dev Having a simple getter instead of making the mapping public
-	 *      allows enforcing the encapsulation of the mapping and protects from
-	 *      writing to it directly in the inheriting smart contracts
-	 *
-	 * @param operator address of a user to read permissions for,
-	 *      or self address to read global features of the smart contract
-	 */
-	function getRole(address operator) public view returns(uint256) {
-		// read the value from `userRoles` and return
-		return userRoles[operator];
-	}
-	/**
-	 * @notice Updates set of permissions (role) for a given user,
-	 *      taking into account sender's permissions.
-	 *
-	 * @dev Setting role to zero is equivalent to removing an all permissions
-	 * @dev Setting role to `FULL_PRIVILEGES_MASK` is equivalent to
-	 *      copying senders' permissions (role) to the user
-	 * @dev Requires transaction sender to have `ROLE_ACCESS_MANAGER` permission
-	 *
-	 * @param operator address of a user to alter permissions for,
-	 *       or self address to alter global features of the smart contract
-	 * @param role bitmask representing a set of permissions to
-	 *      enable/disable for a user specified
-	 */
-	function updateRole(address operator, uint256 role) public {
-		// caller must have a permission to update user roles
-		require(isSenderInRole(ROLE_ACCESS_MANAGER), "access denied");
-		// evaluate the role and reassign it
-		__setRole(operator, role, _evaluateBy(msg.sender, getRole(operator), role));
-	}
-	/**
-	 * @notice Determines the permission bitmask an operator can set on the
-	 *      target permission set
-	 * @notice Used to calculate the permission bitmask to be set when requested
-	 *     in `updateRole` and `updateFeatures` functions
-	 *
-	 * @dev Calculated based on:
-	 *      1) operator's own permission set read from userRoles[operator]
-	 *      2) target permission set - what is already set on the target
-	 *      3) desired permission set - what do we want set target to
-	 *
-	 * @dev Corner cases:
-	 *      1) Operator is super admin and its permission set is `FULL_PRIVILEGES_MASK`:
-	 *        `desired` bitset is returned regardless of the `target` permission set value
-	 *        (what operator sets is what they get)
-	 *      2) Operator with no permissions (zero bitset):
-	 *        `target` bitset is returned regardless of the `desired` value
-	 *        (operator has no authority and cannot modify anything)
-	 *
-	 * @dev Example:
-	 *      Consider an operator with the permissions bitmask     00001111
-	 *      is about to modify the target permission set          01010101
-	 *      Operator wants to set that permission set to          00110011
-	 *      Based on their role, an operator has the permissions
-	 *      to update only lowest 4 bits on the target, meaning that
-	 *      high 4 bits of the target set in this example is left
-	 *      unchanged and low 4 bits get changed as desired:      01010011
-	 *
-	 * @param operator address of the contract operator which is about to set the permissions
-	 * @param target input set of permissions to operator is going to modify
-	 * @param desired desired set of permissions operator would like to set
-	 * @return resulting set of permissions given operator will set
-	 */
-	function _evaluateBy(address operator, uint256 target, uint256 desired) internal view returns (uint256) {
-		// read operator's permissions
-		uint256 p = getRole(operator);
-		// taking into account operator's permissions,
-		// 1) enable the permissions desired on the `target`
-		target |= p & desired;
-		// 2) disable the permissions desired on the `target`
-		target &= FULL_PRIVILEGES_MASK ^ (p & (FULL_PRIVILEGES_MASK ^ desired));
-		// return calculated result
-		return target;
-	}
+	constructor(address _owner, uint256 _features) AccessControlCore(_owner, _features) {} // visibility modifier is required to be compilable with 0.6.x
 	/**
 	 * @notice Checks if requested set of features is enabled globally on the contract
@@ -241,8 +72,8 @@ abstract contract AccessControl {
 	 * @return true if all the features requested are enabled, false otherwise
 	 */
 	function isFeatureEnabled(uint256 required) public view returns (bool) {
-		// delegate call to `__hasRole`, passing `features` property
-		return __hasRole(features(), required);
+		// delegate to internal `_isFeatureEnabled`
+		return _isFeatureEnabled(required);
 	}
 	/**
@@ -252,8 +83,8 @@ abstract contract AccessControl {
 	 * @return true if all the permissions requested are enabled, false otherwise
 	 */
 	function isSenderInRole(uint256 required) public view returns (bool) {
-		// delegate call to `isOperatorInRole`, passing transaction sender
-		return isOperatorInRole(msg.sender, required);
+		// delegate to internal `_isSenderInRole`
+		return _isSenderInRole(required);
 	}
 	/**
@@ -264,42 +95,7 @@ abstract contract AccessControl {
 	 * @return true if all the permissions requested are enabled, false otherwise
 	 */
 	function isOperatorInRole(address operator, uint256 required) public view returns (bool) {
-		// delegate call to `__hasRole`, passing operator's permissions (role)
-		return __hasRole(getRole(operator), required);
-	}
-	/**
-	 * @dev Sets the `assignedRole` role to the operator, logs both `requestedRole` and `actualRole`
-	 *
-	 * @dev Unsafe:
-	 *      provides direct write access to `userRoles` mapping without any security checks,
-	 *      doesn't verify the executor (msg.sender) permissions,
-	 *      must be kept private at all times
-	 *
-	 * @param operator address of a user to alter permissions for,
-	 *       or self address to alter global features of the smart contract
-	 * @param requestedRole bitmask representing a set of permissions requested
-	 *      to be enabled/disabled for a user specified, used only to be logged into event
-	 * @param assignedRole bitmask representing a set of permissions to
-	 *      enable/disable for a user specified, used to update the mapping and to be logged into event
-	 */
-	function __setRole(address operator, uint256 requestedRole, uint256 assignedRole) private {
-		// assign the role to the operator
-		userRoles[operator] = assignedRole;
-		// fire an event
-		emit RoleUpdated(operator, requestedRole, assignedRole);
-	}
-	/**
-	 * @dev Checks if role `actual` contains all the permissions required `required`
-	 *
-	 * @param actual existent role
-	 * @param required required role
-	 * @return true if actual has required role (all permissions), false otherwise
-	 */
-	function __hasRole(uint256 actual, uint256 required) private pure returns (bool) {
-		// check the bitmask for the role required and return the result
-		return actual & required == required;
+		// delegate to internal `_isOperatorInRole`
+		return _isOperatorInRole(operator, required);
 	}
 }

package/contracts/AccessControlCore.sol ADDED Viewed

@@ -0,0 +1,353 @@
+// SPDX-License-Identifier: MIT
+// custom errors (0.8.4)
+// require with message (0.4.22)
+// pure/view modifiers (0.4.16)
+// hardhat (0.4.11)
+pragma solidity >=0.8.4;
+/**
+ * @title Role-based Access Control Core (RBAC-C)
+ *
+ * @notice Access control smart contract provides an API to check
+ *      if a specific operation is permitted globally and/or
+ *      if a particular user has a permission to execute it.
+ *
+ * @notice This contract is inherited by other contracts requiring the role-based access control (RBAC)
+ *      protection for the restricted access functions
+ *
+ * @notice It deals with two main entities: features and roles.
+ *
+ * @notice Features are designed to be used to enable/disable public functions
+ *      of the smart contract (used by a wide audience).
+ * @notice User roles are designed to control the access to restricted functions
+ *      of the smart contract (used by a limited set of maintainers).
+ *
+ * @notice Terms "role", "permissions" and "set of permissions" have equal meaning
+ *      in the documentation text and may be used interchangeably.
+ * @notice Terms "permission", "single permission" implies only one permission bit set.
+ *
+ * @notice Access manager is a special role which allows to grant/revoke other roles.
+ *      Access managers can only grant/revoke permissions which they have themselves.
+ *      As an example, access manager with no other roles set can only grant/revoke its own
+ *      access manager permission and nothing else.
+ *
+ * @notice Access manager permission should be treated carefully, as a super admin permission:
+ *      Access manager with even no other permission can interfere with another account by
+ *      granting own access manager permission to it and effectively creating more powerful
+ *      permission set than its own.
+ *
+ * @dev Both current and OpenZeppelin AccessControl implementations feature a similar API
+ *      to check/know "who is allowed to do this thing".
+ * @dev Zeppelin implementation is more flexible:
+ *      - it allows setting unlimited number of roles, while current is limited to 256 different roles
+ *      - it allows setting an admin for each role, while current allows having only one global admin
+ * @dev Current implementation is more lightweight:
+ *      - it uses only 1 bit per role, while Zeppelin uses 256 bits
+ *      - it allows setting up to 256 roles at once, in a single transaction, while Zeppelin allows
+ *        setting only one role in a single transaction
+ *
+ * @dev This smart contract is designed to be inherited by other
+ *      smart contracts which require access control management capabilities.
+ *
+ * @dev Access manager permission has a bit 255 set.
+ *      This bit must not be used by inheriting contracts for any other permissions/features.
+ *
+ * @dev The 'core' version of the RBAC contract hides three rarely used external functions from the public ABI,
+ *      making them internal and thus reducing the overall compiled implementation size.
+ *      isFeatureEnabled() public -> _isFeatureEnabled() internal
+ *      isSenderInRole() public -> _isSenderInRole() internal
+ *      isOperatorInRole() public -> _isOperatorInRole() internal
+ *
+ * @custom:since 1.1.0
+ *
+ * @author Basil Gorin
+ */
+abstract contract AccessControlCore {
+	/**
+	 * @dev Privileged addresses with defined roles/permissions
+	 * @dev In the context of ERC20/ERC721 tokens these can be permissions to
+	 *      allow minting or burning tokens, transferring on behalf and so on
+	 *
+	 * @dev Maps user address to the permissions bitmask (role), where each bit
+	 *      represents a permission
+	 * @dev Bitmask 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+	 *      represents all possible permissions
+	 * @dev 'This' address mapping represents global features of the smart contract
+	 *
+	 * @dev We keep the mapping private to prevent direct writes to it from the inheriting
+	 *      contracts, `getRole()` and `updateRole()` functions should be used instead
+	 */
+	mapping(address => uint256) private userRoles;
+	/**
+	 * @notice Access manager is responsible for assigning the roles to users,
+	 *      enabling/disabling global features of the smart contract
+	 * @notice Access manager can add, remove and update user roles,
+	 *      remove and update global features
+	 *
+	 * @dev Role ROLE_ACCESS_MANAGER allows modifying user roles and global features
+	 * @dev Role ROLE_ACCESS_MANAGER has single bit at position 255 enabled
+	 */
+	uint256 public constant ROLE_ACCESS_MANAGER = 0x8000000000000000000000000000000000000000000000000000000000000000;
+	/**
+	 * @dev Bitmask representing all the possible permissions (super admin role)
+	 * @dev Has all the bits are enabled (2^256 - 1 value)
+	 */
+	uint256 internal constant FULL_PRIVILEGES_MASK = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF;
+	/**
+	 * @notice Thrown when a function is executed by an account that does not have
+	 *      the required access permission(s) (role)
+	 *
+	 * @dev This error is used to enforce role-based access control (RBAC) restrictions
+	 */
+	error AccessDenied();
+	/**
+	 * @dev Fired in updateRole() and updateFeatures()
+	 *
+	 * @param operator address which was granted/revoked permissions
+	 * @param requested permissions requested
+	 * @param assigned permissions effectively set
+	 */
+	event RoleUpdated(address indexed operator, uint256 requested, uint256 assigned);
+	/**
+	 * @notice Function modifier making a function defined as public behave as restricted
+	 *      (so that only a pre-configured set of accounts can execute it)
+	 *
+	 * @param role the role transaction executor is required to have;
+	 *      the function throws an "access denied" exception if this condition is not met
+	 */
+	modifier restrictedTo(uint256 role) {
+		// verify the access permission
+		_requireSenderInRole(role);
+		// execute the rest of the function
+		_;
+	}
+	/**
+	 * @notice Creates an access control instance, setting the contract owner to have full privileges
+	 *
+	 * @param _owner smart contract owner having full privileges, can be zero
+	 * @param _features initial features mask of the contract, can be zero
+	 */
+	constructor(address _owner, uint256 _features) { // visibility modifier is required to be compilable with 0.6.x
+		// grant owner full privileges
+		__setRole(_owner, FULL_PRIVILEGES_MASK, FULL_PRIVILEGES_MASK);
+		// update initial features bitmask
+		__setRole(address(this), _features, _features);
+	}
+	/**
+	 * @notice Retrieves globally set of features enabled
+	 *
+	 * @dev Effectively reads userRoles role for the contract itself
+	 *
+	 * @return 256-bit bitmask of the features enabled
+	 */
+	function features() public view returns (uint256) {
+		// features are stored in 'this' address mapping of `userRoles`
+		return getRole(address(this));
+	}
+	/**
+	 * @notice Updates set of the globally enabled features (`features`),
+	 *      taking into account sender's permissions
+	 *
+	 * @dev Requires transaction sender to have `ROLE_ACCESS_MANAGER` permission
+	 * @dev Function is left for backward compatibility with older versions
+	 *
+	 * @param _mask bitmask representing a set of features to enable/disable
+	 */
+	function updateFeatures(uint256 _mask) public {
+		// delegate call to `updateRole`
+		updateRole(address(this), _mask);
+	}
+	/**
+	 * @notice Reads the permissions (role) for a given user from the `userRoles` mapping
+	 *      (privileged addresses with defined roles/permissions)
+	 * @notice In the context of ERC20/ERC721 tokens these can be permissions to
+	 *      allow minting or burning tokens, transferring on behalf and so on
+	 *
+	 * @dev Having a simple getter instead of making the mapping public
+	 *      allows enforcing the encapsulation of the mapping and protects from
+	 *      writing to it directly in the inheriting smart contracts
+	 *
+	 * @param operator address of a user to read permissions for,
+	 *      or self address to read global features of the smart contract
+	 */
+	function getRole(address operator) public view returns(uint256) {
+		// read the value from `userRoles` and return
+		return userRoles[operator];
+	}
+	/**
+	 * @notice Updates set of permissions (role) for a given user,
+	 *      taking into account sender's permissions.
+	 *
+	 * @dev Setting role to zero is equivalent to removing an all permissions
+	 * @dev Setting role to `FULL_PRIVILEGES_MASK` is equivalent to
+	 *      copying senders' permissions (role) to the user
+	 * @dev Requires transaction sender to have `ROLE_ACCESS_MANAGER` permission
+	 *
+	 * @param operator address of a user to alter permissions for,
+	 *       or self address to alter global features of the smart contract
+	 * @param role bitmask representing a set of permissions to
+	 *      enable/disable for a user specified
+	 */
+	function updateRole(address operator, uint256 role) public {
+		// caller must have a permission to update user roles
+		_requireSenderInRole(ROLE_ACCESS_MANAGER);
+		// evaluate the role and reassign it
+		__setRole(operator, role, _evaluateBy(msg.sender, getRole(operator), role));
+	}
+	/**
+	 * @notice Determines the permission bitmask an operator can set on the
+	 *      target permission set
+	 * @notice Used to calculate the permission bitmask to be set when requested
+	 *     in `updateRole` and `updateFeatures` functions
+	 *
+	 * @dev Calculated based on:
+	 *      1) operator's own permission set read from userRoles[operator]
+	 *      2) target permission set - what is already set on the target
+	 *      3) desired permission set - what do we want set target to
+	 *
+	 * @dev Corner cases:
+	 *      1) Operator is super admin and its permission set is `FULL_PRIVILEGES_MASK`:
+	 *        `desired` bitset is returned regardless of the `target` permission set value
+	 *        (what operator sets is what they get)
+	 *      2) Operator with no permissions (zero bitset):
+	 *        `target` bitset is returned regardless of the `desired` value
+	 *        (operator has no authority and cannot modify anything)
+	 *
+	 * @dev Example:
+	 *      Consider an operator with the permissions bitmask     00001111
+	 *      is about to modify the target permission set          01010101
+	 *      Operator wants to set that permission set to          00110011
+	 *      Based on their role, an operator has the permissions
+	 *      to update only lowest 4 bits on the target, meaning that
+	 *      high 4 bits of the target set in this example is left
+	 *      unchanged and low 4 bits get changed as desired:      01010011
+	 *
+	 * @param operator address of the contract operator which is about to set the permissions
+	 * @param target input set of permissions to operator is going to modify
+	 * @param desired desired set of permissions operator would like to set
+	 * @return resulting set of permissions given operator will set
+	 */
+	function _evaluateBy(address operator, uint256 target, uint256 desired) internal view returns (uint256) {
+		// read operator's permissions
+		uint256 p = getRole(operator);
+		// taking into account operator's permissions,
+		// 1) enable the permissions desired on the `target`
+		target |= p & desired;
+		// 2) disable the permissions desired on the `target`
+		target &= FULL_PRIVILEGES_MASK ^ (p & (FULL_PRIVILEGES_MASK ^ desired));
+		// return calculated result
+		return target;
+	}
+	/**
+	 * @notice Ensures that the transaction sender has the required access permission(s) (role)
+	 *
+	 * @dev Reverts with an `AccessDenied` error if the sender does not have the required role
+	 *
+	 * @param required the set of permissions (role) that the transaction sender is required to have
+	 */
+	function _requireSenderInRole(uint256 required) internal view {
+		// check if the transaction has the required permission(s),
+		// reverting with the "access denied" error if not
+		_requireAccessCondition(_isSenderInRole(required));
+	}
+	/**
+	 * @notice Ensures that a specific condition is met
+	 *
+	 * @dev Reverts with an `AccessDenied` error if the condition is not met
+	 *
+	 * @param condition the condition that needs to be true for the function to proceed
+	 */
+	function _requireAccessCondition(bool condition) internal pure {
+		// check if the condition holds
+		if(!condition) {
+			// revert with the "access denied" error if not
+			revert AccessDenied();
+		}
+	}
+	/**
+	 * @notice Checks if requested set of features is enabled globally on the contract
+	 *
+	 * @param required set of features to check against
+	 * @return true if all the features requested are enabled, false otherwise
+	 */
+	function _isFeatureEnabled(uint256 required) internal view returns (bool) {
+		// delegate call to `__hasRole`, passing `features` property
+		return __hasRole(features(), required);
+	}
+	/**
+	 * @notice Checks if transaction sender `msg.sender` has all the permissions required
+	 *
+	 * @param required set of permissions (role) to check against
+	 * @return true if all the permissions requested are enabled, false otherwise
+	 */
+	function _isSenderInRole(uint256 required) internal view returns (bool) {
+		// delegate call to `isOperatorInRole`, passing transaction sender
+		return _isOperatorInRole(msg.sender, required);
+	}
+	/**
+	 * @notice Checks if operator has all the permissions (role) required
+	 *
+	 * @param operator address of the user to check role for
+	 * @param required set of permissions (role) to check
+	 * @return true if all the permissions requested are enabled, false otherwise
+	 */
+	function _isOperatorInRole(address operator, uint256 required) internal view returns (bool) {
+		// delegate call to `__hasRole`, passing operator's permissions (role)
+		return __hasRole(getRole(operator), required);
+	}
+	/**
+	 * @dev Sets the `assignedRole` role to the operator, logs both `requestedRole` and `actualRole`
+	 *
+	 * @dev Unsafe:
+	 *      provides direct write access to `userRoles` mapping without any security checks,
+	 *      doesn't verify the executor (msg.sender) permissions,
+	 *      must be kept private at all times
+	 *
+	 * @param operator address of a user to alter permissions for,
+	 *       or self address to alter global features of the smart contract
+	 * @param requestedRole bitmask representing a set of permissions requested
+	 *      to be enabled/disabled for a user specified, used only to be logged into event
+	 * @param assignedRole bitmask representing a set of permissions to
+	 *      enable/disable for a user specified, used to update the mapping and to be logged into event
+	 */
+	function __setRole(address operator, uint256 requestedRole, uint256 assignedRole) private {
+		// assign the role to the operator
+		userRoles[operator] = assignedRole;
+		// fire an event
+		emit RoleUpdated(operator, requestedRole, assignedRole);
+	}
+	/**
+	 * @dev Checks if role `actual` contains all the permissions required `required`
+	 *
+	 * @param actual existent role
+	 * @param required required role
+	 * @return true if actual has required role (all permissions), false otherwise
+	 */
+	function __hasRole(uint256 actual, uint256 required) private pure returns (bool) {
+		// check the bitmask for the role required and return the result
+		return actual & required == required;
+	}
+}

package/contracts/AdapterFactory.sol CHANGED Viewed

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity >=0.6.2;
+pragma solidity >=0.8.4;
 import "./OwnableToAccessControlAdapter.sol";

package/contracts/OwnableToAccessControlAdapter.sol CHANGED Viewed

@@ -1,5 +1,7 @@
 // SPDX-License-Identifier: MIT
-pragma solidity >=0.6.2; // breaking changes in .call() (0.5.0), allow .call{}() (0.6.2)
+// breaking changes in .call() (0.5.0)
+// allow .call{}() (0.6.2)
+pragma solidity >=0.8.4;
 import "./AccessControl.sol";
@@ -63,7 +65,7 @@ import "./AccessControl.sol";
  *
  * @author Basil Gorin
  */
-contract OwnableToAccessControlAdapter is AccessControl {
+contract OwnableToAccessControlAdapter is AccessControlCore {
 	/**
 	 * @dev Target OZ Ownable contract AccessControl Adapter executes the transactions on
 	 *
@@ -111,7 +113,7 @@ contract OwnableToAccessControlAdapter is AccessControl {
 	 * @param _target target OZ Ownable contract address
 	 * @param _owner smart contract owner having full privileges
 	 */
-	constructor(address _target, address _owner) public AccessControl(_owner, 0) {
+	constructor(address _target, address _owner) AccessControlCore(_owner, 0) { // visibility modifier is required to be compilable with 0.6.x
 		// verify the inputs
 		require(_target != address(0), "zero address");
@@ -148,7 +150,7 @@ contract OwnableToAccessControlAdapter is AccessControl {
 	 */
 	function updateAccessRole(bytes4 selector, uint256 role) public {
 		// verify the access permission
-		require(isSenderInRole(ROLE_ACCESS_ROLES_MANAGER), "access denied");
+		_requireSenderInRole(ROLE_ACCESS_ROLES_MANAGER);
 		// update the function access role
 		accessRoles[selector] = role;
@@ -190,7 +192,7 @@ contract OwnableToAccessControlAdapter is AccessControl {
 			require(roleRequired != 0, "access role not set");
 			// verify the access permission
-			require(isSenderInRole(roleRequired), "access denied");
+			_requireSenderInRole(roleRequired);
 		}
 		// execute the call on the target

package/contracts/mocks/AccessControlMock.sol CHANGED Viewed

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity >=0.4.22;
+pragma solidity >=0.8.4;
 import "../AccessControl.sol";
@@ -11,4 +11,10 @@ contract AccessControlMock is AccessControl {
 	function restricted() public restrictedTo(RESTRICTED_ROLE) {
 		emit Restricted();
 	}
+	function requireSenderInRole(uint256 required) public view {
+		_requireSenderInRole(required);
+	}
+	function requireAccessCondition(bool condition) public pure {
+		_requireAccessCondition(condition);
+	}
 }

package/hardhat.config.js CHANGED Viewed

@@ -1,6 +1,6 @@
 /**
  * default Hardhat configuration which uses account mnemonic to derive accounts
- * script expects following environment variables to be set:
+ * script supports the following environment variables set:
  *   - P_KEY1 – mainnet private key, should start with 0x
  *     or
  *   - MNEMONIC1 – mainnet mnemonic, 12 words
@@ -53,6 +53,10 @@
  *     or
  *   - MNEMONIC84532 – Base Sepolia (testnet) Optimistic Rollup (L2) mnemonic, 12 words
  *
+ *   - P_KEY – Custom network (defined by its JSON-RPC) private key, should start with 0x
+ *     or
+ *   - MNEMONIC – Custom network (defined by its JSON-RPC) mnemonic, 12 words
+ *
  *   - ALCHEMY_KEY – Alchemy API key
  *     or
  *   - INFURA_KEY – Infura API key (Project ID)
@@ -85,6 +89,13 @@ require("hardhat-gas-reporter");
 // https://www.npmjs.com/package/hardhat-deploy
 require("hardhat-deploy");
+// automatically generate TypeScript bindings for smart contracts while using Hardhat
+// TypeScript bindings help IDEs to properly recognize compiled contracts' ABIs
+// https://github.com/dethcrypto/TypeChain/tree/master/packages/hardhat
+// npm install -D typechain @typechain/hardhat @typechain/truffle-v5
+// run: npx hardhat typechain
+// require("@typechain/hardhat");
 // verify environment setup, display warning if required, replace missing values with fakes
 const FAKE_MNEMONIC = "test test test test test test test test test test test junk";
 if(!process.env.MNEMONIC1 && !process.env.P_KEY1) {
@@ -185,19 +196,26 @@ else if(process.env.P_KEY84531 && !process.env.P_KEY84531.startsWith("0x")) {
 }
 if(!process.env.MNEMONIC84532 && !process.env.P_KEY84532) {
 	console.warn("neither MNEMONIC84532 nor P_KEY84532 is not set. Base Sepolia (testnet) deployments won't be available");
-	process.env.MNEMONIC84531 = FAKE_MNEMONIC;
+	process.env.MNEMONIC84532 = FAKE_MNEMONIC;
 }
 else if(process.env.P_KEY84532 && !process.env.P_KEY84532.startsWith("0x")) {
 	console.warn("P_KEY84532 doesn't start with 0x. Appended 0x");
 	process.env.P_KEY84532 = "0x" + process.env.P_KEY84532;
 }
+if(!process.env.MNEMONIC && !process.env.P_KEY) {
+	process.env.MNEMONIC = FAKE_MNEMONIC;
+}
+else if(process.env.P_KEY && !process.env.P_KEY.startsWith("0x")) {
+	console.warn("P_KEY doesn't start with 0x. Appended 0x");
+	process.env.P_KEY = "0x" + process.env.P_KEY;
+}
 if(!process.env.INFURA_KEY && !process.env.ALCHEMY_KEY) {
 	console.warn("neither INFURA_KEY nor ALCHEMY_KEY is not set. Deployments may not be available");
 	process.env.INFURA_KEY = "";
 	process.env.ALCHEMY_KEY = "";
 }
 if(!process.env.ETHERSCAN_KEY) {
-	console.warn("ETHERSCAN_KEY is not set. Deployed smart contract code verification won't be available");
+	console.warn("ETHERSCAN_KEY is not set. Deployed smart contract code verification won't be available on etherscan");
 	process.env.ETHERSCAN_KEY = "";
 }
 if(!process.env.POLYSCAN_KEY) {
@@ -210,6 +228,7 @@ if(!process.env.BSCSCAN_KEY) {
 }
 if(!process.env.BASESCAN_KEY) {
 	console.warn("BASESCAN_KEY is not set. Deployed smart contract code verification won't be available on BaseScan");
+	process.env.BASESCAN_KEY = "";
 }
 /**
@@ -303,6 +322,10 @@ module.exports = {
 			url: get_endpoint_url("base_sepolia"),
 			accounts: get_accounts(process.env.P_KEY84532, process.env.MNEMONIC84532),
 		},
+		custom: {
+			url: get_endpoint_url(),
+			accounts: get_accounts(process.env.P_KEY, process.env.MNEMONIC),
+		},
 	},
 	// Configure Solidity compiler
@@ -348,6 +371,12 @@ module.exports = {
 		]
 	},
+	// configure typechain to generate Truffle v5 bindings
+	typechain: {
+		outDir: "typechain",
+		target: "truffle-v5",
+	},
 	// Set default mocha options here, use special reporters etc.
 	mocha: {
 		// timeout: 100000,
@@ -424,12 +453,12 @@ function get_endpoint_url(network_name) {
 	// create a key: https://www.alchemy.com/
 	if(process.env.ALCHEMY_KEY) {
 		switch(network_name) {
-			case "mainnet": return "https://eth-mainnet.alchemyapi.io/v2/" + process.env.ALCHEMY_KEY;
-			case "ropsten": return "https://eth-ropsten.alchemyapi.io/v2/" + process.env.ALCHEMY_KEY;
-			case "rinkeby": return "https://eth-rinkeby.alchemyapi.io/v2/" + process.env.ALCHEMY_KEY;
-			case "kovan": return "https://eth-kovan.alchemyapi.io/v2/" + process.env.ALCHEMY_KEY;
-			case "goerli": return "https://eth-goerli.alchemyapi.io/v2/" + process.env.ALCHEMY_KEY;
-			case "sepolia": return "https://eth-sepolia.alchemyapi.io/v2/" + process.env.ALCHEMY_KEY;
+			case "mainnet": return "https://eth-mainnet.g.alchemyapi.io/v2/" + process.env.ALCHEMY_KEY;
+			case "ropsten": return "https://eth-ropsten.g.alchemyapi.io/v2/" + process.env.ALCHEMY_KEY;
+			case "rinkeby": return "https://eth-rinkeby.g.alchemyapi.io/v2/" + process.env.ALCHEMY_KEY;
+			case "kovan": return "https://eth-kovan.g.alchemyapi.io/v2/" + process.env.ALCHEMY_KEY;
+			case "goerli": return "https://eth-goerli.g.alchemyapi.io/v2/" + process.env.ALCHEMY_KEY;
+			case "sepolia": return "https://eth-sepolia.g.alchemyapi.io/v2/" + process.env.ALCHEMY_KEY;
 			case "polygon": return "https://polygon-mainnet.g.alchemy.com/v2/" + process.env.ALCHEMY_KEY;
 			case "mumbai": return "https://polygon-mumbai.g.alchemy.com/v2/" + process.env.ALCHEMY_KEY;
 			case "base_mainnet": return "https://base-mainnet.g.alchemy.com/v2/" + process.env.ALCHEMY_KEY;

package/index.js CHANGED Viewed

@@ -9,6 +9,9 @@ const {
 	not,
 } = require("./scripts/include/features_roles");
+// RBAC behaviours
+const {behavesLikeRBAC} = require("./test/include/rbac.behaviour");
 // Re-export the functions
 module.exports = {
 	ROLE_ACCESS_MANAGER,
@@ -16,4 +19,5 @@ module.exports = {
 	FULL_PRIVILEGES_MASK,
 	or,
 	not,
+	behavesLikeRBAC,
 };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@lazy-sol/access-control",
-  "version": "1.0.5",
+  "version": "1.1.0",
   "description": "Enable the modular plug and play (PnP) architecture for your dapp by incorporating the role-based access control (RBAC) into the smart contracts",
   "main": "index.js",
   "scripts": {
@@ -22,18 +22,22 @@
   "author": "Basil Gorin",
   "license": "MIT",
   "dependencies": {
-    "@lazy-sol/a-missing-gem": "^1.0.4",
+    "@lazy-sol/a-missing-gem": "^1.0.9",
     "@nomiclabs/hardhat-truffle5": "^2.0.7",
-    "hardhat": "^2.22.4",
+    "hardhat": "^2.22.9",
     "hardhat-deploy": "^0.11.45"
   },
   "devDependencies": {
-    "@lazy-sol/zeppelin-test-helpers": "^1.0.0",
+    "@lazy-sol/zeppelin-test-helpers": "^1.0.5",
     "hardhat-gas-reporter": "^1.0.10",
-    "solidity-coverage": "^0.8.12"
+    "solidity-coverage": "^0.8.13"
   },
   "overrides": {
+    "axios": ">=1.7.5",
+    "micromatch": "^4.0.8",
+    "tar": "^6.2.1",
     "tough-cookie": "^4.1.3",
-    "yargs-parser": "^5.0.1"
+    "yargs-parser": "^5.0.1",
+    "ws": "^8.0.0"
   }
 }

package/test/include/rbac.behaviour.js CHANGED Viewed

@@ -15,16 +15,17 @@ const {
 	MAX_UINT256,
 } = constants;
-// BN utils
+// BN constants and utilities
 const {
 	random_bn255,
 	random_bn256,
-} = require("@lazy-sol/a-missing-gem/bn_utils");
+} = require("@lazy-sol/a-missing-gem");
 // RBAC core features and roles
 const {
 	not,
-	ROLE_ACCESS_MANAGER, FULL_PRIVILEGES_MASK,
+	ROLE_ACCESS_MANAGER,
+	FULL_PRIVILEGES_MASK,
 } = require("../../scripts/include/features_roles");
 /**
@@ -40,6 +41,18 @@ function behavesLikeRBAC(deployment_fn, a0, a1, a2) {
 	const by = a1;
 	const to = a2;
+	describe("requireAccessCondition(condition) pure function", function() {
+		let access_control;
+		beforeEach(async function() {
+			access_control = await deployment_fn.call(this, a0, ZERO_ADDRESS, 0);
+		});
+		it("throws if condition is false", async function() {
+			await expectRevert(access_control.requireAccessCondition(false, {from: a0}), "AccessDenied()");
+		});
+		it("succeeds if condition is true", async function() {
+			await access_control.requireAccessCondition(true, {from: a0});
+		});
+	});
 	describe("deployment and initial state", function() {
 		function deploy_and_check(owner, features) {
 			let access_control;
@@ -81,7 +94,7 @@ function behavesLikeRBAC(deployment_fn, a0, a1, a2) {
 			deploy_and_check(a1, random_bn256());
 		});
 	});
-	describe("when deployed with not initial features", function() {
+	describe("when deployed with no initial features", function() {
 		let access_control;
 		beforeEach(async function() {
 			access_control = await deployment_fn.call(this, a0);
@@ -92,7 +105,7 @@ function behavesLikeRBAC(deployment_fn, a0, a1, a2) {
 				beforeEach(async function() {
 					await access_control.updateRole(by, ROLE_ACCESS_MANAGER, {from: a0});
 				});
-				describe("when ACCESS_MANAGER has full set of permissions", function() {
+				describe("when ACCESS_MANAGER has the full set of permissions", function() {
 					beforeEach(async function() {
 						await access_control.updateRole(by, MAX_UINT256, {from: a0});
 					});
@@ -271,6 +284,7 @@ function behavesLikeRBAC(deployment_fn, a0, a1, a2) {
 					it("operator becomes an ACCESS_MANAGER", async function() {
 						expect(await access_control.isOperatorInRole(to, ROLE_ACCESS_MANAGER), "operator").to.be.true;
 						expect(await access_control.isSenderInRole(ROLE_ACCESS_MANAGER, {from: to}), "sender").to.be.true;
+						await access_control.requireSenderInRole(ROLE_ACCESS_MANAGER, {from: to});
 					});
 				});
 				describe("when ACCESS_MANAGER revokes ACCESS_MANAGER permission from itself", function() {
@@ -280,15 +294,16 @@ function behavesLikeRBAC(deployment_fn, a0, a1, a2) {
 					it("operator ceases to be an ACCESS_MANAGER", async function() {
 						expect(await access_control.isOperatorInRole(by, ROLE_ACCESS_MANAGER), "operator").to.be.false;
 						expect(await access_control.isSenderInRole(ROLE_ACCESS_MANAGER, {from: by}), "sender").to.be.false;
+						await expectRevert(access_control.requireSenderInRole(ROLE_ACCESS_MANAGER, {from: to}), "AccessDenied()");
 					});
 				});
 			});
 			describe("otherwise (no ACCESS_MANAGER permission)", function() {
 				it("updateFeatures reverts", async function() {
-					await expectRevert(access_control.updateFeatures(1, {from: by}), "access denied");
+					await expectRevert(access_control.updateFeatures(1, {from: by}), "AccessDenied()");
 				});
 				it("updateRole reverts", async function() {
-					await expectRevert(access_control.updateRole(to, 1, {from: by}), "access denied");
+					await expectRevert(access_control.updateRole(to, 1, {from: by}), "AccessDenied()");
 				});
 			});
 		}

package/test/ownable_to_rbac_adapter.js CHANGED Viewed

@@ -72,7 +72,7 @@ contract("OwnableToAccessControlAdapter tests", function(accounts) {
 					from: a1,
 					to: adapter.address,
 					data: target.contract.methods.transferOwnership(a2).encodeABI(),
-				}), "access denied");
+				}), "AccessDenied()");
 			});
 			describe("once an account has authorization to execute transferOwnership function", function() {
 				beforeEach(async function() {

package/test/ownable_to_rbac_adapter_rbac.js CHANGED Viewed

@@ -43,12 +43,12 @@ contract("OwnableToAccessControlAdapter: RBAC tests", function(accounts) {
 			({target, adapter} = await deploy_ownable_to_ac_adapter(a0));
 		});
-		it("it is impossible to configure the access role from unauthorized account", async function() {
+		it("it is impossible to configure the access role from an unauthorized account", async function() {
 			const operator = a1;
 			await adapter.updateRole(operator, not(ROLE_ACCESS_ROLES_MANAGER), {from: a0});
-			await expectRevert(adapter.updateAccessRole("1", 1, {from: operator}), "access denied");
+			await expectRevert(adapter.updateAccessRole("1", 1, {from: operator}), "AccessDenied()");
 		});
-		it("it is possible to configure the access role from authorized account", async function() {
+		it("it is possible to configure the access role from the authorized account", async function() {
 			const operator = a1;
 			await adapter.updateRole(operator, ROLE_ACCESS_ROLES_MANAGER, {from: a0});
 			adapter.updateAccessRole("1", 1, {from: operator});

package/test/rbac_modifier.js CHANGED Viewed

@@ -38,7 +38,7 @@ contract('AccessControl (RBAC) "restrictedTo" Modifier tests', function(accounts
 			access_control = await deploy_access_control(a0);
 		});
 		it("function protected with restrictedTo modifier fails when run not by an admin", async function() {
-			await expectRevert(access_control.restricted({from: a1}), "access denied");
+			await expectRevert(access_control.restricted({from: a1}), "AccessDenied()");
 		});
 		describe("function protected with restrictedTo modifier succeeds when run by admin", async function() {
 			let receipt;