@lazy-sol/access-control 1.0.6 → 1.1.1

package/contracts/AccessControl.sol

@@ -1,5 +1,11 @@
 // SPDX-License-Identifier: MIT
-pragma solidity >=0.4.22; // require with message (0.4.22), pure/view modifiers (0.4.16), hardhat (0.4.11)
+// custom errors (0.8.4)
+// require with message (0.4.22)
+// pure/view modifiers (0.4.16)
+// hardhat (0.4.11)
+pragma solidity >=0.8.4;
+
+import "./AccessControlCore.sol";
 
 /**
  * @title Role-based Access Control (RBAC)
@@ -50,189 +56,14 @@ pragma solidity >=0.4.22; // require with message (0.4.22), pure/view modifiers
  *
  * @author Basil Gorin
  */
-abstract contract AccessControl {
-	/**
-	 * @dev Privileged addresses with defined roles/permissions
-	 * @dev In the context of ERC20/ERC721 tokens these can be permissions to
-	 *      allow minting or burning tokens, transferring on behalf and so on
-	 *
-	 * @dev Maps user address to the permissions bitmask (role), where each bit
-	 *      represents a permission
-	 * @dev Bitmask 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
-	 *      represents all possible permissions
-	 * @dev 'This' address mapping represents global features of the smart contract
-	 *
-	 * @dev We keep the mapping private to prevent direct writes to it from the inheriting
-	 *      contracts, `getRole()` and `updateRole()` functions should be used instead
-	 */
-	mapping(address => uint256) private userRoles;
-
-	/**
-	 * @notice Access manager is responsible for assigning the roles to users,
-	 *      enabling/disabling global features of the smart contract
-	 * @notice Access manager can add, remove and update user roles,
-	 *      remove and update global features
-	 *
-	 * @dev Role ROLE_ACCESS_MANAGER allows modifying user roles and global features
-	 * @dev Role ROLE_ACCESS_MANAGER has single bit at position 255 enabled
-	 */
-	uint256 public constant ROLE_ACCESS_MANAGER = 0x8000000000000000000000000000000000000000000000000000000000000000;
-
-	/**
-	 * @dev Bitmask representing all the possible permissions (super admin role)
-	 * @dev Has all the bits are enabled (2^256 - 1 value)
-	 */
-	uint256 internal constant FULL_PRIVILEGES_MASK = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF;
-
-	/**
-	 * @dev Fired in updateRole() and updateFeatures()
-	 *
-	 * @param operator address which was granted/revoked permissions
-	 * @param requested permissions requested
-	 * @param assigned permissions effectively set
-	 */
-	event RoleUpdated(address indexed operator, uint256 requested, uint256 assigned);
-
-	/**
-	 * @notice Function modifier making a function defined as public behave as restricted
-	 *      (so that only a pre-configured set of accounts can execute it)
-	 *
-	 * @param role the role transaction executor is required to have;
-	 *      the function throws an "access denied" exception if this condition is not met
-	 */
-	modifier restrictedTo(uint256 role) {
-		// verify the access permission
-		require(isSenderInRole(role), "access denied");
-
-		// execute the rest of the function
-		_;
-	}
-
+abstract contract AccessControl is AccessControlCore {
 	/**
 	 * @notice Creates an access control instance, setting the contract owner to have full privileges
 	 *
 	 * @param _owner smart contract owner having full privileges, can be zero
 	 * @param _features initial features mask of the contract, can be zero
 	 */
-	constructor(address _owner, uint256 _features) internal { // visibility modifier is required to be compilable with 0.6.x
-		// grant owner full privileges
-		__setRole(_owner, FULL_PRIVILEGES_MASK, FULL_PRIVILEGES_MASK);
-		// update initial features bitmask
-		__setRole(address(this), _features, _features);
-	}
-
-	/**
-	 * @notice Retrieves globally set of features enabled
-	 *
-	 * @dev Effectively reads userRoles role for the contract itself
-	 *
-	 * @return 256-bit bitmask of the features enabled
-	 */
-	function features() public view returns (uint256) {
-		// features are stored in 'this' address mapping of `userRoles`
-		return getRole(address(this));
-	}
-
-	/**
-	 * @notice Updates set of the globally enabled features (`features`),
-	 *      taking into account sender's permissions
-	 *
-	 * @dev Requires transaction sender to have `ROLE_ACCESS_MANAGER` permission
-	 * @dev Function is left for backward compatibility with older versions
-	 *
-	 * @param _mask bitmask representing a set of features to enable/disable
-	 */
-	function updateFeatures(uint256 _mask) public {
-		// delegate call to `updateRole`
-		updateRole(address(this), _mask);
-	}
-
-	/**
-	 * @notice Reads the permissions (role) for a given user from the `userRoles` mapping
-	 *      (privileged addresses with defined roles/permissions)
-	 * @notice In the context of ERC20/ERC721 tokens these can be permissions to
-	 *      allow minting or burning tokens, transferring on behalf and so on
-	 *
-	 * @dev Having a simple getter instead of making the mapping public
-	 *      allows enforcing the encapsulation of the mapping and protects from
-	 *      writing to it directly in the inheriting smart contracts
-	 *
-	 * @param operator address of a user to read permissions for,
-	 *      or self address to read global features of the smart contract
-	 */
-	function getRole(address operator) public view returns(uint256) {
-		// read the value from `userRoles` and return
-		return userRoles[operator];
-	}
-
-	/**
-	 * @notice Updates set of permissions (role) for a given user,
-	 *      taking into account sender's permissions.
-	 *
-	 * @dev Setting role to zero is equivalent to removing an all permissions
-	 * @dev Setting role to `FULL_PRIVILEGES_MASK` is equivalent to
-	 *      copying senders' permissions (role) to the user
-	 * @dev Requires transaction sender to have `ROLE_ACCESS_MANAGER` permission
-	 *
-	 * @param operator address of a user to alter permissions for,
-	 *       or self address to alter global features of the smart contract
-	 * @param role bitmask representing a set of permissions to
-	 *      enable/disable for a user specified
-	 */
-	function updateRole(address operator, uint256 role) public {
-		// caller must have a permission to update user roles
-		require(isSenderInRole(ROLE_ACCESS_MANAGER), "access denied");
-
-		// evaluate the role and reassign it
-		__setRole(operator, role, _evaluateBy(msg.sender, getRole(operator), role));
-	}
-
-	/**
-	 * @notice Determines the permission bitmask an operator can set on the
-	 *      target permission set
-	 * @notice Used to calculate the permission bitmask to be set when requested
-	 *     in `updateRole` and `updateFeatures` functions
-	 *
-	 * @dev Calculated based on:
-	 *      1) operator's own permission set read from userRoles[operator]
-	 *      2) target permission set - what is already set on the target
-	 *      3) desired permission set - what do we want set target to
-	 *
-	 * @dev Corner cases:
-	 *      1) Operator is super admin and its permission set is `FULL_PRIVILEGES_MASK`:
-	 *        `desired` bitset is returned regardless of the `target` permission set value
-	 *        (what operator sets is what they get)
-	 *      2) Operator with no permissions (zero bitset):
-	 *        `target` bitset is returned regardless of the `desired` value
-	 *        (operator has no authority and cannot modify anything)
-	 *
-	 * @dev Example:
-	 *      Consider an operator with the permissions bitmask     00001111
-	 *      is about to modify the target permission set          01010101
-	 *      Operator wants to set that permission set to          00110011
-	 *      Based on their role, an operator has the permissions
-	 *      to update only lowest 4 bits on the target, meaning that
-	 *      high 4 bits of the target set in this example is left
-	 *      unchanged and low 4 bits get changed as desired:      01010011
-	 *
-	 * @param operator address of the contract operator which is about to set the permissions
-	 * @param target input set of permissions to operator is going to modify
-	 * @param desired desired set of permissions operator would like to set
-	 * @return resulting set of permissions given operator will set
-	 */
-	function _evaluateBy(address operator, uint256 target, uint256 desired) internal view returns (uint256) {
-		// read operator's permissions
-		uint256 p = getRole(operator);
-
-		// taking into account operator's permissions,
-		// 1) enable the permissions desired on the `target`
-		target |= p & desired;
-		// 2) disable the permissions desired on the `target`
-		target &= FULL_PRIVILEGES_MASK ^ (p & (FULL_PRIVILEGES_MASK ^ desired));
-
-		// return calculated result
-		return target;
-	}
+	constructor(address _owner, uint256 _features) AccessControlCore(_owner, _features) {} // visibility modifier is required to be compilable with 0.6.x
 
 	/**
 	 * @notice Checks if requested set of features is enabled globally on the contract
@@ -241,8 +72,8 @@ abstract contract AccessControl {
 	 * @return true if all the features requested are enabled, false otherwise
 	 */
 	function isFeatureEnabled(uint256 required) public view returns (bool) {
-		// delegate call to `__hasRole`, passing `features` property
-		return __hasRole(features(), required);
+		// delegate to internal `_isFeatureEnabled`
+		return _isFeatureEnabled(required);
 	}
 
 	/**
@@ -252,8 +83,8 @@ abstract contract AccessControl {
 	 * @return true if all the permissions requested are enabled, false otherwise
 	 */
 	function isSenderInRole(uint256 required) public view returns (bool) {
-		// delegate call to `isOperatorInRole`, passing transaction sender
-		return isOperatorInRole(msg.sender, required);
+		// delegate to internal `_isSenderInRole`
+		return _isSenderInRole(required);
 	}
 
 	/**
@@ -264,42 +95,7 @@ abstract contract AccessControl {
 	 * @return true if all the permissions requested are enabled, false otherwise
 	 */
 	function isOperatorInRole(address operator, uint256 required) public view returns (bool) {
-		// delegate call to `__hasRole`, passing operator's permissions (role)
-		return __hasRole(getRole(operator), required);
-	}
-
-	/**
-	 * @dev Sets the `assignedRole` role to the operator, logs both `requestedRole` and `actualRole`
-	 *
-	 * @dev Unsafe:
-	 *      provides direct write access to `userRoles` mapping without any security checks,
-	 *      doesn't verify the executor (msg.sender) permissions,
-	 *      must be kept private at all times
-	 *
-	 * @param operator address of a user to alter permissions for,
-	 *       or self address to alter global features of the smart contract
-	 * @param requestedRole bitmask representing a set of permissions requested
-	 *      to be enabled/disabled for a user specified, used only to be logged into event
-	 * @param assignedRole bitmask representing a set of permissions to
-	 *      enable/disable for a user specified, used to update the mapping and to be logged into event
-	 */
-	function __setRole(address operator, uint256 requestedRole, uint256 assignedRole) private {
-		// assign the role to the operator
-		userRoles[operator] = assignedRole;
-
-		// fire an event
-		emit RoleUpdated(operator, requestedRole, assignedRole);
-	}
-
-	/**
-	 * @dev Checks if role `actual` contains all the permissions required `required`
-	 *
-	 * @param actual existent role
-	 * @param required required role
-	 * @return true if actual has required role (all permissions), false otherwise
-	 */
-	function __hasRole(uint256 actual, uint256 required) private pure returns (bool) {
-		// check the bitmask for the role required and return the result
-		return actual & required == required;
+		// delegate to internal `_isOperatorInRole`
+		return _isOperatorInRole(operator, required);
 	}
 }

package/contracts/AccessControlCore.sol

@@ -0,0 +1,353 @@
+// SPDX-License-Identifier: MIT
+// custom errors (0.8.4)
+// require with message (0.4.22)
+// pure/view modifiers (0.4.16)
+// hardhat (0.4.11)
+pragma solidity >=0.8.4;
+
+/**
+ * @title Role-based Access Control Core (RBAC-C)
+ *
+ * @notice Access control smart contract provides an API to check
+ *      if a specific operation is permitted globally and/or
+ *      if a particular user has a permission to execute it.
+ *
+ * @notice This contract is inherited by other contracts requiring the role-based access control (RBAC)
+ *      protection for the restricted access functions
+ *
+ * @notice It deals with two main entities: features and roles.
+ *
+ * @notice Features are designed to be used to enable/disable public functions
+ *      of the smart contract (used by a wide audience).
+ * @notice User roles are designed to control the access to restricted functions
+ *      of the smart contract (used by a limited set of maintainers).
+ *
+ * @notice Terms "role", "permissions" and "set of permissions" have equal meaning
+ *      in the documentation text and may be used interchangeably.
+ * @notice Terms "permission", "single permission" implies only one permission bit set.
+ *
+ * @notice Access manager is a special role which allows to grant/revoke other roles.
+ *      Access managers can only grant/revoke permissions which they have themselves.
+ *      As an example, access manager with no other roles set can only grant/revoke its own
+ *      access manager permission and nothing else.
+ *
+ * @notice Access manager permission should be treated carefully, as a super admin permission:
+ *      Access manager with even no other permission can interfere with another account by
+ *      granting own access manager permission to it and effectively creating more powerful
+ *      permission set than its own.
+ *
+ * @dev Both current and OpenZeppelin AccessControl implementations feature a similar API
+ *      to check/know "who is allowed to do this thing".
+ * @dev Zeppelin implementation is more flexible:
+ *      - it allows setting unlimited number of roles, while current is limited to 256 different roles
+ *      - it allows setting an admin for each role, while current allows having only one global admin
+ * @dev Current implementation is more lightweight:
+ *      - it uses only 1 bit per role, while Zeppelin uses 256 bits
+ *      - it allows setting up to 256 roles at once, in a single transaction, while Zeppelin allows
+ *        setting only one role in a single transaction
+ *
+ * @dev This smart contract is designed to be inherited by other
+ *      smart contracts which require access control management capabilities.
+ *
+ * @dev Access manager permission has a bit 255 set.
+ *      This bit must not be used by inheriting contracts for any other permissions/features.
+ *
+ * @dev The 'core' version of the RBAC contract hides three rarely used external functions from the public ABI,
+ *      making them internal and thus reducing the overall compiled implementation size.
+ *      isFeatureEnabled() public -> _isFeatureEnabled() internal
+ *      isSenderInRole() public -> _isSenderInRole() internal
+ *      isOperatorInRole() public -> _isOperatorInRole() internal
+ *
+ * @custom:since 1.1.0
+ *
+ * @author Basil Gorin
+ */
+abstract contract AccessControlCore {
+	/**
+	 * @dev Privileged addresses with defined roles/permissions
+	 * @dev In the context of ERC20/ERC721 tokens these can be permissions to
+	 *      allow minting or burning tokens, transferring on behalf and so on
+	 *
+	 * @dev Maps user address to the permissions bitmask (role), where each bit
+	 *      represents a permission
+	 * @dev Bitmask 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+	 *      represents all possible permissions
+	 * @dev 'This' address mapping represents global features of the smart contract
+	 *
+	 * @dev We keep the mapping private to prevent direct writes to it from the inheriting
+	 *      contracts, `getRole()` and `updateRole()` functions should be used instead
+	 */
+	mapping(address => uint256) private userRoles;
+
+	/**
+	 * @notice Access manager is responsible for assigning the roles to users,
+	 *      enabling/disabling global features of the smart contract
+	 * @notice Access manager can add, remove and update user roles,
+	 *      remove and update global features
+	 *
+	 * @dev Role ROLE_ACCESS_MANAGER allows modifying user roles and global features
+	 * @dev Role ROLE_ACCESS_MANAGER has single bit at position 255 enabled
+	 */
+	uint256 public constant ROLE_ACCESS_MANAGER = 0x8000000000000000000000000000000000000000000000000000000000000000;
+
+	/**
+	 * @dev Bitmask representing all the possible permissions (super admin role)
+	 * @dev Has all the bits are enabled (2^256 - 1 value)
+	 */
+	uint256 internal constant FULL_PRIVILEGES_MASK = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF;
+
+	/**
+	 * @notice Thrown when a function is executed by an account that does not have
+	 *      the required access permission(s) (role)
+	 *
+	 * @dev This error is used to enforce role-based access control (RBAC) restrictions
+	 */
+	error AccessDenied();
+
+	/**
+	 * @dev Fired in updateRole() and updateFeatures()
+	 *
+	 * @param operator address which was granted/revoked permissions
+	 * @param requested permissions requested
+	 * @param assigned permissions effectively set
+	 */
+	event RoleUpdated(address indexed operator, uint256 requested, uint256 assigned);
+
+	/**
+	 * @notice Function modifier making a function defined as public behave as restricted
+	 *      (so that only a pre-configured set of accounts can execute it)
+	 *
+	 * @param role the role transaction executor is required to have;
+	 *      the function throws an "access denied" exception if this condition is not met
+	 */
+	modifier restrictedTo(uint256 role) {
+		// verify the access permission
+		_requireSenderInRole(role);
+
+		// execute the rest of the function
+		_;
+	}
+
+	/**
+	 * @notice Creates an access control instance, setting the contract owner to have full privileges
+	 *
+	 * @param _owner smart contract owner having full privileges, can be zero
+	 * @param _features initial features mask of the contract, can be zero
+	 */
+	constructor(address _owner, uint256 _features) { // visibility modifier is required to be compilable with 0.6.x
+		// grant owner full privileges
+		__setRole(_owner, FULL_PRIVILEGES_MASK, FULL_PRIVILEGES_MASK);
+		// update initial features bitmask
+		__setRole(address(this), _features, _features);
+	}
+
+	/**
+	 * @notice Retrieves globally set of features enabled
+	 *
+	 * @dev Effectively reads userRoles role for the contract itself
+	 *
+	 * @return 256-bit bitmask of the features enabled
+	 */
+	function features() public view returns (uint256) {
+		// features are stored in 'this' address mapping of `userRoles`
+		return getRole(address(this));
+	}
+
+	/**
+	 * @notice Updates set of the globally enabled features (`features`),
+	 *      taking into account sender's permissions
+	 *
+	 * @dev Requires transaction sender to have `ROLE_ACCESS_MANAGER` permission
+	 * @dev Function is left for backward compatibility with older versions
+	 *
+	 * @param _mask bitmask representing a set of features to enable/disable
+	 */
+	function updateFeatures(uint256 _mask) public {
+		// delegate call to `updateRole`
+		updateRole(address(this), _mask);
+	}
+
+	/**
+	 * @notice Reads the permissions (role) for a given user from the `userRoles` mapping
+	 *      (privileged addresses with defined roles/permissions)
+	 * @notice In the context of ERC20/ERC721 tokens these can be permissions to
+	 *      allow minting or burning tokens, transferring on behalf and so on
+	 *
+	 * @dev Having a simple getter instead of making the mapping public
+	 *      allows enforcing the encapsulation of the mapping and protects from
+	 *      writing to it directly in the inheriting smart contracts
+	 *
+	 * @param operator address of a user to read permissions for,
+	 *      or self address to read global features of the smart contract
+	 */
+	function getRole(address operator) public view returns(uint256) {
+		// read the value from `userRoles` and return
+		return userRoles[operator];
+	}
+
+	/**
+	 * @notice Updates set of permissions (role) for a given user,
+	 *      taking into account sender's permissions.
+	 *
+	 * @dev Setting role to zero is equivalent to removing an all permissions
+	 * @dev Setting role to `FULL_PRIVILEGES_MASK` is equivalent to
+	 *      copying senders' permissions (role) to the user
+	 * @dev Requires transaction sender to have `ROLE_ACCESS_MANAGER` permission
+	 *
+	 * @param operator address of a user to alter permissions for,
+	 *       or self address to alter global features of the smart contract
+	 * @param role bitmask representing a set of permissions to
+	 *      enable/disable for a user specified
+	 */
+	function updateRole(address operator, uint256 role) public {
+		// caller must have a permission to update user roles
+		_requireSenderInRole(ROLE_ACCESS_MANAGER);
+
+		// evaluate the role and reassign it
+		__setRole(operator, role, _evaluateBy(msg.sender, getRole(operator), role));
+	}
+
+	/**
+	 * @notice Determines the permission bitmask an operator can set on the
+	 *      target permission set
+	 * @notice Used to calculate the permission bitmask to be set when requested
+	 *     in `updateRole` and `updateFeatures` functions
+	 *
+	 * @dev Calculated based on:
+	 *      1) operator's own permission set read from userRoles[operator]
+	 *      2) target permission set - what is already set on the target
+	 *      3) desired permission set - what do we want set target to
+	 *
+	 * @dev Corner cases:
+	 *      1) Operator is super admin and its permission set is `FULL_PRIVILEGES_MASK`:
+	 *        `desired` bitset is returned regardless of the `target` permission set value
+	 *        (what operator sets is what they get)
+	 *      2) Operator with no permissions (zero bitset):
+	 *        `target` bitset is returned regardless of the `desired` value
+	 *        (operator has no authority and cannot modify anything)
+	 *
+	 * @dev Example:
+	 *      Consider an operator with the permissions bitmask     00001111
+	 *      is about to modify the target permission set          01010101
+	 *      Operator wants to set that permission set to          00110011
+	 *      Based on their role, an operator has the permissions
+	 *      to update only lowest 4 bits on the target, meaning that
+	 *      high 4 bits of the target set in this example is left
+	 *      unchanged and low 4 bits get changed as desired:      01010011
+	 *
+	 * @param operator address of the contract operator which is about to set the permissions
+	 * @param target input set of permissions to operator is going to modify
+	 * @param desired desired set of permissions operator would like to set
+	 * @return resulting set of permissions given operator will set
+	 */
+	function _evaluateBy(address operator, uint256 target, uint256 desired) internal view returns (uint256) {
+		// read operator's permissions
+		uint256 p = getRole(operator);
+
+		// taking into account operator's permissions,
+		// 1) enable the permissions desired on the `target`
+		target |= p & desired;
+		// 2) disable the permissions desired on the `target`
+		target &= FULL_PRIVILEGES_MASK ^ (p & (FULL_PRIVILEGES_MASK ^ desired));
+
+		// return calculated result
+		return target;
+	}
+
+	/**
+	 * @notice Ensures that the transaction sender has the required access permission(s) (role)
+	 *
+	 * @dev Reverts with an `AccessDenied` error if the sender does not have the required role
+	 *
+	 * @param required the set of permissions (role) that the transaction sender is required to have
+	 */
+	function _requireSenderInRole(uint256 required) internal view {
+		// check if the transaction has the required permission(s),
+		// reverting with the "access denied" error if not
+		_requireAccessCondition(_isSenderInRole(required));
+	}
+
+	/**
+	 * @notice Ensures that a specific condition is met
+	 *
+	 * @dev Reverts with an `AccessDenied` error if the condition is not met
+	 *
+	 * @param condition the condition that needs to be true for the function to proceed
+	 */
+	function _requireAccessCondition(bool condition) internal pure {
+		// check if the condition holds
+		if(!condition) {
+			// revert with the "access denied" error if not
+			revert AccessDenied();
+		}
+	}
+
+	/**
+	 * @notice Checks if requested set of features is enabled globally on the contract
+	 *
+	 * @param required set of features to check against
+	 * @return true if all the features requested are enabled, false otherwise
+	 */
+	function _isFeatureEnabled(uint256 required) internal view returns (bool) {
+		// delegate call to `__hasRole`, passing `features` property
+		return __hasRole(features(), required);
+	}
+
+	/**
+	 * @notice Checks if transaction sender `msg.sender` has all the permissions required
+	 *
+	 * @param required set of permissions (role) to check against
+	 * @return true if all the permissions requested are enabled, false otherwise
+	 */
+	function _isSenderInRole(uint256 required) internal view returns (bool) {
+		// delegate call to `isOperatorInRole`, passing transaction sender
+		return _isOperatorInRole(msg.sender, required);
+	}
+
+	/**
+	 * @notice Checks if operator has all the permissions (role) required
+	 *
+	 * @param operator address of the user to check role for
+	 * @param required set of permissions (role) to check
+	 * @return true if all the permissions requested are enabled, false otherwise
+	 */
+	function _isOperatorInRole(address operator, uint256 required) internal view returns (bool) {
+		// delegate call to `__hasRole`, passing operator's permissions (role)
+		return __hasRole(getRole(operator), required);
+	}
+
+	/**
+	 * @dev Sets the `assignedRole` role to the operator, logs both `requestedRole` and `actualRole`
+	 *
+	 * @dev Unsafe:
+	 *      provides direct write access to `userRoles` mapping without any security checks,
+	 *      doesn't verify the executor (msg.sender) permissions,
+	 *      must be kept private at all times
+	 *
+	 * @param operator address of a user to alter permissions for,
+	 *       or self address to alter global features of the smart contract
+	 * @param requestedRole bitmask representing a set of permissions requested
+	 *      to be enabled/disabled for a user specified, used only to be logged into event
+	 * @param assignedRole bitmask representing a set of permissions to
+	 *      enable/disable for a user specified, used to update the mapping and to be logged into event
+	 */
+	function __setRole(address operator, uint256 requestedRole, uint256 assignedRole) private {
+		// assign the role to the operator
+		userRoles[operator] = assignedRole;
+
+		// fire an event
+		emit RoleUpdated(operator, requestedRole, assignedRole);
+	}
+
+	/**
+	 * @dev Checks if role `actual` contains all the permissions required `required`
+	 *
+	 * @param actual existent role
+	 * @param required required role
+	 * @return true if actual has required role (all permissions), false otherwise
+	 */
+	function __hasRole(uint256 actual, uint256 required) private pure returns (bool) {
+		// check the bitmask for the role required and return the result
+		return actual & required == required;
+	}
+}

package/contracts/AdapterFactory.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity >=0.6.2;
+pragma solidity >=0.8.4;
 
 import "./OwnableToAccessControlAdapter.sol";
 

package/contracts/OwnableToAccessControlAdapter.sol

@@ -1,5 +1,7 @@
 // SPDX-License-Identifier: MIT
-pragma solidity >=0.6.2; // breaking changes in .call() (0.5.0), allow .call{}() (0.6.2)
+// breaking changes in .call() (0.5.0)
+// allow .call{}() (0.6.2)
+pragma solidity >=0.8.4;
 
 import "./AccessControl.sol";
 
@@ -63,7 +65,7 @@ import "./AccessControl.sol";
  *
  * @author Basil Gorin
  */
-contract OwnableToAccessControlAdapter is AccessControl {
+contract OwnableToAccessControlAdapter is AccessControlCore {
 	/**
 	 * @dev Target OZ Ownable contract AccessControl Adapter executes the transactions on
 	 *
@@ -111,7 +113,7 @@ contract OwnableToAccessControlAdapter is AccessControl {
 	 * @param _target target OZ Ownable contract address
 	 * @param _owner smart contract owner having full privileges
 	 */
-	constructor(address _target, address _owner) public AccessControl(_owner, 0) {
+	constructor(address _target, address _owner) AccessControlCore(_owner, 0) { // visibility modifier is required to be compilable with 0.6.x
 		// verify the inputs
 		require(_target != address(0), "zero address");
 
@@ -148,7 +150,7 @@ contract OwnableToAccessControlAdapter is AccessControl {
 	 */
 	function updateAccessRole(bytes4 selector, uint256 role) public {
 		// verify the access permission
-		require(isSenderInRole(ROLE_ACCESS_ROLES_MANAGER), "access denied");
+		_requireSenderInRole(ROLE_ACCESS_ROLES_MANAGER);
 
 		// update the function access role
 		accessRoles[selector] = role;
@@ -190,7 +192,7 @@ contract OwnableToAccessControlAdapter is AccessControl {
 			require(roleRequired != 0, "access role not set");
 
 			// verify the access permission
-			require(isSenderInRole(roleRequired), "access denied");
+			_requireSenderInRole(roleRequired);
 		}
 
 		// execute the call on the target