Access
Smart contract access utilities and implementations
Outdated Version
This directory provides ways to restrict who can access the functions of a contract or when they can do it.
AccessControl
provides a general role based access control mechanism. Multiple hierarchical roles can be created and assigned each to multiple accounts.Ownable
is a simpler mechanism with a single owner "role" that can be assigned to a single account. This simpler mechanism can be useful for quick tests but projects with production concerns are likely to outgrow it.
Authorization
AccessControlDefaultAdminRules
import "@openzeppelin/contracts/access/AccessControl.sol";
Contract module that allows children to implement role-based access
control mechanisms. This is a lightweight version that doesn't allow enumerating role
members except through off-chain means by accessing the contract event logs. Some
applications may benefit from on-chain enumerability, for those cases see
AccessControlEnumerable
.
Roles are referred to by their bytes32
identifier. These should be exposed
in the external API and be unique. The best way to achieve this is by
using public constant
hash digests:
bytes32 public constant MY_ROLE = keccak256("MY_ROLE");
Roles can be used to represent a set of permissions. To restrict access to a
function call, use AccessControl.hasRole
:
function foo() public {
require(hasRole(MY_ROLE, msg.sender));
...
}
Roles can be granted and revoked dynamically via the AccessControl.grantRole
and
AccessControl.revokeRole
functions. Each role has an associated admin role, and only
accounts that have a role's admin role can call AccessControl.grantRole
and AccessControl.revokeRole
.
By default, the admin role for all roles is DEFAULT_ADMIN_ROLE
, which means
that only accounts with this role will be able to grant or revoke other
roles. More complex role relationships can be created by using
AccessControl._setRoleAdmin
.
The DEFAULT_ADMIN_ROLE
is also its own admin: it has permission to
grant and revoke this role. Extra precautions should be taken to secure
accounts that have been granted it. We recommend using AccessControlDefaultAdminRules
to enforce additional security measures for this role.
Modifiers
Functions
- supportsInterface(interfaceId)
- hasRole(role, account)
- _checkRole(role)
- _checkRole(role, account)
- getRoleAdmin(role)
- grantRole(role, account)
- revokeRole(role, account)
- renounceRole(role, account)
- _setupRole(role, account)
- _setRoleAdmin(role, adminRole)
- _grantRole(role, account)
- _revokeRole(role, account)
- DEFAULT_ADMIN_ROLE()
ERC165
IERC165
IAccessControl
Events
onlyRole(bytes32 role)
internal
#Modifier that checks that an account has a specific role. Reverts with a standardized message including the required role.
The format of the revert reason is given by the following regular expression:
/^AccessControl: account (0x[0-9a-f]SafeCast.toUint240
) is missing role (0x[0-9a-f]Base64
)$/
Available since v4.1.
supportsInterface(bytes4 interfaceId) → bool
public
#hasRole(bytes32 role, address account) → bool
public
#Returns true
if account
has been granted role
.
_checkRole(bytes32 role)
internal
#Revert with a standard message if _msgSender()
is missing role
.
Overriding this function changes the behavior of the AccessControl.onlyRole
modifier.
Format of the revert message is described in AccessControl._checkRole
.
Available since v4.6.
_checkRole(bytes32 role, address account)
internal
#Revert with a standard message if account
is missing role
.
The format of the revert reason is given by the following regular expression:
/^AccessControl: account (0x[0-9a-f]SafeCast.toUint240
) is missing role (0x[0-9a-f]Base64
)$/
getRoleAdmin(bytes32 role) → bytes32
public
#Returns the admin role that controls role
. See AccessControl.grantRole
and
AccessControl.revokeRole
.
To change a role's admin, use AccessControl._setRoleAdmin
.
grantRole(bytes32 role, address account)
public
#Grants role
to account
.
If account
had not been already granted role
, emits a IAccessControl.RoleGranted
event.
Requirements:
- the caller must have
role
's admin role.
May emit a IAccessControl.RoleGranted
event.
revokeRole(bytes32 role, address account)
public
#Revokes role
from account
.
If account
had been granted role
, emits a IAccessControl.RoleRevoked
event.
Requirements:
- the caller must have
role
's admin role.
May emit a IAccessControl.RoleRevoked
event.
renounceRole(bytes32 role, address account)
public
#Revokes role
from the calling account.
Roles are often managed via AccessControl.grantRole
and AccessControl.revokeRole
: this function's
purpose is to provide a mechanism for accounts to lose their privileges
if they are compromised (such as when a trusted device is misplaced).
If the calling account had been revoked role
, emits a IAccessControl.RoleRevoked
event.
Requirements:
- the caller must be
account
.
May emit a IAccessControl.RoleRevoked
event.
_setupRole(bytes32 role, address account)
internal
#Grants role
to account
.
If account
had not been already granted role
, emits a IAccessControl.RoleGranted
event. Note that unlike AccessControl.grantRole
, this function doesn't perform any
checks on the calling account.
May emit a IAccessControl.RoleGranted
event.
[WARNING]
This function should only be called from the constructor when setting up the initial roles for the system.
Using this function in any other way is effectively circumventing the admin
system imposed by AccessControl
.
NOTE: This function is deprecated in favor of AccessControl._grantRole
.
_setRoleAdmin(bytes32 role, bytes32 adminRole)
internal
#Sets adminRole
as role
's admin role.
Emits a IAccessControl.RoleAdminChanged
event.
_grantRole(bytes32 role, address account)
internal
#Grants role
to account
.
Internal function without access restriction.
May emit a IAccessControl.RoleGranted
event.
_revokeRole(bytes32 role, address account)
internal
#Revokes role
from account
.
Internal function without access restriction.
May emit a IAccessControl.RoleRevoked
event.
DEFAULT_ADMIN_ROLE() → bytes32
public
#import "@openzeppelin/contracts/access/AccessControlCrossChain.sol";
An extension to AccessControl
with support for cross-chain access management.
For each role, is extension implements an equivalent "aliased" role that is used for
restricting calls originating from other chains.
For example, if a function myFunction
is protected by onlyRole(SOME_ROLE)
, and
if an address x
has role SOME_ROLE
, it would be able to call myFunction
directly.
A wallet or contract at the same address on another chain would however not be able
to call this function. In order to do so, it would require to have the role
_crossChainRoleAlias(SOME_ROLE)
.
This aliasing is required to protect against multiple contracts living at the same address on different chains but controlled by conflicting entities.
Available since v4.6.
Functions
CrossChainEnabled
AccessControl
- supportsInterface(interfaceId)
- hasRole(role, account)
- _checkRole(role, account)
- getRoleAdmin(role)
- grantRole(role, account)
- revokeRole(role, account)
- renounceRole(role, account)
- _setupRole(role, account)
- _setRoleAdmin(role, adminRole)
- _grantRole(role, account)
- _revokeRole(role, account)
- DEFAULT_ADMIN_ROLE()
ERC165
IERC165
IAccessControl
Events
_checkRole(bytes32 role)
internal
#_crossChainRoleAlias(bytes32 role) → bytes32
internal
#Returns the aliased role corresponding to role
.
CROSSCHAIN_ALIAS() → bytes32
public
#import "@openzeppelin/contracts/access/AccessControlDefaultAdminRules.sol";
Extension of AccessControl
that allows specifying special rules to manage
the DEFAULT_ADMIN_ROLE
holder, which is a sensitive role with special permissions
over other roles that may potentially have privileged rights in the system.
If a specific role doesn't have an admin role assigned, the holder of the
DEFAULT_ADMIN_ROLE
will have the ability to grant it and revoke it.
This contract implements the following risk mitigations on top of AccessControl
:
- Only one account holds the
DEFAULT_ADMIN_ROLE
since deployment until it's potentially renounced. - Enforces a 2-step process to transfer the
DEFAULT_ADMIN_ROLE
to another account. - Enforces a configurable delay between the two steps, with the ability to cancel before the transfer is accepted.
- The delay can be changed by scheduling, see
AccessControlDefaultAdminRules.changeDefaultAdminDelay
. - It is not possible to use another role to manage the
DEFAULT_ADMIN_ROLE
.
Example usage:
contract MyToken is AccessControlDefaultAdminRules {
constructor() AccessControlDefaultAdminRules(
3 days,
msg.sender // Explicit initial `DEFAULT_ADMIN_ROLE` holder
) {}
}
Available since v4.9.
Functions
- constructor(initialDelay, initialDefaultAdmin)
- supportsInterface(interfaceId)
- owner()
- grantRole(role, account)
- revokeRole(role, account)
- renounceRole(role, account)
- _grantRole(role, account)
- _revokeRole(role, account)
- _setRoleAdmin(role, adminRole)
- defaultAdmin()
- pendingDefaultAdmin()
- defaultAdminDelay()
- pendingDefaultAdminDelay()
- defaultAdminDelayIncreaseWait()
- beginDefaultAdminTransfer(newAdmin)
- _beginDefaultAdminTransfer(newAdmin)
- cancelDefaultAdminTransfer()
- _cancelDefaultAdminTransfer()
- acceptDefaultAdminTransfer()
- _acceptDefaultAdminTransfer()
- changeDefaultAdminDelay(newDelay)
- _changeDefaultAdminDelay(newDelay)
- rollbackDefaultAdminDelay()
- _rollbackDefaultAdminDelay()
- _delayChangeWait(newDelay)
AccessControl
- hasRole(role, account)
- _checkRole(role)
- _checkRole(role, account)
- getRoleAdmin(role)
- _setupRole(role, account)
- DEFAULT_ADMIN_ROLE()
ERC165
IERC165
IERC5313
IAccessControlDefaultAdminRules
IAccessControl
Events
constructor(uint48 initialDelay, address initialDefaultAdmin)
internal
#Sets the initial values for AccessControlDefaultAdminRules.defaultAdminDelay
and AccessControlDefaultAdminRules.defaultAdmin
address.
supportsInterface(bytes4 interfaceId) → bool
public
#owner() → address
public
#See IERC5313.owner
.
grantRole(bytes32 role, address account)
public
#See AccessControl.grantRole
. Reverts for DEFAULT_ADMIN_ROLE
.
revokeRole(bytes32 role, address account)
public
#See AccessControl.revokeRole
. Reverts for DEFAULT_ADMIN_ROLE
.
renounceRole(bytes32 role, address account)
public
#See AccessControl.renounceRole
.
For the DEFAULT_ADMIN_ROLE
, it only allows renouncing in two steps by first calling
AccessControlDefaultAdminRules.beginDefaultAdminTransfer
to the address(0)
, so it's required that the AccessControlDefaultAdminRules.pendingDefaultAdmin
schedule
has also passed when calling this function.
After its execution, it will not be possible to call onlyRole(DEFAULT_ADMIN_ROLE)
functions.
NOTE: Renouncing DEFAULT_ADMIN_ROLE
will leave the contract without a AccessControlDefaultAdminRules.defaultAdmin
,
thereby disabling any functionality that is only available for it, and the possibility of reassigning a
non-administrated role.
_grantRole(bytes32 role, address account)
internal
#For DEFAULT_ADMIN_ROLE
, it only allows granting if there isn't already a AccessControlDefaultAdminRules.defaultAdmin
or if the
role has been previously renounced.
NOTE: Exposing this function through another mechanism may make the DEFAULT_ADMIN_ROLE
assignable again. Make sure to guarantee this is the expected behavior in your implementation.
_revokeRole(bytes32 role, address account)
internal
#_setRoleAdmin(bytes32 role, bytes32 adminRole)
internal
#See AccessControl._setRoleAdmin
. Reverts for DEFAULT_ADMIN_ROLE
.
defaultAdmin() → address
public
#Returns the address of the current DEFAULT_ADMIN_ROLE
holder.
pendingDefaultAdmin() → address newAdmin, uint48 schedule
public
#Returns a tuple of a newAdmin
and an accept schedule.
After the schedule
passes, the newAdmin
will be able to accept the AccessControlDefaultAdminRules.defaultAdmin
role
by calling AccessControlDefaultAdminRules.acceptDefaultAdminTransfer
, completing the role transfer.
A zero value only in acceptSchedule
indicates no pending admin transfer.
NOTE: A zero address newAdmin
means that AccessControlDefaultAdminRules.defaultAdmin
is being renounced.
defaultAdminDelay() → uint48
public
#Returns the delay required to schedule the acceptance of a AccessControlDefaultAdminRules.defaultAdmin
transfer started.
This delay will be added to the current timestamp when calling AccessControlDefaultAdminRules.beginDefaultAdminTransfer
to set
the acceptance schedule.
NOTE: If a delay change has been scheduled, it will take effect as soon as the schedule passes, making this
function returns the new delay. See AccessControlDefaultAdminRules.changeDefaultAdminDelay
.
pendingDefaultAdminDelay() → uint48 newDelay, uint48 schedule
public
#Returns a tuple of newDelay
and an effect schedule.
After the schedule
passes, the newDelay
will get into effect immediately for every
new AccessControlDefaultAdminRules.defaultAdmin
transfer started with AccessControlDefaultAdminRules.beginDefaultAdminTransfer
.
A zero value only in effectSchedule
indicates no pending delay change.
NOTE: A zero value only for newDelay
means that the next AccessControlDefaultAdminRules.defaultAdminDelay
will be zero after the effect schedule.
defaultAdminDelayIncreaseWait() → uint48
public
#Maximum time in seconds for an increase to AccessControlDefaultAdminRules.defaultAdminDelay
(that is scheduled using AccessControlDefaultAdminRules.changeDefaultAdminDelay
)
to take effect. Default to 5 days.
When the AccessControlDefaultAdminRules.defaultAdminDelay
is scheduled to be increased, it goes into effect after the new delay has passed with
the purpose of giving enough time for reverting any accidental change (i.e. using milliseconds instead of seconds)
that may lock the contract. However, to avoid excessive schedules, the wait is capped by this function and it can
be overrode for a custom AccessControlDefaultAdminRules.defaultAdminDelay
increase scheduling.
Make sure to add a reasonable amount of time while overriding this value, otherwise, there's a risk of setting a high new delay that goes into effect almost immediately without the possibility of human intervention in the case of an input error (eg. set milliseconds instead of seconds).
beginDefaultAdminTransfer(address newAdmin)
public
#Starts a AccessControlDefaultAdminRules.defaultAdmin
transfer by setting a AccessControlDefaultAdminRules.pendingDefaultAdmin
scheduled for acceptance
after the current timestamp plus a AccessControlDefaultAdminRules.defaultAdminDelay
.
Requirements:
- Only can be called by the current
AccessControlDefaultAdminRules.defaultAdmin
.
Emits a DefaultAdminRoleChangeStarted event.
_beginDefaultAdminTransfer(address newAdmin)
internal
#See AccessControlDefaultAdminRules.beginDefaultAdminTransfer
.
Internal function without access restriction.
cancelDefaultAdminTransfer()
public
#Cancels a AccessControlDefaultAdminRules.defaultAdmin
transfer previously started with AccessControlDefaultAdminRules.beginDefaultAdminTransfer
.
A AccessControlDefaultAdminRules.pendingDefaultAdmin
not yet accepted can also be cancelled with this function.
Requirements:
- Only can be called by the current
AccessControlDefaultAdminRules.defaultAdmin
.
May emit a DefaultAdminTransferCanceled event.
_cancelDefaultAdminTransfer()
internal
#See AccessControlDefaultAdminRules.cancelDefaultAdminTransfer
.
Internal function without access restriction.
acceptDefaultAdminTransfer()
public
#Completes a AccessControlDefaultAdminRules.defaultAdmin
transfer previously started with AccessControlDefaultAdminRules.beginDefaultAdminTransfer
.
After calling the function:
DEFAULT_ADMIN_ROLE
should be granted to the caller.DEFAULT_ADMIN_ROLE
should be revoked from the previous holder.AccessControlDefaultAdminRules.pendingDefaultAdmin
should be reset to zero values.
Requirements:
- Only can be called by the
AccessControlDefaultAdminRules.pendingDefaultAdmin
'snewAdmin
. - The
AccessControlDefaultAdminRules.pendingDefaultAdmin
'sacceptSchedule
should've passed.
_acceptDefaultAdminTransfer()
internal
#See AccessControlDefaultAdminRules.acceptDefaultAdminTransfer
.
Internal function without access restriction.
changeDefaultAdminDelay(uint48 newDelay)
public
#Initiates a AccessControlDefaultAdminRules.defaultAdminDelay
update by setting a AccessControlDefaultAdminRules.pendingDefaultAdminDelay
scheduled for getting
into effect after the current timestamp plus a AccessControlDefaultAdminRules.defaultAdminDelay
.
This function guarantees that any call to AccessControlDefaultAdminRules.beginDefaultAdminTransfer
done between the timestamp this
method is called and the AccessControlDefaultAdminRules.pendingDefaultAdminDelay
effect schedule will use the current AccessControlDefaultAdminRules.defaultAdminDelay
set before calling.
The AccessControlDefaultAdminRules.pendingDefaultAdminDelay
's effect schedule is defined in a way that waiting until the schedule and then
calling AccessControlDefaultAdminRules.beginDefaultAdminTransfer
with the new delay will take at least the same as another AccessControlDefaultAdminRules.defaultAdmin
complete transfer (including acceptance).
The schedule is designed for two scenarios:
- When the delay is changed for a larger one the schedule is
block.timestamp + newDelay
capped byAccessControlDefaultAdminRules.defaultAdminDelayIncreaseWait
. - When the delay is changed for a shorter one, the schedule is
block.timestamp + (current delay - new delay)
.
A AccessControlDefaultAdminRules.pendingDefaultAdminDelay
that never got into effect will be canceled in favor of a new scheduled change.
Requirements:
- Only can be called by the current
AccessControlDefaultAdminRules.defaultAdmin
.
Emits a DefaultAdminDelayChangeScheduled event and may emit a DefaultAdminDelayChangeCanceled event.
_changeDefaultAdminDelay(uint48 newDelay)
internal
#See AccessControlDefaultAdminRules.changeDefaultAdminDelay
.
Internal function without access restriction.
rollbackDefaultAdminDelay()
public
#Cancels a scheduled AccessControlDefaultAdminRules.defaultAdminDelay
change.
Requirements:
- Only can be called by the current
AccessControlDefaultAdminRules.defaultAdmin
.
May emit a DefaultAdminDelayChangeCanceled event.
_rollbackDefaultAdminDelay()
internal
#See AccessControlDefaultAdminRules.rollbackDefaultAdminDelay
.
Internal function without access restriction.
_delayChangeWait(uint48 newDelay) → uint48
internal
#Returns the amount of seconds to wait after the newDelay
will
become the new AccessControlDefaultAdminRules.defaultAdminDelay
.
The value returned guarantees that if the delay is reduced, it will go into effect after a wait that honors the previously set delay.
See AccessControlDefaultAdminRules.defaultAdminDelayIncreaseWait
.
import "@openzeppelin/contracts/access/AccessControlEnumerable.sol";
Extension of AccessControl
that allows enumerating the members of each role.
Functions
- supportsInterface(interfaceId)
- getRoleMember(role, index)
- getRoleMemberCount(role)
- _grantRole(role, account)
- _revokeRole(role, account)
AccessControl
- hasRole(role, account)
- _checkRole(role)
- _checkRole(role, account)
- getRoleAdmin(role)
- grantRole(role, account)
- revokeRole(role, account)
- renounceRole(role, account)
- _setupRole(role, account)
- _setRoleAdmin(role, adminRole)
- DEFAULT_ADMIN_ROLE()
ERC165
IERC165
IAccessControlEnumerable
IAccessControl
Events
supportsInterface(bytes4 interfaceId) → bool
public
#getRoleMember(bytes32 role, uint256 index) → address
public
#Returns one of the accounts that have role
. index
must be a
value between 0 and AccessControlEnumerable.getRoleMemberCount
, non-inclusive.
Role bearers are not sorted in any particular way, and their ordering may change at any point.
When using AccessControlEnumerable.getRoleMember
and AccessControlEnumerable.getRoleMemberCount
, make sure
you perform all queries on the same block. See the following
forum post
for more information.
getRoleMemberCount(bytes32 role) → uint256
public
#Returns the number of accounts that have role
. Can be used
together with AccessControlEnumerable.getRoleMember
to enumerate all bearers of a role.
_grantRole(bytes32 role, address account)
internal
#Overload AccessControl._grantRole
to track enumerable memberships
_revokeRole(bytes32 role, address account)
internal
#Overload AccessControl._revokeRole
to track enumerable memberships
import "@openzeppelin/contracts/access/IAccessControl.sol";
External interface of AccessControl declared to support ERC165 detection.
Functions
Events
hasRole(bytes32 role, address account) → bool
external
#Returns true
if account
has been granted role
.
getRoleAdmin(bytes32 role) → bytes32
external
#Returns the admin role that controls role
. See AccessControl.grantRole
and
AccessControl.revokeRole
.
To change a role's admin, use AccessControl._setRoleAdmin
.
grantRole(bytes32 role, address account)
external
#Grants role
to account
.
If account
had not been already granted role
, emits a IAccessControl.RoleGranted
event.
Requirements:
- the caller must have
role
's admin role.
revokeRole(bytes32 role, address account)
external
#Revokes role
from account
.
If account
had been granted role
, emits a IAccessControl.RoleRevoked
event.
Requirements:
- the caller must have
role
's admin role.
renounceRole(bytes32 role, address account)
external
#Revokes role
from the calling account.
Roles are often managed via AccessControl.grantRole
and AccessControl.revokeRole
: this function's
purpose is to provide a mechanism for accounts to lose their privileges
if they are compromised (such as when a trusted device is misplaced).
If the calling account had been granted role
, emits a IAccessControl.RoleRevoked
event.
Requirements:
- the caller must be
account
.
RoleAdminChanged(bytes32 indexed role, bytes32 indexed previousAdminRole, bytes32 indexed newAdminRole)
event
#Emitted when newAdminRole
is set as role
's admin role, replacing previousAdminRole
DEFAULT_ADMIN_ROLE
is the starting admin for all roles, despite
IAccessControl.RoleAdminChanged
not being emitted signaling this.
Available since v3.1.
RoleGranted(bytes32 indexed role, address indexed account, address indexed sender)
event
#Emitted when account
is granted role
.
sender
is the account that originated the contract call, an admin role
bearer except when using AccessControl._setupRole
.
RoleRevoked(bytes32 indexed role, address indexed account, address indexed sender)
event
#Emitted when account
is revoked role
.
sender
is the account that originated the contract call:
- if using
revokeRole
, it is the admin role bearer - if using
renounceRole
, it is the role bearer (i.e.account
)
import "@openzeppelin/contracts/access/IAccessControlDefaultAdminRules.sol";
External interface of AccessControlDefaultAdminRules declared to support ERC165 detection.
Available since v4.9.
Functions
Events
defaultAdmin() → address
external
#Returns the address of the current DEFAULT_ADMIN_ROLE
holder.
pendingDefaultAdmin() → address newAdmin, uint48 acceptSchedule
external
#Returns a tuple of a newAdmin
and an accept schedule.
After the schedule
passes, the newAdmin
will be able to accept the AccessControlDefaultAdminRules.defaultAdmin
role
by calling AccessControlDefaultAdminRules.acceptDefaultAdminTransfer
, completing the role transfer.
A zero value only in acceptSchedule
indicates no pending admin transfer.
NOTE: A zero address newAdmin
means that AccessControlDefaultAdminRules.defaultAdmin
is being renounced.
defaultAdminDelay() → uint48
external
#Returns the delay required to schedule the acceptance of a AccessControlDefaultAdminRules.defaultAdmin
transfer started.
This delay will be added to the current timestamp when calling AccessControlDefaultAdminRules.beginDefaultAdminTransfer
to set
the acceptance schedule.
NOTE: If a delay change has been scheduled, it will take effect as soon as the schedule passes, making this
function returns the new delay. See AccessControlDefaultAdminRules.changeDefaultAdminDelay
.
pendingDefaultAdminDelay() → uint48 newDelay, uint48 effectSchedule
external
#Returns a tuple of newDelay
and an effect schedule.
After the schedule
passes, the newDelay
will get into effect immediately for every
new AccessControlDefaultAdminRules.defaultAdmin
transfer started with AccessControlDefaultAdminRules.beginDefaultAdminTransfer
.
A zero value only in effectSchedule
indicates no pending delay change.
NOTE: A zero value only for newDelay
means that the next AccessControlDefaultAdminRules.defaultAdminDelay
will be zero after the effect schedule.
beginDefaultAdminTransfer(address newAdmin)
external
#Starts a AccessControlDefaultAdminRules.defaultAdmin
transfer by setting a AccessControlDefaultAdminRules.pendingDefaultAdmin
scheduled for acceptance
after the current timestamp plus a AccessControlDefaultAdminRules.defaultAdminDelay
.
Requirements:
- Only can be called by the current
AccessControlDefaultAdminRules.defaultAdmin
.
Emits a DefaultAdminRoleChangeStarted event.
cancelDefaultAdminTransfer()
external
#Cancels a AccessControlDefaultAdminRules.defaultAdmin
transfer previously started with AccessControlDefaultAdminRules.beginDefaultAdminTransfer
.
A AccessControlDefaultAdminRules.pendingDefaultAdmin
not yet accepted can also be cancelled with this function.
Requirements:
- Only can be called by the current
AccessControlDefaultAdminRules.defaultAdmin
.
May emit a DefaultAdminTransferCanceled event.
acceptDefaultAdminTransfer()
external
#Completes a AccessControlDefaultAdminRules.defaultAdmin
transfer previously started with AccessControlDefaultAdminRules.beginDefaultAdminTransfer
.
After calling the function:
DEFAULT_ADMIN_ROLE
should be granted to the caller.DEFAULT_ADMIN_ROLE
should be revoked from the previous holder.AccessControlDefaultAdminRules.pendingDefaultAdmin
should be reset to zero values.
Requirements:
- Only can be called by the
AccessControlDefaultAdminRules.pendingDefaultAdmin
'snewAdmin
. - The
AccessControlDefaultAdminRules.pendingDefaultAdmin
'sacceptSchedule
should've passed.
changeDefaultAdminDelay(uint48 newDelay)
external
#Initiates a AccessControlDefaultAdminRules.defaultAdminDelay
update by setting a AccessControlDefaultAdminRules.pendingDefaultAdminDelay
scheduled for getting
into effect after the current timestamp plus a AccessControlDefaultAdminRules.defaultAdminDelay
.
This function guarantees that any call to AccessControlDefaultAdminRules.beginDefaultAdminTransfer
done between the timestamp this
method is called and the AccessControlDefaultAdminRules.pendingDefaultAdminDelay
effect schedule will use the current AccessControlDefaultAdminRules.defaultAdminDelay
set before calling.
The AccessControlDefaultAdminRules.pendingDefaultAdminDelay
's effect schedule is defined in a way that waiting until the schedule and then
calling AccessControlDefaultAdminRules.beginDefaultAdminTransfer
with the new delay will take at least the same as another AccessControlDefaultAdminRules.defaultAdmin
complete transfer (including acceptance).
The schedule is designed for two scenarios:
- When the delay is changed for a larger one the schedule is
block.timestamp + newDelay
capped byAccessControlDefaultAdminRules.defaultAdminDelayIncreaseWait
. - When the delay is changed for a shorter one, the schedule is
block.timestamp + (current delay - new delay)
.
A AccessControlDefaultAdminRules.pendingDefaultAdminDelay
that never got into effect will be canceled in favor of a new scheduled change.
Requirements:
- Only can be called by the current
AccessControlDefaultAdminRules.defaultAdmin
.
Emits a DefaultAdminDelayChangeScheduled event and may emit a DefaultAdminDelayChangeCanceled event.
rollbackDefaultAdminDelay()
external
#Cancels a scheduled AccessControlDefaultAdminRules.defaultAdminDelay
change.
Requirements:
- Only can be called by the current
AccessControlDefaultAdminRules.defaultAdmin
.
May emit a DefaultAdminDelayChangeCanceled event.
defaultAdminDelayIncreaseWait() → uint48
external
#Maximum time in seconds for an increase to AccessControlDefaultAdminRules.defaultAdminDelay
(that is scheduled using AccessControlDefaultAdminRules.changeDefaultAdminDelay
)
to take effect. Default to 5 days.
When the AccessControlDefaultAdminRules.defaultAdminDelay
is scheduled to be increased, it goes into effect after the new delay has passed with
the purpose of giving enough time for reverting any accidental change (i.e. using milliseconds instead of seconds)
that may lock the contract. However, to avoid excessive schedules, the wait is capped by this function and it can
be overrode for a custom AccessControlDefaultAdminRules.defaultAdminDelay
increase scheduling.
Make sure to add a reasonable amount of time while overriding this value, otherwise, there's a risk of setting a high new delay that goes into effect almost immediately without the possibility of human intervention in the case of an input error (eg. set milliseconds instead of seconds).
DefaultAdminTransferScheduled(address indexed newAdmin, uint48 acceptSchedule)
event
#Emitted when a AccessControlDefaultAdminRules.defaultAdmin
transfer is started, setting newAdmin
as the next
address to become the AccessControlDefaultAdminRules.defaultAdmin
by calling AccessControlDefaultAdminRules.acceptDefaultAdminTransfer
only after acceptSchedule
passes.
DefaultAdminTransferCanceled()
event
#Emitted when a AccessControlDefaultAdminRules.pendingDefaultAdmin
is reset if it was never accepted, regardless of its schedule.
DefaultAdminDelayChangeScheduled(uint48 newDelay, uint48 effectSchedule)
event
#Emitted when a AccessControlDefaultAdminRules.defaultAdminDelay
change is started, setting newDelay
as the next
delay to be applied between default admin transfer after effectSchedule
has passed.
DefaultAdminDelayChangeCanceled()
event
#Emitted when a AccessControlDefaultAdminRules.pendingDefaultAdminDelay
is reset if its schedule didn't pass.
import "@openzeppelin/contracts/access/IAccessControlEnumerable.sol";
External interface of AccessControlEnumerable declared to support ERC165 detection.
Functions
Events
getRoleMember(bytes32 role, uint256 index) → address
external
#Returns one of the accounts that have role
. index
must be a
value between 0 and AccessControlEnumerable.getRoleMemberCount
, non-inclusive.
Role bearers are not sorted in any particular way, and their ordering may change at any point.
When using AccessControlEnumerable.getRoleMember
and AccessControlEnumerable.getRoleMemberCount
, make sure
you perform all queries on the same block. See the following
forum post
for more information.
getRoleMemberCount(bytes32 role) → uint256
external
#Returns the number of accounts that have role
. Can be used
together with AccessControlEnumerable.getRoleMember
to enumerate all bearers of a role.
import "@openzeppelin/contracts/access/Ownable.sol";
Contract module which provides a basic access control mechanism, where there is an account (an owner) that can be granted exclusive access to specific functions.
By default, the owner account will be the one that deploys the contract. This
can later be changed with Ownable.transferOwnership
.
This module is used through inheritance. It will make available the modifier
onlyOwner
, which can be applied to your functions to restrict their use to
the owner.
Modifiers
Functions
onlyOwner()
internal
#Throws if called by any account other than the owner.
constructor()
internal
#Initializes the contract setting the deployer as the initial owner.
owner() → address
public
#Returns the address of the current owner.
_checkOwner()
internal
#Throws if the sender is not the owner.
renounceOwnership()
public
#Leaves the contract without owner. It will not be possible to call
onlyOwner
functions. Can only be called by the current owner.
NOTE: Renouncing ownership will leave the contract without an owner, thereby disabling any functionality that is only available to the owner.
transferOwnership(address newOwner)
public
#Transfers ownership of the contract to a new account (newOwner
).
Can only be called by the current owner.
_transferOwnership(address newOwner)
internal
#Transfers ownership of the contract to a new account (newOwner
).
Internal function without access restriction.
OwnershipTransferred(address indexed previousOwner, address indexed newOwner)
event
#import "@openzeppelin/contracts/access/Ownable2Step.sol";
Contract module which provides access control mechanism, where there is an account (an owner) that can be granted exclusive access to specific functions.
By default, the owner account will be the one that deploys the contract. This
can later be changed with Ownable.transferOwnership
and Ownable2Step.acceptOwnership
.
This module is used through inheritance. It will make available all functions from parent (Ownable).
Functions
Events
pendingOwner() → address
public
#Returns the address of the pending owner.
transferOwnership(address newOwner)
public
#Starts the ownership transfer of the contract to a new account. Replaces the pending transfer if there is one. Can only be called by the current owner.
_transferOwnership(address newOwner)
internal
#Transfers ownership of the contract to a new account (newOwner
) and deletes any pending owner.
Internal function without access restriction.
acceptOwnership()
public
#The new owner accepts the ownership transfer.
OwnershipTransferStarted(address indexed previousOwner, address indexed newOwner)
event
#