
AccessControlTemporalMod

Manages time-bound role assignments in a diamond

Key Features
  • Manages roles with specific expiry timestamps.
  • Provides requireValidRole for immediate validation; it reverts if the role has expired or the account lacks the role.
  • All functions are internal, intended for use within facets.
  • Integrates with the diamond storage pattern.
Module Usage

This module provides internal functions for use in your custom facets. Import it to access shared logic and storage.

Overview

This module provides functionality to grant roles with specific expiry timestamps. Facets can use this module to enforce time-limited access control, ensuring that roles automatically become invalid after their designated expiry. It leverages the diamond storage pattern for shared state across facets.


Storage

AccessControlStorage

Definition
struct AccessControlStorage {
    mapping(address account => mapping(bytes32 role => bool hasRole)) hasRole;
    mapping(bytes32 role => bytes32 adminRole) adminRole;
}

AccessControlTemporalStorage

Definition
struct AccessControlTemporalStorage {
    mapping(address account => mapping(bytes32 role => uint256 expiryTimestamp)) roleExpiry;
}

State Variables

Property | Type | Description
ACCESS_CONTROL_STORAGE_POSITION | bytes32 | Diamond storage slot position for this module (Value: keccak256("compose.accesscontrol"))
TEMPORAL_STORAGE_POSITION | bytes32 | Diamond storage slot position for this module (Value: keccak256("compose.accesscontrol.temporal"))

Functions

getAccessControlStorage

Returns the storage for AccessControl.

function getAccessControlStorage() pure returns (AccessControlStorage storage s);

Returns:

Property | Type | Description
s | AccessControlStorage | The AccessControl storage struct.

getRoleExpiry

Gets the expiry timestamp for a role assignment.

function getRoleExpiry(bytes32 _role, address _account) view returns (uint256);

Parameters:

Property | Type | Description
_role | bytes32 | The role to check.
_account | address | The account to check.

Returns:

Property | Type | Description
- | uint256 | The expiry timestamp, or 0 if no expiry is set.

getStorage

Returns the storage for AccessControlTemporal.

function getStorage() pure returns (AccessControlTemporalStorage storage s);

Returns:

Property | Type | Description
s | AccessControlTemporalStorage | The AccessControlTemporal storage struct.

grantRoleWithExpiry

Grants a role with an expiry timestamp.

function grantRoleWithExpiry(bytes32 _role, address _account, uint256 _expiresAt) returns (bool);

Parameters:

Property | Type | Description
_role | bytes32 | The role to grant.
_account | address | The account to grant the role to.
_expiresAt | uint256 | The timestamp when the role should expire.

Returns:

Property | Type | Description
- | bool | True if the role was granted, false otherwise.

isRoleExpired

Checks whether a role assignment has expired.

function isRoleExpired(bytes32 _role, address _account) view returns (bool);

Parameters:

Property | Type | Description
_role | bytes32 | The role to check.
_account | address | The account to check.

Returns:

Property | Type | Description
- | bool | True if the role has expired or doesn't exist, false if still valid.

requireValidRole

Checks that an account has a valid (non-expired) role.

Notes:
  • Reverts with AccessControlUnauthorizedAccount if the account does not have the role.
  • Reverts with AccessControlRoleExpired if the role has expired.

function requireValidRole(bytes32 _role, address _account) view;

Parameters:

Property | Type | Description
_role | bytes32 | The role to check.
_account | address | The account to check the role for.

revokeTemporalRole

Revokes a temporal role.

function revokeTemporalRole(bytes32 _role, address _account) returns (bool);

Parameters:

Property | Type | Description
_role | bytes32 | The role to revoke.
_account | address | The account to revoke the role from.

Returns:

Property | Type | Description
- | bool | True if the role was revoked, false otherwise.

Events

Errors

Best Practices

Best Practice
  • Call requireValidRole before executing sensitive operations to ensure the caller's role is still active.
  • Use grantRoleWithExpiry to define clear time boundaries for role permissions.
  • Handle the AccessControlRoleExpired and AccessControlUnauthorizedAccount errors that requireValidRole reverts with.

Integration Notes

Shared Storage

This module interacts with diamond storage at ACCESS_CONTROL_STORAGE_POSITION, which is keccak256("compose.accesscontrol"), and uses the AccessControlTemporalStorage struct for role expiries (State Variables also lists TEMPORAL_STORAGE_POSITION, keccak256("compose.accesscontrol.temporal")). All state modifications go through internal functions, so every facet that reads the same storage slot sees the same role and expiry data.
