617 lines
24 KiB
Solidity
617 lines
24 KiB
Solidity
// SPDX-License-Identifier: MIT
|
|
|
|
pragma solidity ^0.8.20;
|
|
|
|
import {IAccessManager} from "./IAccessManager.sol";
|
|
import {IManaged} from "./IManaged.sol";
|
|
import {IAuthority} from "./IAuthority.sol";
|
|
import {AccessManagedAdapter} from "./utils/AccessManagedAdapter.sol";
|
|
import {Address} from "../../utils/Address.sol";
|
|
import {Context} from "../../utils/Context.sol";
|
|
import {Multicall} from "../../utils/Multicall.sol";
|
|
import {Time} from "../../utils/types/Time.sol";
|
|
|
|
/**
|
|
* @dev AccessManager is a central contract to store the permissions of a system.
|
|
*
|
|
* The smart contracts under the control of an AccessManager instance will have a set of "restricted" functions, and the
|
|
* exact details of how access is restricted for each of those functions is configurable by the admins of the instance.
|
|
* These restrictions are expressed in terms of "groups".
|
|
*
|
|
* An AccessManager instance will define a set of groups. Accounts can be added into any number of these groups. Each of
|
|
* them defines a role, and may confer access to some of the restricted functions in the system, as configured by admins
|
|
* through the use of {setFunctionAllowedGroup}.
|
|
*
|
|
* Note that a function in a target contract may become permissioned in this way only when: 1) said contract is
|
|
* {AccessManaged} and is connected to this contract as its manager, and 2) said function is decorated with the
|
|
* `restricted` modifier.
|
|
*
|
|
* There is a special group defined by default named "public" which all accounts automatically have.
|
|
*
|
|
* Contracts where functions are mapped to groups are said to be in a "custom" mode, but contracts can also be
|
|
* configured in two special modes: 1) the "open" mode, where all functions are allowed to the "public" group, and 2)
|
|
* the "closed" mode, where no function is allowed to any group.
|
|
*
|
|
* Since all the permissions of the managed system can be modified by the admins of this instance, it is expected that
|
|
* they will be highly secured (e.g., a multisig or a well-configured DAO).
|
|
*
|
|
* NOTE: This contract implements a form of the {IAuthority} interface, but {canCall} has additional return data so it
|
|
* doesn't inherit `IAuthority`. It is however compatible with the `IAuthority` interface since the first 32 bytes of
|
|
* the return data are a boolean as expected by that interface.
|
|
*/
|
|
contract AccessManager is Context, Multicall, IAccessManager {
|
|
using Time for *;
|
|
|
|
uint256 public constant ADMIN_GROUP = type(uint256).min; // 0
|
|
uint256 public constant PUBLIC_GROUP = type(uint256).max; // 2**256-1
|
|
|
|
mapping(address target => AccessMode mode) private _contractMode;
|
|
mapping(address target => mapping(bytes4 selector => uint256 groupId)) private _allowedGroups;
|
|
mapping(uint256 groupId => Group) private _groups;
|
|
mapping(bytes32 operationId => uint48 schedule) private _schedules;
|
|
|
|
// This should be transcient storage when supported by the EVM.
|
|
bytes32 private _relayIdentifier;
|
|
|
|
/**
|
|
* @dev Check that the caller has a given permission level (`groupId`). Note that this does NOT consider execution
|
|
* delays that may be associated to that group.
|
|
*/
|
|
modifier onlyGroup(uint256 groupId) {
|
|
address msgsender = _msgSender();
|
|
if (!hasGroup(groupId, msgsender)) {
|
|
revert AccessControlUnauthorizedAccount(msgsender, groupId);
|
|
}
|
|
_;
|
|
}
|
|
|
|
constructor(address initialAdmin) {
|
|
// admin is active immediately and without any execution delay.
|
|
_grantGroup(ADMIN_GROUP, initialAdmin, 0, 0);
|
|
}
|
|
|
|
// =================================================== GETTERS ====================================================
|
|
/**
|
|
* @dev Check if an address (`caller`) is authorised to call a given function on a given contract directly (with
|
|
* no restriction). Additionally, it returns the delay needed to perform the call indirectly through the {schedule}
|
|
* & {relay} workflow.
|
|
*
|
|
* This function is usually called by the targeted contract to control immediate execution of restricted functions.
|
|
* Therefore we only return true is the call can be performed without any delay. If the call is subject to a delay,
|
|
* then the function should return false, and the caller should schedule the operation for future execution.
|
|
*
|
|
* We may be able to hash the operation, and check if the call was scheduled, but we would not be able to cleanup
|
|
* the schedule, leaving the possibility of multiple executions. Maybe this function should not be view?
|
|
*
|
|
* NOTE: The IAuthority interface does not include the `uint32` delay. This is an extension of that interface that
|
|
* is backward compatible. Some contract may thus ignore the second return argument. In that case they will fail
|
|
* to identify the indirect workflow, and will consider call that require a delay to be forbidden.
|
|
*/
|
|
function canCall(address caller, address target, bytes4 selector) public view virtual returns (bool, uint32) {
|
|
AccessMode mode = getContractMode(target);
|
|
if (mode == AccessMode.Open) {
|
|
return (true, 0);
|
|
} else if (mode == AccessMode.Closed) {
|
|
return (false, 0);
|
|
} else if (caller == address(this)) {
|
|
// Caller is AccessManager => call was relayed. In that case the relay already checked permissions. We
|
|
// verify that the call "identifier", which is set during the relay call, is correct.
|
|
return (_relayIdentifier == keccak256(abi.encodePacked(target, selector)), 0);
|
|
} else {
|
|
uint256 groupId = getFunctionAllowedGroup(target, selector);
|
|
bool inGroup = hasGroup(groupId, caller);
|
|
uint32 executeDelay = inGroup ? getAccess(groupId, caller).delay.get() : 0;
|
|
return (inGroup && executeDelay == 0, executeDelay);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* @dev Get the mode under which a contract is operating.
|
|
*/
|
|
function getContractMode(address target) public view virtual returns (AccessMode) {
|
|
return _contractMode[target];
|
|
}
|
|
|
|
/**
|
|
* @dev Get the permission level (group) required to call a function. This only applies for contract that are
|
|
* operating under the `Custom` mode.
|
|
*/
|
|
function getFunctionAllowedGroup(address target, bytes4 selector) public view virtual returns (uint256) {
|
|
return _allowedGroups[target][selector];
|
|
}
|
|
|
|
/**
|
|
* @dev Get the id of the group that acts as an admin for given group.
|
|
*
|
|
* The admin permission is required to grant the group, revoke the group and update the execution delay to execute
|
|
* an operation that is restricted to this group.
|
|
*/
|
|
function getGroupAdmin(uint256 groupId) public view virtual returns (uint256) {
|
|
return _groups[groupId].admin;
|
|
}
|
|
|
|
/**
|
|
* @dev Get the group that acts as a guardian for a given group.
|
|
*
|
|
* The guardian permission allows canceling operations that have been scheduled under the group.
|
|
*/
|
|
function getGroupGuardian(uint256 groupId) public view virtual returns (uint256) {
|
|
return _groups[groupId].guardian;
|
|
}
|
|
|
|
/**
|
|
* @dev Get the group current grant delay, that value may change at any point, without an event emitted, following
|
|
* a call to {setGrantDelay}. Changes to this value, including effect timepoint are notified by the
|
|
* {GroupGrantDelayChanged} event.
|
|
*/
|
|
function getGroupGrantDelay(uint256 groupId) public view virtual returns (uint32) {
|
|
return _groups[groupId].delay.get();
|
|
}
|
|
|
|
/**
|
|
* @dev Get the access details for a given account in a given group. These details include the timepoint at which
|
|
* membership becomes active, and the delay applied to all operation by this user that require this permission
|
|
* level.
|
|
*/
|
|
function getAccess(uint256 groupId, address account) public view virtual returns (Access memory) {
|
|
return _groups[groupId].members[account];
|
|
}
|
|
|
|
/**
|
|
* @dev Check if a given account currently had the permission level corresponding to a given group. Note that this
|
|
* permission might be associated with a delay. {getAccess} can provide more details.
|
|
*/
|
|
function hasGroup(uint256 groupId, address account) public view virtual returns (bool) {
|
|
return groupId == PUBLIC_GROUP || getAccess(groupId, account).since.isSetAndPast(Time.timestamp());
|
|
}
|
|
|
|
// =============================================== GROUP MANAGEMENT ===============================================
|
|
/**
|
|
* @dev Give a label to a group, for improved group discoverabily by UIs.
|
|
*
|
|
* Emits a {GroupLabel} event.
|
|
*/
|
|
function labelGroup(uint256 groupId, string calldata label) public virtual onlyGroup(ADMIN_GROUP) {
|
|
emit GroupLabel(groupId, label);
|
|
}
|
|
|
|
/**
|
|
* @dev Give permission to an account to execute function restricted to a group. Optionally, a delay can be
|
|
* enforced for any function call, byt this user, that require this level of permission. This call is only
|
|
* effective after a grant delay that is specific to the group being granted.
|
|
*
|
|
* Requirements:
|
|
*
|
|
* - the caller must be in the group's admins
|
|
*
|
|
* Emits a {GroupGranted} event
|
|
*/
|
|
function grantGroup(
|
|
uint256 groupId,
|
|
address account,
|
|
uint32 executionDelay
|
|
) public virtual onlyGroup(getGroupAdmin(groupId)) {
|
|
_grantGroup(groupId, account, getGroupGrantDelay(groupId), executionDelay);
|
|
}
|
|
|
|
/**
|
|
* @dev Remove an account for a group, with immediate effect.
|
|
*
|
|
* Requirements:
|
|
*
|
|
* - the caller must be in the group's admins
|
|
*
|
|
* Emits a {GroupRevoked} event
|
|
*/
|
|
function revokeGroup(uint256 groupId, address account) public virtual onlyGroup(getGroupAdmin(groupId)) {
|
|
_revokeGroup(groupId, account);
|
|
}
|
|
|
|
/**
|
|
* @dev Renounce group permissions for the calling account, with immediate effect.
|
|
*
|
|
* Requirements:
|
|
*
|
|
* - the caller must be `callerConfirmation`.
|
|
*
|
|
* Emits a {GroupRevoked} event
|
|
*/
|
|
function renounceGroup(uint256 groupId, address callerConfirmation) public virtual {
|
|
if (callerConfirmation != _msgSender()) {
|
|
revert AccessManagerBadConfirmation();
|
|
}
|
|
_revokeGroup(groupId, callerConfirmation);
|
|
}
|
|
|
|
/**
|
|
* @dev Set the execution delay for a given account in a given group. This update is not immediate and follows the
|
|
* delay rules. For example, If a user currently has a delay of 3 hours, and this is called to reduce that delay to
|
|
* 1 hour, the new delay will take some time to take effect, enforcing that any operation executed in the 3 hours
|
|
* that follows this update was indeed scheduled before this update.
|
|
*
|
|
* Requirements:
|
|
*
|
|
* - the caller must be in the group's admins
|
|
*
|
|
* Emits a {GroupExecutionDelayUpdate} event
|
|
*/
|
|
function setExecuteDelay(
|
|
uint256 groupId,
|
|
address account,
|
|
uint32 newDelay
|
|
) public virtual onlyGroup(getGroupAdmin(groupId)) {
|
|
_setExecuteDelay(groupId, account, newDelay);
|
|
}
|
|
|
|
/**
|
|
* @dev Change admin group for a given group.
|
|
*
|
|
* Requirements:
|
|
*
|
|
* - the caller must be a global admin
|
|
*
|
|
* Emits a {GroupAdminChanged} event
|
|
*/
|
|
function setGroupAdmin(uint256 groupId, uint256 admin) public virtual onlyGroup(ADMIN_GROUP) {
|
|
_setGroupAdmin(groupId, admin);
|
|
}
|
|
|
|
/**
|
|
* @dev Change guardian group for a given group.
|
|
*
|
|
* Requirements:
|
|
*
|
|
* - the caller must be a global admin
|
|
*
|
|
* Emits a {GroupGuardianChanged} event
|
|
*/
|
|
function setGroupGuardian(uint256 groupId, uint256 guardian) public virtual onlyGroup(ADMIN_GROUP) {
|
|
_setGroupGuardian(groupId, guardian);
|
|
}
|
|
|
|
/**
|
|
* @dev Update the .
|
|
*
|
|
* Requirements:
|
|
*
|
|
* - the caller must be a global admin
|
|
*
|
|
* Emits a {GroupGrantDelayChanged} event
|
|
*/
|
|
function setGrantDelay(uint256 groupId, uint32 newDelay) public virtual onlyGroup(ADMIN_GROUP) {
|
|
_setGrantDelay(groupId, newDelay);
|
|
}
|
|
|
|
/**
|
|
* @dev Internal version of {grantGroup} without access control.
|
|
*
|
|
* Emits a {GroupGranted} event
|
|
*/
|
|
function _grantGroup(uint256 groupId, address account, uint32 grantDelay, uint32 executionDelay) internal virtual {
|
|
if (groupId == PUBLIC_GROUP) {
|
|
revert AccessManagerLockedGroup(groupId);
|
|
} else if (_groups[groupId].members[account].since != 0) {
|
|
revert AccessManagerAcountAlreadyInGroup(groupId, account);
|
|
}
|
|
|
|
uint48 since = Time.timestamp() + grantDelay;
|
|
_groups[groupId].members[account] = Access({since: since, delay: executionDelay.toDelay()});
|
|
|
|
emit GroupGranted(groupId, account, since, executionDelay);
|
|
}
|
|
|
|
/**
|
|
* @dev Internal version of {revokeGroup} without access control. This logic is also used by {renounceGroup}.
|
|
*
|
|
* Emits a {GroupRevoked} event
|
|
*/
|
|
function _revokeGroup(uint256 groupId, address account) internal virtual {
|
|
if (groupId == PUBLIC_GROUP) {
|
|
revert AccessManagerLockedGroup(groupId);
|
|
} else if (_groups[groupId].members[account].since == 0) {
|
|
revert AccessManagerAcountNotInGroup(groupId, account);
|
|
}
|
|
|
|
delete _groups[groupId].members[account];
|
|
|
|
emit GroupRevoked(groupId, account);
|
|
}
|
|
|
|
/**
|
|
* @dev Internal version of {setExecuteDelay} without access control.
|
|
*
|
|
* Emits a {GroupExecutionDelayUpdate} event
|
|
*/
|
|
function _setExecuteDelay(uint256 groupId, address account, uint32 newDuration) internal virtual {
|
|
if (groupId == PUBLIC_GROUP) {
|
|
revert AccessManagerLockedGroup(groupId);
|
|
} else if (_groups[groupId].members[account].since == 0) {
|
|
revert AccessManagerAcountNotInGroup(groupId, account);
|
|
}
|
|
|
|
Time.Delay newDelay = _groups[groupId].members[account].delay.update(newDuration, 0); // TODO: minsetback ?
|
|
_groups[groupId].members[account].delay = newDelay;
|
|
|
|
(, , uint48 effectPoint) = newDelay.split();
|
|
emit GroupExecutionDelayUpdate(groupId, account, newDuration, effectPoint);
|
|
}
|
|
|
|
/**
|
|
* @dev Internal version of {setGroupAdmin} without access control.
|
|
*
|
|
* Emits a {GroupAdminChanged} event
|
|
*/
|
|
function _setGroupAdmin(uint256 groupId, uint256 admin) internal virtual {
|
|
if (groupId == ADMIN_GROUP || groupId == PUBLIC_GROUP) {
|
|
revert AccessManagerLockedGroup(groupId);
|
|
}
|
|
|
|
_groups[groupId].admin = admin;
|
|
|
|
emit GroupAdminChanged(groupId, admin);
|
|
}
|
|
|
|
/**
|
|
* @dev Internal version of {setGroupGuardian} without access control.
|
|
*
|
|
* Emits a {GroupGuardianChanged} event
|
|
*/
|
|
function _setGroupGuardian(uint256 groupId, uint256 guardian) internal virtual {
|
|
if (groupId == ADMIN_GROUP || groupId == PUBLIC_GROUP) {
|
|
revert AccessManagerLockedGroup(groupId);
|
|
}
|
|
|
|
_groups[groupId].guardian = guardian;
|
|
|
|
emit GroupGuardianChanged(groupId, guardian);
|
|
}
|
|
|
|
/**
|
|
* @dev Internal version of {setGrantDelay} without access control.
|
|
*
|
|
* Emits a {GroupGrantDelayChanged} event
|
|
*/
|
|
function _setGrantDelay(uint256 groupId, uint32 newDelay) internal virtual {
|
|
if (groupId == PUBLIC_GROUP) {
|
|
revert AccessManagerLockedGroup(groupId);
|
|
}
|
|
|
|
Time.Delay updated = _groups[groupId].delay.update(newDelay, 0); // TODO: minsetback ?
|
|
_groups[groupId].delay = updated;
|
|
|
|
(, , uint48 effect) = updated.split();
|
|
emit GroupGrantDelayChanged(groupId, newDelay, effect);
|
|
}
|
|
|
|
// ============================================= FUNCTION MANAGEMENT ==============================================
|
|
/**
|
|
* @dev Set the level of permission (`group`) required to call functions identified by the `selectors` in the
|
|
* `target` contract.
|
|
*
|
|
* Requirements:
|
|
*
|
|
* - the caller must be a global admin
|
|
*
|
|
* Emits a {FunctionAllowedGroupUpdated} event per selector
|
|
*/
|
|
function setFunctionAllowedGroup(
|
|
address target,
|
|
bytes4[] calldata selectors,
|
|
uint256 groupId
|
|
) public virtual onlyGroup(ADMIN_GROUP) {
|
|
// todo set delay or document risks
|
|
for (uint256 i = 0; i < selectors.length; ++i) {
|
|
_setFunctionAllowedGroup(target, selectors[i], groupId);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* @dev Internal version of {setFunctionAllowedGroup} without access control.
|
|
*
|
|
* Emits a {FunctionAllowedGroupUpdated} event
|
|
*/
|
|
function _setFunctionAllowedGroup(address target, bytes4 selector, uint256 groupId) internal virtual {
|
|
_allowedGroups[target][selector] = groupId;
|
|
emit FunctionAllowedGroupUpdated(target, selector, groupId);
|
|
}
|
|
|
|
// =============================================== MODE MANAGEMENT ================================================
|
|
/**
|
|
* @dev Set the operating mode of a contract to Custom. This enables the group mechanism for per-function access
|
|
* restriction and delay enforcement.
|
|
*
|
|
* Requirements:
|
|
*
|
|
* - the caller must be a global admin
|
|
*
|
|
* Emits a {AccessModeUpdated} event.
|
|
*/
|
|
function setContractModeCustom(address target) public virtual onlyGroup(ADMIN_GROUP) {
|
|
// todo set delay or document risks
|
|
_setContractMode(target, AccessMode.Custom);
|
|
}
|
|
|
|
/**
|
|
* @dev Set the operating mode of a contract to Open. This allows anyone to call any `restricted()` function with
|
|
* no delay.
|
|
*
|
|
* Requirements:
|
|
*
|
|
* - the caller must be a global admin
|
|
*
|
|
* Emits a {AccessModeUpdated} event.
|
|
*/
|
|
function setContractModeOpen(address target) public virtual onlyGroup(ADMIN_GROUP) {
|
|
// todo set delay or document risks
|
|
_setContractMode(target, AccessMode.Open);
|
|
}
|
|
|
|
/**
|
|
* @dev Set the operating mode of a contract to Close. This prevents anyone from calling any `restricted()`
|
|
* function.
|
|
*
|
|
* Requirements:
|
|
*
|
|
* - the caller must be a global admin
|
|
*
|
|
* Emits a {AccessModeUpdated} event.
|
|
*/
|
|
function setContractModeClosed(address target) public virtual onlyGroup(ADMIN_GROUP) {
|
|
// todo set delay or document risks
|
|
_setContractMode(target, AccessMode.Closed);
|
|
}
|
|
|
|
/**
|
|
* @dev Set the operating mode of a contract. This is an internal setter with no access restrictions.
|
|
*
|
|
* Emits a {AccessModeUpdated} event.
|
|
*/
|
|
function _setContractMode(address target, AccessMode mode) internal virtual {
|
|
_contractMode[target] = mode;
|
|
emit AccessModeUpdated(target, mode);
|
|
}
|
|
|
|
// ============================================== DELAYED OPERATIONS ==============================================
|
|
/**
|
|
* @dev Return the timepoint at which a scheduled operation will be ready for execution. This returns 0 if the
|
|
* operation is not yet scheduled, was executed or was canceled.
|
|
*/
|
|
function getSchedule(bytes32 id) public view virtual returns (uint48) {
|
|
return _schedules[id];
|
|
}
|
|
|
|
/**
|
|
* @dev Schedule a delayed operation, and return the operation identifier.
|
|
*
|
|
* Emits a {Scheduled} event.
|
|
*/
|
|
function schedule(address target, bytes calldata data) public virtual returns (bytes32) {
|
|
address caller = _msgSender();
|
|
bytes4 selector = bytes4(data[0:4]);
|
|
|
|
// Fetch restriction to that apply to the caller on the targeted function
|
|
(bool allowed, uint32 setback) = canCall(caller, target, selector);
|
|
|
|
// If caller is not authorised, revert
|
|
if (!allowed && setback == 0) {
|
|
revert AccessManagerUnauthorizedCall(caller, target, selector);
|
|
}
|
|
|
|
// If caller is authorised, schedule operation
|
|
bytes32 operationId = _hashOperation(caller, target, data);
|
|
if (_schedules[operationId] != 0) {
|
|
revert AccessManagerAlreadyScheduled(operationId);
|
|
}
|
|
_schedules[operationId] = Time.timestamp() + setback;
|
|
|
|
emit Scheduled(operationId, caller, target, data);
|
|
return operationId;
|
|
}
|
|
|
|
/**
|
|
* @dev Execute a function that is delay restricted, provided it was properly scheduled beforehand, or the
|
|
* execution delay is 0.
|
|
*
|
|
* Emits a {Executed} event if the call was scheduled. Unscheduled call (with no delay) do not emit that event.
|
|
*/
|
|
function relay(address target, bytes calldata data) public payable virtual {
|
|
relayViaAdapter(target, data, address(0));
|
|
}
|
|
|
|
/**
|
|
* @dev Execute a function that is delay restricted in the same way as {relay} but through an
|
|
* {AccessManagedAdapter}.
|
|
*/
|
|
function relayViaAdapter(address target, bytes calldata data, address adapter) public payable virtual {
|
|
address caller = _msgSender();
|
|
bytes4 selector = bytes4(data[0:4]);
|
|
|
|
// Fetch restriction to that apply to the caller on the targeted function
|
|
(bool allowed, uint32 setback) = canCall(caller, target, selector);
|
|
|
|
// If caller is not authorised, revert
|
|
if (!allowed && setback == 0) {
|
|
revert AccessManagerUnauthorizedCall(caller, target, selector);
|
|
}
|
|
|
|
// If caller is authorised, check operation was scheduled early enough
|
|
bytes32 operationId = _hashOperation(caller, target, data);
|
|
uint48 timepoint = _schedules[operationId];
|
|
if (setback != 0) {
|
|
if (timepoint == 0) {
|
|
revert AccessManagerNotScheduled(operationId);
|
|
} else if (timepoint > Time.timestamp()) {
|
|
revert AccessManagerNotReady(operationId);
|
|
}
|
|
}
|
|
if (timepoint != 0) {
|
|
delete _schedules[operationId];
|
|
emit Executed(operationId);
|
|
}
|
|
|
|
// Mark the target and selector as authorised
|
|
bytes32 relayIdentifierBefore = _relayIdentifier;
|
|
_relayIdentifier = keccak256(abi.encodePacked(target, selector));
|
|
|
|
if (adapter != address(0)) {
|
|
// Perform call through adapter
|
|
AccessManagedAdapter(adapter).relay{value: msg.value}(target, data);
|
|
} else {
|
|
// Perform call directly
|
|
Address.functionCallWithValue(target, data, msg.value);
|
|
}
|
|
|
|
// Reset relay identifier
|
|
_relayIdentifier = relayIdentifierBefore;
|
|
}
|
|
|
|
/**
|
|
* @dev Cancel a scheduled (delayed) operation.
|
|
*
|
|
* Requirements:
|
|
*
|
|
* - the caller must be the proposer, or a guardian of the targeted function
|
|
*
|
|
* Emits a {Canceled} event.
|
|
*/
|
|
function cancel(address caller, address target, bytes calldata data) public virtual {
|
|
address msgsender = _msgSender();
|
|
bytes4 selector = bytes4(data[0:4]);
|
|
|
|
bytes32 operationId = _hashOperation(caller, target, data);
|
|
if (_schedules[operationId] == 0) {
|
|
revert AccessManagerNotScheduled(operationId);
|
|
} else if (
|
|
caller != msgsender &&
|
|
!hasGroup(ADMIN_GROUP, msgsender) &&
|
|
!hasGroup(getGroupGuardian(getFunctionAllowedGroup(target, selector)), msgsender)
|
|
) {
|
|
// calls can only be canceled by the account that scheduled them, a global admin, or by a guardian of the required group.
|
|
revert AccessManagerCannotCancel(msgsender, caller, target, selector);
|
|
}
|
|
|
|
delete _schedules[operationId];
|
|
emit Canceled(operationId);
|
|
}
|
|
|
|
/**
|
|
* @dev Hashing function for delayed operations
|
|
*/
|
|
function _hashOperation(address caller, address target, bytes calldata data) private pure returns (bytes32) {
|
|
return keccak256(abi.encode(caller, target, data));
|
|
}
|
|
|
|
// ==================================================== OTHERS ====================================================
|
|
/**
|
|
* @dev Change the AccessManager instance used by a contract that correctly uses this instance.
|
|
*
|
|
* Requirements:
|
|
*
|
|
* - the caller must be a global admin
|
|
*/
|
|
function updateAuthority(IManaged target, address newAuthority) public virtual onlyGroup(ADMIN_GROUP) {
|
|
// todo set delay or document risks
|
|
target.setAuthority(newAuthority);
|
|
}
|
|
}
|