From 37ad8823987cc837027b4c81fe6abb3b91d07e04 Mon Sep 17 00:00:00 2001 From: 0xisk <0xisk@proton.me> Date: Thu, 9 Apr 2026 16:16:49 +0200 Subject: [PATCH] fix: l-04 misleading documentations regarding default admin role --- contracts/src/access/AccessControl.compact | 17 ++++++++++++----- .../access/test/mocks/MockAccessControl.compact | 6 +++++- 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/contracts/src/access/AccessControl.compact b/contracts/src/access/AccessControl.compact index 021d2e43..4f72c7d3 100644 --- a/contracts/src/access/AccessControl.compact +++ b/contracts/src/access/AccessControl.compact @@ -37,11 +37,10 @@ pragma language_version >= 0.21.0; * {revokeRole} circuits. Each role has an associated admin role, and only * accounts that have a role's admin role can call {grantRole} and {revokeRole}. * - * By default, the admin role for all roles is `DEFAULT_ADMIN_ROLE`, which means + * By default, the admin role for all roles is `DEFAULT_ADMIN_ROLE` (zero bytes), which means * that only accounts with this role will be able to grant or revoke other * roles. More complex role relationships can be created by using - * {_setRoleAdmin}. To set a custom `DEFAULT_ADMIN_ROLE`, implement the `Initializable` - * module and set `DEFAULT_ADMIN_ROLE` in the `initialize()` circuit. + * {_setRoleAdmin}. * * WARNING: The `DEFAULT_ADMIN_ROLE` is also its own admin: it has permission to * grant and revoke this role. Extra precautions should be taken to secure @@ -93,7 +92,15 @@ module AccessControl {  */ export ledger _adminRoles: Map, Bytes<32>>; - export ledger DEFAULT_ADMIN_ROLE: Bytes<32>; + /** + * @description The default admin role for all roles. Only accounts with this role will be able + * to grant or revoke other roles unless custom admin roles are created via {_setRoleAdmin}. + * + * @return {Bytes<32>} - The default admin role identifier (zero bytes). + */ + export pure circuit DEFAULT_ADMIN_ROLE(): Bytes<32> { + return default>; + } /** * @description Returns `true` if `account` has been granted `roleId`. @@ -167,7 +174,7 @@ module AccessControl { if (_adminRoles.member(disclose(roleId))) { return _adminRoles.lookup(disclose(roleId)); } - return default>; + return DEFAULT_ADMIN_ROLE(); } /** diff --git a/contracts/src/access/test/mocks/MockAccessControl.compact b/contracts/src/access/test/mocks/MockAccessControl.compact index 273121cc..b16313ea 100644 --- a/contracts/src/access/test/mocks/MockAccessControl.compact +++ b/contracts/src/access/test/mocks/MockAccessControl.compact @@ -6,7 +6,11 @@ import CompactStandardLibrary; import "../../AccessControl" prefix AccessControl_; -export { ZswapCoinPublicKey, ContractAddress, Either, Maybe, AccessControl_DEFAULT_ADMIN_ROLE }; +export { ZswapCoinPublicKey, ContractAddress, Either, Maybe }; + +export pure circuit DEFAULT_ADMIN_ROLE(): Bytes<32> { + return AccessControl_DEFAULT_ADMIN_ROLE(); +} export circuit hasRole(roleId: Bytes<32>, account: Either): Boolean { return AccessControl_hasRole(roleId, account);