fix: Pausing & Unpausing Have The Same Role

Author: oed

src/token/Hoku.sol

@@ -31,6 +31,7 @@ contract Hoku is
     bytes32 internal _itsSalt;
 
     bytes32 public constant ADMIN_ROLE = keccak256("ADMIN_ROLE"); // solhint-disable-line var-name-mixedcase
+    bytes32 public constant PAUSER_ROLE = keccak256("PAUSER_ROLE"); // solhint-disable-line var-name-mixedcase
     bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE"); // solhint-disable-line var-name-mixedcase
 
     /// @custom:oz-upgrades-unsafe-allow constructor
@@ -55,7 +56,9 @@ contract Hoku is
 
         _grantRole(ADMIN_ROLE, msg.sender);
         _grantRole(MINTER_ROLE, msg.sender);
+        _grantRole(PAUSER_ROLE, msg.sender);
         _setRoleAdmin(MINTER_ROLE, ADMIN_ROLE);
+        _setRoleAdmin(PAUSER_ROLE, ADMIN_ROLE);
         _setRoleAdmin(ADMIN_ROLE, ADMIN_ROLE);
     }
 
@@ -67,7 +70,7 @@ contract Hoku is
     }
 
     /// @dev Pauses all token transfers
-    function pause() external onlyRole(ADMIN_ROLE) {
+    function pause() external onlyRole(PAUSER_ROLE) {
         _pause();
     }
 

test/Hoku.t.sol

@@ -156,4 +156,67 @@ contract HokuTest is Test {
         vm.prank(user);
         token.transfer(address(0x456), 100);
     }
+
+    function testPauserRolePermissions() public {
+        address pauser = address(0x789);
+        bytes32 pauserRole = token.PAUSER_ROLE();
+        bytes32 adminRole = token.ADMIN_ROLE();
+
+        // Grant PAUSER_ROLE to new address
+        vm.prank(TESTER);
+        token.grantRole(pauserRole, pauser);
+
+        // Pauser can pause
+        vm.prank(pauser);
+        token.pause();
+        assertTrue(token.paused());
+
+        // Pauser cannot unpause (only ADMIN can)
+        vm.prank(pauser);
+        vm.expectRevert(
+            abi.encodeWithSignature("AccessControlUnauthorizedAccount(address,bytes32)",
+                pauser,
+                adminRole
+            )
+        );
+        token.unpause();
+
+        // Random address cannot pause
+        vm.prank(user);
+        vm.expectRevert(
+            abi.encodeWithSignature("AccessControlUnauthorizedAccount(address,bytes32)",
+                user,
+                pauserRole
+            )
+        );
+        token.pause();
+
+        // Admin can unpause
+        vm.prank(TESTER);
+        token.unpause();
+        assertFalse(token.paused());
+    }
+
+    function testRemoveAdminPauserRole() public {
+        bytes32 pauserRole = token.PAUSER_ROLE();
+
+        // Initially admin can pause
+        vm.prank(TESTER);
+        token.pause();
+        assertTrue(token.paused());
+
+        // Remove PAUSER_ROLE from admin
+        vm.prank(TESTER);
+        token.revokeRole(pauserRole, TESTER);
+
+        // Admin can no longer pause after role removal
+        vm.prank(TESTER);
+        vm.expectRevert(
+            abi.encodeWithSignature("AccessControlUnauthorizedAccount(address,bytes32)",
+                TESTER,
+                pauserRole
+            )
+        );
+        token.pause();
+    }
 }