Web3Novalabs
diff --git a/‎contract/contracts/predifi-contract/Cargo.toml‎
Lines changed: 1 addition & 0 deletions b/‎contract/contracts/predifi-contract/Cargo.toml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎contract/contracts/predifi-contract/src/lib.rs‎
Lines changed: 92 additions & 5 deletions b/‎contract/contracts/predifi-contract/src/lib.rs‎
Lines changed: 92 additions & 5 deletions
@@ -10,6 +10,7 @@ crate-type = ["cdylib", "lib"]
 [dependencies]
 soroban-sdk = { workspace = true }
 predifi-errors = { workspace = true }
+access-control = { path = "../access-control" }
 
 [dev-dependencies]
 soroban-sdk = { workspace = true, features = ["testutils"] }
@@ -1,4 +1,5 @@
 #![no_std]
+use access_control::Role;
 use predifi_errors::PrediFiError;
 use soroban_sdk::{contract, contractevent, contractimpl, contracttype, token, Address, Env};
 
@@ -70,6 +71,7 @@ pub enum DataKey {
     FeeBps,                            // Fee in basis points (1/100 of a percent)
     Treasury,                          // Protocol treasury address
     CollectedFees(u64),                // PoolId -> Collected fee amount
+    AccessControlAddress,              // Access control contract address
 }
 
 #[contracttype]
@@ -84,6 +86,49 @@ pub struct PredifiContract;
 
 #[contractimpl]
 impl PredifiContract {
+    /// Get the access control contract address
+    ///
+    /// # Returns
+    /// The address of the access control contract
+    ///
+    /// # Errors
+    /// * `NotInitialized` - If access control contract is not set
+    fn get_access_control_address(env: &Env) -> Result<Address, PrediFiError> {
+        env.storage()
+            .instance()
+            .get(&DataKey::AccessControlAddress)
+            .ok_or(PrediFiError::NotInitialized)
+    }
+
+    /// Get the access control client
+    ///
+    /// # Returns
+    /// The AccessControlClient instance
+    fn get_access_control_client(env: &Env) -> access_control::AccessControlClient<'_> {
+        let access_control_addr = Self::get_access_control_address(env).unwrap();
+        access_control::AccessControlClient::new(env, &access_control_addr)
+    }
+
+    /// Set the access control contract address (only callable once)
+    ///
+    /// # Arguments
+    /// * `access_control_address` - The address of the access control contract
+    ///
+    /// # Errors
+    /// * `AlreadyInitialized` - If access control contract is already set
+    pub fn set_access_control(
+        env: Env,
+        access_control_address: Address,
+    ) -> Result<(), PrediFiError> {
+        if env.storage().instance().has(&DataKey::AccessControlAddress) {
+            return Err(PrediFiError::AlreadyInitialized);
+        }
+        env.storage()
+            .instance()
+            .set(&DataKey::AccessControlAddress, &access_control_address);
+        Ok(())
+    }
+
     /// Initialize the contract.
     ///
     /// Sets up the initial pool ID counter, fee basis points, and treasury address.
@@ -107,14 +152,24 @@ impl PredifiContract {
     /// Set the protocol fee in basis points.
     ///
     /// # Arguments
+    /// * `caller` - The address calling the function
     /// * `fee_bps` - Fee in basis points (e.g., 100 = 1%)
-    pub fn set_fee_bps(env: Env, fee_bps: u32) {
-        // TODO: Add access control to restrict who can call this
+    ///
+    /// # Errors
+    /// * `InsufficientPermissions` - If caller doesn't have Admin role
+    pub fn set_fee_bps(env: Env, caller: Address, fee_bps: u32) -> Result<(), PrediFiError> {
+        // Check if caller has Admin role
+        let access_control_client = Self::get_access_control_client(&env);
+        if !access_control_client.has_role(&caller, &Role::Admin) {
+            return Err(PrediFiError::InsufficientPermissions);
+        }
+
         env.storage().instance().set(&DataKey::FeeBps, &fee_bps);
         SetFeeBpsEvent {
             new_fee_bps: fee_bps,
         }
         .publish(&env);
+        Ok(())
     }
 
     /// Get the current protocol fee in basis points.
@@ -128,14 +183,24 @@ impl PredifiContract {
     /// Set the treasury address.
     ///
     /// # Arguments
+    /// * `caller` - The address calling the function
     /// * `treasury` - New treasury address
-    pub fn set_treasury(env: Env, treasury: Address) {
-        // TODO: Add access control to restrict who can call this
+    ///
+    /// # Errors
+    /// * `InsufficientPermissions` - If caller doesn't have Admin role
+    pub fn set_treasury(env: Env, caller: Address, treasury: Address) -> Result<(), PrediFiError> {
+        // Check if caller has Admin role
+        let access_control_client = Self::get_access_control_client(&env);
+        if !access_control_client.has_role(&caller, &Role::Admin) {
+            return Err(PrediFiError::InsufficientPermissions);
+        }
+
         env.storage().instance().set(&DataKey::Treasury, &treasury);
         SetTreasuryEvent {
             new_treasury: treasury.clone(),
         }
         .publish(&env);
+        Ok(())
     }
 
     /// Get the treasury address.
@@ -221,6 +286,7 @@ impl PredifiContract {
     /// Resolve a prediction pool with the final outcome.
     ///
     /// # Arguments
+    /// * `caller` - The address calling the function
     /// * `pool_id` - ID of the pool to resolve
     /// * `outcome` - The winning outcome number
     ///
@@ -229,7 +295,19 @@ impl PredifiContract {
     /// * `PoolAlreadyResolved` - If the pool has already been resolved
     /// * `PoolNotExpired` - If the pool end time hasn't been reached
     /// * `ResolutionWindowExpired` - If the resolution window has passed
-    pub fn resolve_pool(env: Env, pool_id: u64, outcome: u32) -> Result<(), PrediFiError> {
+    /// * `InsufficientPermissions` - If caller doesn't have Oracle role
+    pub fn resolve_pool(
+        env: Env,
+        caller: Address,
+        pool_id: u64,
+        outcome: u32,
+    ) -> Result<(), PrediFiError> {
+        // Check if caller has Oracle role
+        let access_control_client = Self::get_access_control_client(&env);
+        if !access_control_client.has_role(&caller, &Role::Oracle) {
+            return Err(PrediFiError::InsufficientPermissions);
+        }
+
         let mut pool: Pool = env
             .storage()
             .instance()
@@ -278,6 +356,7 @@ impl PredifiContract {
     /// Place a prediction on a pool.
     ///
     /// # Arguments
+    /// * `caller` - The address calling the function (should match user)
     /// * `user` - Address of the user placing the prediction
     /// * `pool_id` - ID of the pool
     /// * `amount` - Amount to stake (must be positive)
@@ -289,13 +368,21 @@ impl PredifiContract {
     /// * `PredictionTooLate` - If pool has already ended
     /// * `PoolAlreadyResolved` - If pool is already resolved
     /// * `PredictionAlreadyExists` - If user already has a prediction on this pool
+    /// * `InsufficientPermissions` - If caller doesn't have User role or doesn't match user
     pub fn place_prediction(
         env: Env,
+        caller: Address,
         user: Address,
         pool_id: u64,
         amount: i128,
         outcome: u32,
     ) -> Result<(), PrediFiError> {
+        // Check if caller has User role and matches the user address
+        let access_control_client = Self::get_access_control_client(&env);
+        if !access_control_client.has_role(&caller, &Role::User) || caller != user {
+            return Err(PrediFiError::InsufficientPermissions);
+        }
+
         user.require_auth();
 
         // Validate amount