feat: Add RBAC permissions API support (#337)

csrbarber · claude · gjtorikian · web-flow · commit dd7dca27d244 · 2026-03-06T16:40:01.000-05:00
Co-authored-by: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
Co-authored-by: Garen J. Torikian &lt;gjtorikian@users.noreply.github.com&gt;
diff --git a/lib/Client.php b/lib/Client.php
@@ -13,6 +13,7 @@ class Client
     public const METHOD_POST = "post";
     public const METHOD_DELETE = "delete";
     public const METHOD_PUT = "put";
+    public const METHOD_PATCH = "patch";
 
     private static $_requestClient;
 
diff --git a/lib/RBAC.php b/lib/RBAC.php
@@ -0,0 +1,151 @@
+<?php
+
+namespace WorkOS;
+
+class RBAC
+{
+    public const DEFAULT_PAGE_SIZE = 10;
+
+    /**
+     * Create a Permission.
+     *
+     * @param string $slug The slug of the Permission
+     * @param string $name The name of the Permission
+     * @param null|string $description The description of the Permission
+     * @param null|string $resourceTypeSlug The resource type slug of the Permission
+     *
+     * @throws Exception\WorkOSException
+     *
+     * @return Resource\Permission
+     */
+    public function createPermission(
+        string $slug,
+        string $name,
+        ?string $description = null,
+        ?string $resourceTypeSlug = null
+    ) {
+        $path = "authorization/permissions";
+
+        $params = [
+            "slug" => $slug,
+            "name" => $name,
+        ];
+
+        if (isset($description)) {
+            $params["description"] = $description;
+        }
+        if (isset($resourceTypeSlug)) {
+            $params["resource_type_slug"] = $resourceTypeSlug;
+        }
+
+        $response = Client::request(Client::METHOD_POST, $path, null, $params, true);
+
+        return Resource\Permission::constructFromResponse($response);
+    }
+
+    /**
+     * List Permissions.
+     *
+     * @param int $limit Maximum number of records to return
+     * @param null|string $before Permission ID to look before
+     * @param null|string $after Permission ID to look after
+     * @param null|string $order The order in which to paginate records
+     *
+     * @throws Exception\WorkOSException
+     *
+     * @return array{?string, ?string, Resource\Permission[]}
+     */
+    public function listPermissions(
+        int $limit = self::DEFAULT_PAGE_SIZE,
+        ?string $before = null,
+        ?string $after = null,
+        ?string $order = null
+    ) {
+        $path = "authorization/permissions";
+
+        $params = [
+            "limit" => $limit,
+            "before" => $before,
+            "after" => $after,
+            "order" => $order,
+        ];
+
+        $response = Client::request(Client::METHOD_GET, $path, null, $params, true);
+
+        $permissions = [];
+        list($before, $after) = Util\Request::parsePaginationArgs($response);
+        foreach ($response["data"] as $responseData) {
+            \array_push($permissions, Resource\Permission::constructFromResponse($responseData));
+        }
+
+        return [$before, $after, $permissions];
+    }
+
+    /**
+     * Get a Permission.
+     *
+     * @param string $slug The slug of the Permission
+     *
+     * @throws Exception\WorkOSException
+     *
+     * @return Resource\Permission
+     */
+    public function getPermission(string $slug)
+    {
+        $path = "authorization/permissions/{$slug}";
+
+        $response = Client::request(Client::METHOD_GET, $path, null, null, true);
+
+        return Resource\Permission::constructFromResponse($response);
+    }
+
+    /**
+     * Update a Permission.
+     *
+     * @param string $slug The slug of the Permission to update
+     * @param null|string $name The updated name of the Permission
+     * @param null|string $description The updated description of the Permission
+     *
+     * @throws Exception\WorkOSException
+     *
+     * @return Resource\Permission
+     */
+    public function updatePermission(
+        string $slug,
+        ?string $name = null,
+        ?string $description = null
+    ) {
+        $path = "authorization/permissions/{$slug}";
+
+        $params = [];
+
+        if (isset($name)) {
+            $params["name"] = $name;
+        }
+        if (isset($description)) {
+            $params["description"] = $description;
+        }
+
+        $response = Client::request(Client::METHOD_PATCH, $path, null, $params, true);
+
+        return Resource\Permission::constructFromResponse($response);
+    }
+
+    /**
+     * Delete a Permission.
+     *
+     * @param string $slug The slug of the Permission to delete
+     *
+     * @throws Exception\WorkOSException
+     *
+     * @return array
+     */
+    public function deletePermission(string $slug)
+    {
+        $path = "authorization/permissions/{$slug}";
+
+        $response = Client::request(Client::METHOD_DELETE, $path, null, null, true);
+
+        return $response;
+    }
+}
diff --git a/lib/RequestClient/CurlRequestClient.php b/lib/RequestClient/CurlRequestClient.php
@@ -71,6 +71,15 @@ public function request($method, $url, ?array $headers = null, ?array $params =
                 }
 
                 break;
+
+            case Client::METHOD_PATCH:
+                \array_push($headers, "Content-Type: application/json");
+                $opts[\CURLOPT_CUSTOMREQUEST] = 'PATCH';
+                $opts[\CURLOPT_POST] = 1;
+                if (!empty($params)) {
+                    $opts[\CURLOPT_POSTFIELDS] = \json_encode($params);
+                }
+                break;
         }
 
         $opts[\CURLOPT_HTTPHEADER] = $headers;
diff --git a/lib/Resource/Permission.php b/lib/Resource/Permission.php
@@ -0,0 +1,43 @@
+<?php
+
+namespace WorkOS\Resource;
+
+/**
+ * Class Permission.
+ *
+ * @property string $id
+ * @property string $slug
+ * @property string $name
+ * @property string $description
+ * @property string $resource_type_slug
+ * @property bool $system
+ * @property string $created_at
+ * @property string $updated_at
+ */
+
+class Permission extends BaseWorkOSResource
+{
+    public const RESOURCE_TYPE = "permission";
+
+    public const RESOURCE_ATTRIBUTES = [
+        "id",
+        "slug",
+        "name",
+        "description",
+        "resource_type_slug",
+        "system",
+        "created_at",
+        "updated_at"
+    ];
+
+    public const RESPONSE_TO_RESOURCE_KEY = [
+        "id" => "id",
+        "slug" => "slug",
+        "name" => "name",
+        "description" => "description",
+        "resource_type_slug" => "resource_type_slug",
+        "system" => "system",
+        "created_at" => "created_at",
+        "updated_at" => "updated_at"
+    ];
+}
diff --git a/tests/WorkOS/RBACTest.php b/tests/WorkOS/RBACTest.php

Original file line number	Diff line number	Diff line change
`@@ -71,6 +71,15 @@ public function request($method, $url, ?array $headers = null, ?array $params =`
`71`	`71`	`}`
`72`	`72`
`73`	`73`	`break;`
	`74`	`+`
	`75`	`+ case Client::METHOD_PATCH:`
	`76`	`+ \array_push($headers, "Content-Type: application/json");`
	`77`	`+ $opts[\CURLOPT_CUSTOMREQUEST] = 'PATCH';`
	`78`	`+ $opts[\CURLOPT_POST] = 1;`
	`79`	`+ if (!empty($params)) {`
	`80`	`+ $opts[\CURLOPT_POSTFIELDS] = \json_encode($params);`
	`81`	`+ }`
	`82`	`+ break;`
`74`	`83`	`}`
`75`	`84`
`76`	`85`	`$opts[\CURLOPT_HTTPHEADER] = $headers;`