How to deny permissions to everyone except the owner?

The project accesses are controlled by rbac, behaver. There is a payment information page where you can download a contract. Also uploaded the contract then you can download. The problem is that the download link has a type site/attachments/file/download?id=43. Use widget nemmo/yii2-attachments. The table with the files that have fields itemId (the model to which the file is loaded) and iserId - actually, downloaded the contract user. So, how behavure or anywhere else you can register the condition for the possibility of downloading the contract only for the owner? Something like File->userId !== Yii::$app->user->identity->getId(), but how it correctly to register?
March 19th 20 at 08:59
1 answer
March 19th 20 at 09:01
are controlled by rbac, bicavera

specific? Where is the link to that behavior or the code?

how it correctly to register?

Your no one knows the behaviour - only a fortune teller can help.
But out of the box for this is the rules:
https://www.yiiframework.com/doc/guide/2.0/ru/secu...
http://yii.internetsite.com.ua/blog/rbac#использов...

Find more questions by tags Yii