The project accesses are controlled by rbac, behaver. There is a payment information page where you can download a contract. Also uploaded the contract then you can download. The problem is that the download link has a type site/attachments/file/download?id=43.
Use widget nemmo/yii2-attachments. The table with the files that have fields itemId (the model to which the file is loaded) and iserId - actually, downloaded the contract user. So, how behavure or anywhere else you can register the condition for the possibility of downloading the contract only for the owner? Something like File->userId !== Yii::$app->user->identity->getId()
, but how it correctly to register?