The befit to the _form.php is that it can be used multiple places (controller>actionCreate / controller > actionUpdate) without writing the form code twice.
Since in the case above is for the same model information the fields would be the same making the update and create form the same.
Sometimes this is not useful but overall it reduces the programming load on the programmers which is useful.
This also has nothing to do with Pjax. Pjax is for use with ajax and updating information client side vs php server-side
Pjax Docs
Also, the example has nothing to do with access control, In Yii and Yii2 (as well as in general) this is controlled by some sort of RBAC (module, extension, plugin, ext, or built in feature in most frameworks (Yii included)). In Yii and Yii2 you would do this in the controller under the access section
public function behaviors() {
return [
'access' => [
'class' => AccessControl::className(),
'only' => ['logout', 'signup'],
'rules' => [
[
'actions' => ['signup'],
'allow' => true,
'roles' => ['?'],
],
[
'actions' => ['logout'],
'allow' => true,
'roles' => ['@'],
],
],
],
'verbs' => [
'class' => VerbFilter::className(),
'actions' => [
'logout' => ['post'],
],
],
];
}
Yii2 RBAC Wiki
I did not read this but you can use the wiki area, forums, docs and stack overflow for good Yii and Yii2 info.
This would be the best place to start with Yii2
