RBAC Design for List Views

I created the following RBAC design to view files:


Screen Shot 2017-08-09 at 18.07.33.png

It is designed to check the access for a single file with the action file/view?id=1 and works as follows:


* Administrator -> Allowed to view all files
* Manager -> Allowed to view files of the same application which are not system files
* Limited -> Allowed to view my own files which are not system files


I then started to create a filtered file list view with the action: file/index. Unfortunately, I don’t have a parameter to pass on to the rules, since I’m showing a list of them. I was thinking of implementing it as follows, but the rules obviously return false, since they have no file to check.

if ($user->can(Permissions::FILE_VIEW_NOSYSTEM)) {
    $query->andWhere(['!=', 'typeV', '-1']);
}

if ($user->can(Permissions::FILE_VIEW_OWN)) {
    $query->andWhere(['uploaded_by' => $user->id]);
}

The only design I was able to come up with is to add a whole new set of permissions without rules for the list view. But it doesn't seem right to me:


Screen Shot 2017-08-09 at 18.35.01.png

Does someone have an idea for a better RBAC design, which also works with lists?

I was approaching this the wrong way and was overthinking things. Side effect of two weeks' vacation ;) I updated my RBAC design to a simpler one:


Screen Shot 2017-08-10 at 13.47.25.png

I removed the rules FileSameAppRule and FileNotSystemRule, but instead am using a custom File::findVisible:


/**
 * Files the current user may see in the current application,
 * filtered by the same permissions the single-file view uses.
 *
 * @return \yii\db\ActiveQuery
 */
public static function findVisible()
{
    // only files of applications the user is mapped to
    $query = self::find()
        ->from('tbl_files f')
        ->innerJoin('map_users_apps ua', 'ua.appID = f.appID and ua.userID = :user', ['user' => Yii::$app->user->id]);

    // and only files of the application currently selected
    $condition = ['and', ['f.appID' => PitApp::currentId()]];

    // permissions
    $user = Yii::$app->user;
    if (!$user->can(Permissions::FILE_VIEW_SYSTEM)) {
        // typeV == -1 marks a system file
        $condition[] = ['!=', 'f.typeV', '-1'];
    }
    if (!$user->can(Permissions::FILE_VIEW)) {
        // without FILE_VIEW the user only sees files uploaded by himself
        $condition[] = ['f.uploaded_by' => $user->id];
    }

    return $query->where($condition);
}
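The following is an added, framework-independent example (not code from the original post and not Yii's own API) of the design in both posts above: the same permission policy expressed once as a per-object check, as used by file/view?id=N, and once as a query filter, as used by file/index, together with the check a reviewer would want, namely that the list returns exactly the rows the single-object check would allow. Table and column names (tbl_files, map_users_apps, appID, typeV, uploaded_by) and the typeV == -1 convention for system files follow the post; the role-to-permission mapping, the User class, and the sample rows are constructed assumptions.

```python
"""Added example: one permission policy as a per-object check and as a
query filter, with a consistency check between the two."""
import sqlite3

SYSTEM_TYPE = -1  # post's convention: typeV == -1 marks a system file

# Assumed mapping of roles to permissions, following the updated design:
# administrators may also see system files, managers see all files of the
# application, limited users only their own files.
ROLE_PERMS = {
    "administrator": {"FILE_VIEW", "FILE_VIEW_SYSTEM"},
    "manager": {"FILE_VIEW"},
    "limited": set(),
}


class User:
    """Minimal stand-in for Yii::$app->user (assumption, not Yii's class)."""

    def __init__(self, uid, role, current_app):
        self.id, self.role, self.current_app = uid, role, current_app

    def can(self, perm):
        return perm in ROLE_PERMS[self.role]


def can_view(user, file_row, member_of):
    """Per-object check, the equivalent of the rules behind file/view?id=N.
    file_row = (id, appID, typeV, uploaded_by); member_of = appIDs of the user."""
    _, app_id, type_v, uploaded_by = file_row
    if app_id != user.current_app or app_id not in member_of:
        return False
    if type_v == SYSTEM_TYPE and not user.can("FILE_VIEW_SYSTEM"):
        return False
    if not user.can("FILE_VIEW") and uploaded_by != user.id:
        return False
    return True


def visible_files_sql(user):
    """Query filter for file/index, built from the same permission checks as
    can_view (mirrors the structure of the post's File::findVisible)."""
    sql = ("SELECT f.id, f.appID, f.typeV, f.uploaded_by FROM tbl_files f "
           "INNER JOIN map_users_apps ua ON ua.appID = f.appID AND ua.userID = :user "
           "WHERE f.appID = :app")
    params = {"user": user.id, "app": user.current_app}
    if not user.can("FILE_VIEW_SYSTEM"):
        sql += " AND f.typeV != :system"
        params["system"] = SYSTEM_TYPE
    if not user.can("FILE_VIEW"):
        sql += " AND f.uploaded_by = :user"
    return sql + " ORDER BY f.id", params


def sample_db():
    """Constructed sample data: two applications, three users, system and
    normal files. User 100 is an administrator, 200 a manager, 300 limited."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE tbl_files (id INTEGER, appID INTEGER, typeV INTEGER, uploaded_by INTEGER);
        CREATE TABLE map_users_apps (userID INTEGER, appID INTEGER);
        INSERT INTO tbl_files VALUES
            (1, 10, 1, 100), (2, 10, -1, 100), (3, 10, 1, 200),
            (4, 10, -1, 300), (5, 20, 1, 200), (6, 10, 1, 300);
        INSERT INTO map_users_apps VALUES (100, 10), (200, 10), (200, 20), (300, 10);
    """)
    return db


def list_ids(db, user):
    """File ids the list view (query filter) returns for the user."""
    sql, params = visible_files_sql(user)
    return [row[0] for row in db.execute(sql, params)]


def per_item_ids(db, user):
    """File ids the single-object check would allow, evaluated row by row."""
    member_of = {r[0] for r in db.execute(
        "SELECT appID FROM map_users_apps WHERE userID = ?", (user.id,))}
    rows = db.execute("SELECT id, appID, typeV, uploaded_by FROM tbl_files ORDER BY id")
    return [row[0] for row in rows if can_view(user, row, member_of)]


def filters_agree(db, user):
    """The check that matters: the list must show exactly the files the
    single-object action would allow, no more (a leak) and no less."""
    return list_ids(db, user) == per_item_ids(db, user)


if __name__ == "__main__":
    db = sample_db()
    for u in (User(100, "administrator", 10), User(200, "manager", 10),
              User(300, "limited", 10), User(200, "manager", 30)):
        print(u.role, u.current_app, list_ids(db, u), filters_agree(db, u))
```

The point of filters_agree is that a list filter and a per-object rule are two implementations of one policy; whenever a permission or rule is changed in one place, this kind of check (run against fixture data in a test) catches the two drifting apart, which is how list views end up exposing rows the detail view would have refused.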