Hello all,

I’m having difficulties in solving my issue so I’m looking for some advice:

The app has 2 sections: clients, offers

I’m working on an app that uses yii2-user, yii2-rbac for user management.

I have defined 3 users: admin, company and user.

  • Admin should be able to view/edit/add/delete in company and user’s records

  • Company should be able to create child users, view/edit/add/delete own + child created records in clients, offers.

  • Users should be able to view/edit/add/delete own records in clients and offers.

So far I’ve managed to view the records that belong to own user, but this is not restricting the view/edit/add/delete of records that can be guessed (changing the id in browser).

So the question is how to restrict every user to view/edit/add/delete only own records? The Yii2 documentation doesn’t have anything related to my issue, any pointers will be helpful.

I don’t know how you learn Yii, but you should read the guide first: owner-rule

Example: User can create and modify his own post


RBAC in general:
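The owner-rule pattern the reply points at, applied to the clients/offers setup from the question, as an added example (not code from the thread, from yii2-user or from yii2-rbac). It assumes the `client` and `offer` tables carry a `user_id` column holding the owner's id, that the `user` table has a `parent_id` column set on users a company account created, and that the auth manager is `yii\rbac\DbManager`; the permission and role names are chosen for the example. The point is the controller check at the bottom: `can()` is called with the loaded record, so a guessed id in the URL is refused instead of served.

```php
<?php
// --- file: app/rbac/OwnerRule.php (and OwnerOrChildRule below) ---
namespace app\rbac;

use Yii;
use yii\db\Query;
use yii\rbac\Rule;

/** Grants only when the record passed as $params['model'] belongs to the current user. */
class OwnerRule extends Rule
{
    public $name = 'isOwner';

    public function execute($user, $item, $params)
    {
        // Deny by default: a check made without the record is a bug, not a grant.
        if ($user === null || !isset($params['model'])) {
            return false;
        }
        // Assumed column: <table>.user_id stores the owner's user id.
        return (int) $params['model']->user_id === (int) $user;
    }
}

/** Owner check extended to records of users the current (company) user created. */
class OwnerOrChildRule extends OwnerRule
{
    public $name = 'isOwnerOrParentOfOwner';

    public function execute($user, $item, $params)
    {
        if (parent::execute($user, $item, $params)) {
            return true;
        }
        if ($user === null || !isset($params['model'])) {
            return false;
        }
        // Assumed column: user.parent_id points at the company account that created the user.
        $parentId = (new Query())->select('parent_id')->from('user')
            ->where(['id' => $params['model']->user_id])->scalar();
        return $parentId !== false && $parentId !== null && (int) $parentId === (int) $user;
    }
}

// --- one-time setup, e.g. in a console command (names below are the example's own) ---
$auth = Yii::$app->authManager;
$ownerRule = new OwnerRule();
$childRule = new OwnerOrChildRule();
$auth->add($ownerRule);
$auth->add($childRule);

// Unconditional permission: only the admin role holds it directly.
$manageClient = $auth->createPermission('manageClient');
$manageClient->description = 'View, edit, add or delete any client record';
$auth->add($manageClient);

// The same action, gated by the owner rule; 'manageClient' is its child so a
// successful rule check reaches the unconditional permission.
$manageOwnClient = $auth->createPermission('manageOwnClient');
$manageOwnClient->ruleName = $ownerRule->name;
$auth->add($manageOwnClient);
$auth->addChild($manageOwnClient, $manageClient);

$manageChildClient = $auth->createPermission('manageOwnOrChildClient');
$manageChildClient->ruleName = $childRule->name;
$auth->add($manageChildClient);
$auth->addChild($manageChildClient, $manageClient);

$userRole = $auth->createRole('user');
$auth->add($userRole);
$auth->addChild($userRole, $manageOwnClient);

$companyRole = $auth->createRole('company');
$auth->add($companyRole);
$auth->addChild($companyRole, $manageChildClient);

$adminRole = $auth->createRole('admin');
$auth->add($adminRole);
$auth->addChild($adminRole, $manageClient);

// --- file: app/controllers/ClientController.php (offers are handled the same way) ---
class ClientController extends \yii\web\Controller
{
    public function actionUpdate($id)
    {
        $model = \app\models\Client::findOne($id);
        if ($model === null) {
            throw new \yii\web\NotFoundHttpException('Client not found.');
        }
        // Check the record, not just the route: the rule on the permission chain
        // sees the loaded model and refuses records the user does not own.
        if (!Yii::$app->user->can('manageClient', ['model' => $model])) {
            throw new \yii\web\ForbiddenHttpException('You are not allowed to change this record.');
        }
        // ... load POST data, validate and save as usual
    }
}
```

The same `can('manageClient', ['model' => $model])` call serves all three roles: admin reaches `manageClient` directly with no rule, a user reaches it only if `isOwner` passes, and a company only if `isOwnerOrParentOfOwner` passes. Repeat the permission trio for offers, and put the check in view, update and delete actions alike, since each of them loads a record by id.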