Is there some way to use RBAC to control query results? Specifically - if I have a table where access control specifies a child rule, such as "isAuthor", is there an elegant way of using the RBAC rule to drive the results of a query so that the user only has access to records of which he is the author? My current way of doing this is to add a "viewAllAuthors" permission e.g.
    use yii\data\ActiveDataProvider;
    use yii\web\UnauthorizedHttpException;

    public function actionIndex()
    {
        $user = \Yii::$app->user;
        // Gate the whole action on the base permission first.
        if (!$user->can('viewItem')) {
            throw new UnauthorizedHttpException();
        }
        // Users with the extra permission see every row; everyone else is
        // restricted to rows whose authorID matches their own id.
        $query = $user->can('viewAllItems')
            ? User::find()
            : User::find()->where(['authorID' => $user->identity->id]);
        $dataProvider = new ActiveDataProvider(['query' => $query]);
        return $this->render('index', ['dataProvider' => $dataProvider]);
    }
But this is kind of clunky, inflexible and error-prone. Since I run the risk of exposing a client’s data to other clients, I’m looking for a more elegant solution.
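As an added example (not code from the question), the usual Yii2 shape for this: the child rule is a `yii\rbac\Rule` subclass used for single-record checks, and the listing restriction lives in one ActiveQuery scope so that the ownership filter is the default and cannot be forgotten per controller. The names `Item`, `ItemQuery`, `AuthorRule`, `viewOwnItem` and `viewAllItems` are assumptions.

```php
<?php
// Added example, not code from the question. Assumed names: an Item model with an
// authorID column, an ItemQuery class, and permissions 'viewOwnItem' / 'viewAllItems'.

namespace app\rbac;

use yii\rbac\Rule;

// Attached to the child permission: grants it only for the item the caller passes
// in $params['item']. Note $user here is the user ID, not the identity object.
class AuthorRule extends Rule
{
    public $name = 'isAuthor';

    public function execute($user, $item, $params)
    {
        return isset($params['item']) && (int) $params['item']->authorID === (int) $user;
    }
}

namespace app\models;

use yii\db\ActiveQuery;
use yii\db\ActiveRecord;

class ItemQuery extends ActiveQuery
{
    // Every listing goes through this scope, so the ownership filter is the default
    // and only the explicit 'viewAllItems' permission removes it.
    public function visibleTo(\yii\web\User $user)
    {
        if ($user->can('viewAllItems')) {
            return $this;
        }
        // A guest has no id; match nothing rather than rows whose authorID is NULL.
        return $this->andWhere(['authorID' => $user->isGuest ? -1 : $user->id]);
    }
}

class Item extends ActiveRecord
{
    public static function find()
    {
        return new ItemQuery(get_called_class());
    }
}

// In the controller, after the 'viewItem' gate, the ternary becomes one call:
//   $query = Item::find()->visibleTo(\Yii::$app->user);
// and a single record is checked through the rule-backed child permission:
//   \Yii::$app->user->can('viewOwnItem', ['item' => $model]);
```

The scope keeps the list and the per-record check consistent: both derive from the same `authorID` column, and an admin role simply gets `viewAllItems` assigned instead of bypassing the filter in controller code.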