Use RBAC to control query results

Is there some way to use RBAC to control query results? Specifically - if I have a table where access control specifies a child rule, such as "isAuthor", is there an elegant way of using the RBAC rule to drive the results of a query so that the user only has access to records of which he is the author? My current way of doing this is to add a "viewAllAuthors" permission e.g.


    public function actionIndex()
    {
        $user = \Yii::$app->user;

        // Coarse check first: may this user view items at all?
        if (!$user->can('viewItem')) {
            throw new \yii\web\UnauthorizedHttpException();
        }

        // Users holding 'viewAllItems' see every record; everyone else only their own.
        // (Model class assumed to be app\models\User, as written in the original post.)
        $query = $user->can('viewAllItems')
            ? User::find()
            : User::find()->where(['authorID' => $user->identity->id]);

        $dataProvider = new \yii\data\ActiveDataProvider(['query' => $query]);

        return $this->render('index', ['dataProvider' => $dataProvider]);
    }



But this is kind of clunky, inflexible and error-prone. Since I run the risk of exposing clients’ data to other clients, I’m looking for a more elegant solution.

Maybe this could be inspiring:

http://www.yiiframework.com/wiki/603/a-multi-tenant-strategy-using-yii-and-mysql/

It’s Yii 1.1 but you’ll get the idea.

Thanks for that - definitely a useful approach for multi-tenant. But I’m also looking for something a lot simpler. This use case appears in lots of situations other than multi-tenant, and it would be nice to be able to enter the RBAC data once and use that to drive the query so that the user only sees data that he/she is authorized for. I just can’t think of an elegant way of doing this.
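One way to take the "own records only" restriction out of every controller action, as an added example that is not from this thread or from the Yii project: put the RBAC-driven filter into a custom ActiveQuery scope so the permission names and the `authorID` condition are written once. The model name `app\models\Item`, the `ItemQuery` class and the `visibleTo()` method are assumptions; the permissions `viewItem` / `viewAllItems` and the `authorID` column are those from the question.

```php
<?php
// Added example: centralise the RBAC-driven row filter in one query scope.
// Assumed: app\models\Item has an `authorID` column; permissions
// 'viewItem' and 'viewAllItems' exist in the auth manager (as in the question).
namespace app\models;

use yii\db\ActiveQuery;
use yii\db\ActiveRecord;
use yii\web\User as WebUser;

class ItemQuery extends ActiveQuery
{
    /**
     * Restrict the query to rows the given user is allowed to see.
     * 'viewAllItems' holders see everything; everyone else only rows
     * where authorID matches their own id; guests match no row at all.
     */
    public function visibleTo(WebUser $user): self
    {
        if ($user->can('viewAllItems')) {
            return $this;
        }
        if ($user->isGuest) {
            // Fail closed: a never-true condition beats an unfiltered query.
            return $this->andWhere('0=1');
        }
        return $this->andWhere(['authorID' => $user->id]);
    }
}

class Item extends ActiveRecord
{
    public static function tableName(): string
    {
        return '{{%item}}';
    }

    // Every Item::find() now returns the scoped query class.
    public static function find(): ItemQuery
    {
        return new ItemQuery(static::class);
    }
}

// In a controller action the permission check and the scoping shrink to:
//   $user = \Yii::$app->user;
//   if (!$user->can('viewItem')) { throw new \yii\web\ForbiddenHttpException(); }
//   $dataProvider = new \yii\data\ActiveDataProvider([
//       'query' => Item::find()->visibleTo($user),
//   ]);
```

Because `andWhere()` is used rather than `where()`, the scope composes with any other conditions a controller adds, so a later `->andWhere([...])` cannot silently drop the author restriction.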