/** * @inheritdoc */ public function checkAccess($action, $model = null, $params = []) { parent::checkAccess($action, $model, $params); if (in_array($action, ['update', 'delete']) && $model->author_id != \Yii::$app->user->identity->id) { throw new ForbiddenHttpException(); } }