How to prevent an action for everyone except the owner?

In the project, accesses are regulated using the rbac-behaver. There is a payment information page to which you can download the contract. Also, the downloaded contract can then be downloaded. The problem is that the download link looks like site/attachments/file/download?id=43. I'm using the nemmo/yii2-attachments widget. The table with files has the fields itemId (the model to which the file is loaded) and iserId - in fact, the user who downloaded the contract. So, how can a condition be written in a behaver or somewhere else for the possibility of downloading a contract only for its owner? Something like File->userId !== Yii::$app->user->identity->getId() , but what is the right way to write it?