Is there an easy way to restrict a controller action to the owner/creator of the post without using full blown RBAC?
Right now I'm doing this for every controller:
use yii\web\NotFoundHttpException;

public function actionUpdate( $id ) {
    $model = $this->findModel( $id );
    if ( $model->user_id != Yii::$app->user->identity->id ) {
        throw new NotFoundHttpException( 'The requested page does not exist.' );
    }
    // ... rest of the action
}
But I think there must be a better way to restrict certain controllers to the users who created the $model that's being edited.
1) The recommended way is to use RBAC and rules. It's covered well in the official docs, in the dedicated section.
Example of a rule that checks if the author id matches the current user id passed via params:
namespace app\rbac;

use yii\rbac\Item;
use yii\rbac\Rule;

/**
 * Checks if authorID matches user passed via params
 */
class AuthorRule extends Rule
{
    public $name = 'isAuthor';

    /**
     * @param string|integer $user the user ID.
     * @param Item $item the role or permission that this rule is associated with
     * @param array $params parameters passed to ManagerInterface::checkAccess().
     * @return boolean a value indicating whether the rule permits the role or permission it is associated with.
     */
    public function execute($user, $item, $params)
    {
        // Deny when no post was passed; otherwise allow only if the post's author is the current user
        return isset($params['post']) ? $params['post']->createdBy == $user : false;
    }
}
Then you need to tie it to an existing permission (can be done in a migration or with extensions):
$auth = Yii::$app->authManager;

// add the rule
$rule = new \app\rbac\AuthorRule;
$auth->add($rule);

// the "updatePost" permission and the "author" role are assumed to exist already
// (created earlier in the same migration or seed script)
$updatePost = $auth->getPermission('updatePost');
$author = $auth->getRole('author');

// add the "updateOwnPost" permission and associate the rule with it.
$updateOwnPost = $auth->createPermission('updateOwnPost');
$updateOwnPost->description = 'Update own post';
$updateOwnPost->ruleName = $rule->name;
$auth->add($updateOwnPost);

// "updateOwnPost" will be used from "updatePost"
$auth->addChild($updateOwnPost, $updatePost);

// allow "author" to update their own posts
$auth->addChild($author, $updateOwnPost);
Then you can check if your user can update the post like this:
use Yii;
use yii\web\ForbiddenHttpException;

public function actionUpdate($id)
{
    $model = $this->findModel($id);
    if (!Yii::$app->user->can('updatePost', ['post' => $model])) {
        throw new ForbiddenHttpException('You are not allowed to edit this post');
    }
    ...
}
Also note that in case you found the model first and the user has no access to edit it, logically it's better to throw a 403 Forbidden exception rather than a 404, since it's found but not allowed for editing.
Don't forget to include a rule like that in the AccessControl behavior:
[
'allow' => true,
'actions' => ['update'],
'roles' => ['@'],
],
It means that the update action of this controller can only be accessed by authorized users, excluding guests.
2) If for some reason you don't want to use RBAC, you can use your approach:
use Yii;
use yii\web\ForbiddenHttpException;

public function actionUpdate($id)
{
    $model = $this->findModel($id);
    if ($model->user_id != Yii::$app->user->id) {
        throw new ForbiddenHttpException('You are not allowed to edit this post.');
    }
    ...
}
To improve this you can abstract from this check by moving this logic to a helper method:
namespace app\posts\components;

use Yii;

class PostPermission
{
    /**
     * @param $model Post
     * @return boolean
     */
    public static function allowedToUpdate($model)
    {
        // Compare (not assign): the post's owner must be the current user
        return $model->user_id == Yii::$app->user->id;
    }
}
Then call it like that:
use app\posts\components\PostPermission;
use yii\web\ForbiddenHttpException;

if (!PostPermission::allowedToUpdate($model)) {
    throw new ForbiddenHttpException('You are not allowed to edit this post.');
}
It's just an example, the method doesn't have to be static, you can construct an instance using $model.
You can just directly create the method in the Post model, but it's better to not pollute the model with such logic.
3) Another alternative that I can advise is to restrict the scope initially to the current user when finding the model:
use Yii;
use app\models\Post;
use yii\web\NotFoundHttpException;

/**
 * @param integer $id
 * @return Post
 * @throws NotFoundHttpException
 */
protected function findModel($id)
{
    // Scope the lookup to the current user, so other users' posts are simply "not found"
    $model = Post::findOne(['id' => $id, 'user_id' => Yii::$app->user->id]);
    if ($model) {
        return $model;
    } else {
        throw new NotFoundHttpException('This post does not exist.');
    }
}
This can be improved for site administrators:
use Yii;
use app\models\Post;
use yii\web\NotFoundHttpException;

/**
 * @param integer $id
 * @return Post
 * @throws NotFoundHttpException
 */
protected function findModel($id)
{
    $query = Post::find()->where(['id' => $id]);
    if (!Yii::$app->user->identity->is_admin) { // replace with your own check
        // non-admins only see their own posts
        $query->andWhere(['user_id' => Yii::$app->user->id]);
    }
    $model = $query->one();
    if ($model) {
        return $model;
    } else {
        throw new NotFoundHttpException('This post does not exist.');
    }
}
Then you only write:
public function actionUpdate($id)
{
    $model = $this->findModel($id);
    ...
}
That way in both cases (model not found and not allowed for editing by the current user), a 404 Not Found exception will be raised. On the other hand, nothing is wrong with that, because technically for this user this model does not exist (since he is not the author of it).
We can use AccessControlFilter for restricting controller actions instead of RBAC. The code below will give access to actionUpdate only if it passes the denyCallback.
use yii\filters\AccessControl;
use yii\web\Controller;
use yii\web\ForbiddenHttpException;

class SiteController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                'only' => ['update', 'delete'],
                'rules' => [
                    [
                        'actions' => ['update'],
                        'allow' => false,
                        'denyCallback' => function ($rule, $action) { // PHP callable that is called when this rule denies access.
                            // Write your logic here to deny the action;
                            // a ForbiddenHttpException yields a proper 403 instead of a generic 500
                            throw new ForbiddenHttpException('You are not allowed to access this page');
                        },
                    ],
                ],
            ],
        ];
    }

    public function actionUpdate()
    {
        return $this->render('update');
    }
}
For your reference https://github.com/yiisoft/yii2/blob/master/docs/guide/security-authorization.md
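Both answers mention putting the ownership decision into the AccessControl filter rather than repeating it in every action, which is what the question was asking for. The following is an added example and is not code from either answer or from the Yii project: a reusable AccessRule subclass that loads the record named by the request and matches only if the current user owns it (or passes an optional admin callback). The class name OwnerAccessRule, the app\filters namespace, the Post model with a user_id column, the is_admin identity attribute and the id route parameter are all assumptions made for the example; primaryKey(), findOne(), matchCustom() and the per-rule 'class' key are real Yii 2 APIs.

```php
<?php
// Added example, not from the original page. Two classes are shown in one file with
// braced namespaces for readability; in a project each would live in its own file.

namespace app\filters {

    use Yii;
    use yii\filters\AccessRule;
    use yii\web\NotFoundHttpException;

    class OwnerAccessRule extends AccessRule
    {
        /** @var string ActiveRecord class of the protected resource (assumed by the caller) */
        public $modelClass;
        /** @var string attribute holding the owner's user id */
        public $ownerAttribute = 'user_id';
        /** @var string GET parameter carrying the primary key */
        public $idParam = 'id';
        /** @var callable|null function ($identity): bool, true for users allowed to bypass ownership */
        public $adminCallback;

        /**
         * Runs after actions/roles/IPs/verbs have matched. Returning false means
         * "rule does not match", so AccessControl applies its default denial:
         * 403 for authenticated users, a login redirect for guests.
         */
        protected function matchCustom($action)
        {
            if (!parent::matchCustom($action)) {
                return false;
            }
            $user = Yii::$app->user;
            if ($user->isGuest) {
                return false;
            }

            // Explicit array condition keyed by the primary key, so request input can
            // never become an arbitrary WHERE clause (see the findOne() warning in the Yii guide).
            $class = $this->modelClass;
            $pk = $class::primaryKey()[0];
            $model = $class::findOne([$pk => Yii::$app->request->get($this->idParam)]);
            if ($model === null) {
                // The record really does not exist: 404 is the correct answer here.
                throw new NotFoundHttpException('The requested page does not exist.');
            }

            if ($this->adminCallback !== null && call_user_func($this->adminCallback, $user->identity)) {
                return true;
            }

            // Cast both sides before a strict comparison: the column may come back from
            // the DB as a string, and a loose == would accept junk like "1abc" on PHP 7.
            return (int) $model->{$this->ownerAttribute} === (int) $user->id;
        }
    }
}

namespace app\controllers {

    use Yii;
    use app\filters\OwnerAccessRule;
    use app\models\Post;                 // assumed ActiveRecord with a user_id column
    use yii\filters\AccessControl;
    use yii\web\Controller;

    class PostController extends Controller
    {
        public function behaviors()
        {
            return [
                'access' => [
                    'class' => AccessControl::class,
                    'only' => ['update', 'delete'],
                    'rules' => [
                        [
                            'class' => OwnerAccessRule::class,   // per-rule class override
                            'allow' => true,
                            'actions' => ['update', 'delete'],
                            'roles' => ['@'],                    // authenticated users only
                            'modelClass' => Post::class,
                            'ownerAttribute' => 'user_id',
                            'adminCallback' => function ($identity) {
                                return !empty($identity->is_admin); // assumed identity attribute
                            },
                        ],
                    ],
                ],
            ];
        }

        public function actionUpdate($id)
        {
            // The filter has already verified that the post exists and that the current
            // user owns it (or is an admin), so the action body needs no ownership check.
            $model = Post::findOne(['id' => $id]);
            if ($model->load(Yii::$app->request->post()) && $model->save()) {
                return $this->redirect(['view', 'id' => $model->id]);
            }
            return $this->render('update', ['model' => $model]);
        }
    }
}
```

Behaviour worth noting: a guest never reaches the ownership lookup, because the 'roles' => ['@'] condition fails first and AccessControl redirects to login; an authenticated non-owner gets a 403 from AccessControl's default denyAccess(), which is the status the first answer argues for; a missing record gets a 404 from the rule itself. Wiring the same rule into another controller is a matter of changing 'modelClass' and, if needed, 'ownerAttribute'.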