diff --git a/framework/filters/AccessControl.php b/framework/filters/AccessControl.php
index e75b012..29d0659 100644
--- a/framework/filters/AccessControl.php
+++ b/framework/filters/AccessControl.php
@@ -65,8 +65,8 @@ class AccessControl extends ActionFilter
 * function ($rule, $action)
 * ~~~
 *
- * where `$rule` is this rule, and `$action` is the current [[Action|action]] object.
- * `$rule` will be `null` if access is denied because none of the rules matched.
+ * where `$rule` is the rule that denies the user, and `$action` is the current [[Action|action]] object.
+ * `$rule` can be `null` if access is denied because none of the rules matched.
 */
 public $denyCallback;
 /**
diff --git a/framework/rbac/BaseManager.php b/framework/rbac/BaseManager.php
index 96356af..cd3dbaf 100644
--- a/framework/rbac/BaseManager.php
+++ b/framework/rbac/BaseManager.php
@@ -190,19 +190,21 @@ abstract class BaseManager extends Component implements ManagerInterface
 * If the item does not specify a rule, this method will return true. Otherwise, it will
 * return the value of [[Rule::execute()]].
 *
+ * @param string|integer $user the user ID. This should be either an integer or a string representing
+ * the unique identifier of a user. See [[\yii\web\User::id]].
 * @param Item $item the auth item that needs to execute its rule
 * @param array $params parameters passed to [[ManagerInterface::checkAccess()]] and will be passed to the rule
 * @return boolean the return value of [[Rule::execute()]]. If the auth item does not specify a rule, true will be returned.
 * @throws InvalidConfigException if the auth item has an invalid rule.
 */
- protected function executeRule($item, $params)
+ protected function executeRule($user, $item, $params)
 {
 if ($item->ruleName === null) {
 return true;
 }
 $rule = $this->getRule($item->ruleName);
 if ($rule instanceof Rule) {
- return $rule->execute($item, $params);
+ return $rule->execute($user, $item, $params);
 } else {
 throw new InvalidConfigException("Rule not found: {$item->ruleName}");
 }
diff --git a/framework/rbac/Rule.php b/framework/rbac/Rule.php
index 7d2c1da..4a9dd54 100644
--- a/framework/rbac/Rule.php
+++ b/framework/rbac/Rule.php
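Review bot: Adding `$user` as the first parameter of the protected `executeRule()` shifts `$item` and `$params` one position to the right, so a subclass override or call site still written as `executeRule($item, $params)` would evaluate the rule with the auth item in the user slot. The call sites are not in the visible hunks, so each one should be confirmed to pass the same user ID that reached `checkAccess()`. The new `@param` text could also state what the method does with the value, for example `the user ID; passed to [[Rule::execute()]] unchanged and not validated here`. The function's closing brace lies outside the hunk.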
@@ -35,8 +35,8 @@ abstract class Rule extends Object
 *
 * @param string|integer $user the user ID. This should be either an integer or a string representing
 * the unique identifier of a user. See [[\yii\web\User::id]].
- * @param Item $item the auth item that this rule is associated with
- * @param array $params parameters passed to [[ManagerInterface::allow()]].
+ * @param Item $item the role or permission that this rule is associated with
+ * @param array $params parameters passed to [[ManagerInterface::checkAccess()]].
 * @return boolean a value indicating whether the rule permits the auth item it is associated with.
 */
 abstract public function execute($user, $item, $params);