Let's start by having a look at how the User model is used in Yii.

You can open the file located at /models/User.php.

The first thing to notice is that the User class extends from a generic Yii Object class and implements IdentityInterface:

// User.php

namespace appmodels;

use yiiaseObject;
use yiiwebIdentityInterface;

class User extends Object implements IdentityInterface
{
    // ...

The yiiaseObject class is the parent class of all classes, which implements the concept of virtual attributes, with the use of dynamically invoked getters and setters, while yiiwebIdentityInterface provides the signature for methods we need to implement in our class to provide the authentication mechanism.

You will also notice by the private property $users that the model does not connect to a database; instead, it holds all the authentication data within the class itself. This has been done on purpose by the Yii developers, in order to have everything working without additional effort. This not only alleviates the problem of massive refactors in case you're not using any authentication in your app, but it's also a good starting point if you need to learn how the authentication works.

Authentication in Yii is not particularly straightforward, and a lot of the mechanism for authenticating a user is kept hidden from us; so, unless you need to implement some level of robustness in your application, you don't normally have to worry too much.

Instead, what is important to notice is that the authentication information is kept in an object, separate from the User model. This mechanism provides a separate and clean layer of security. From here, the authentication status is kept into a dynamically loaded class of the yiiwebUser type, which is accessible throughout the whole life of the application via Yii::$app->user. For instance, to check whether the user is logged in, we can do the following:

use Yii;

// check the user is logged in
if (!Yii::$app->user->isGuest) {
    // do something
}

This is actually used in several views, and it's clearly similar to what was happening before in Yii 1.

Having both static and private properties, as is the case with the $users variable in the User class, could make the job of testing our class quite hard, if not impossible, at times.

This is another reason why we need to modify the way it's defined entirely, and instead, the User class is extended from the ActiveRecord class and deals directly with the database. With this, we can make use of the fixtures that we can control without having to hardcode configuration settings or parameters in our tests, which could lead to unmaintainable tests, if not pointless ones.