Uploading files in a webapp can be extremely tricky and sometimes the quickest way to do it is to store the file directly in the webserver or into a DNS (like Amazon S3) and then to save the link and the metadata inside a table in the DB. The thing is that you'll have to deal with file permissions, server storage, file management and so on (which is perfectly fine, by the way).
This HowTo assumes that you have a smattering of ACL in general and of how the acl-extension works basically. It will introduce you into the abstract and give you a hint on how to use Business-Rules. If you have in-depth questions, please refer to the extension documentation.
Using ACL in an RBAC-manner cannot and should never obscure the fact that the underlying system is still ACL-based. In fact, the Business-Rules are just another layer in the permission-check plan.
The tips here are for advanced usages of composer and its assumed you have read about using composer and have a knowledge of your vendor packages to be updated. Let's consider, you want to update only one specific yii2 vendor library, without updating all the other extension packages?