Environment: OS: macOS Mojave; PHP: 7.2.9; Yii2: 2.0.21 (basic template)
At first my app ran on Yii2 2.0.5 and everything worked. Then PHP was updated to 7.2.9, and the application failed with this error:
Fatal error: Cannot use 'Object' as class name as it is reserved
Then Yii2 was updated to 2.0.21.
After that the app ran normally, but every user could access every permission and role.
This is my RbacController.php:
<?php
namespace app\commands;
use Yii;
use yii\console\Controller;
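class RbacController extends Controller
{
    /**
     * Rebuilds the RBAC data from scratch: removes everything held by the
     * authManager, registers UserGroupRule, then creates the permissions and
     * the role hierarchy declared below.
     *
     * Every role is bound to UserGroupRule through ruleName. Adding the rule to
     * the authManager only registers it; a role whose ruleName is left empty is
     * never filtered by the rule. If such a role is also listed in the
     * authManager's defaultRoles, every user holds it unconditionally.
     */
    public function actionInit()
    {
        $permissions = [
            /* permission template
            'permission_name' => 'description',
            */
            'kelolaCuti' => 'Kelola Cuti',
            'kelolaStaff' => 'Kelola data staff',
        ];

        // Each role lists its children (permissions or previously declared roles).
        // A child must appear earlier in this array than the role that inherits it,
        // because children are looked up right after the parent role is added.
        $roles = [
            /* role template
            'role_name' => ['permission/role', ...],
            */
            'staff' => [
                'kelolaCuti',
            ],
            'admin' => [
                'staff',
                'kelolaStaff',
            ],
            'supervisor' => [
                'admin',
            ],
            'direksi' => [
                'supervisor',
            ],
            'administrator' => [
                'direksi',
            ],
            'superuser' => [
                'administrator',
            ],
        ];

        // Prepare the authManager: wipe all items, rules and assignments.
        $auth = Yii::$app->authManager;
        $auth->removeAll();

        $rule = new \app\rbac\UserGroupRule;
        $auth->add($rule);

        // Add the permissions.
        foreach ($permissions as $name => $description) {
            $permission = $auth->createPermission($name);
            $permission->description = $description;
            $auth->add($permission);
        }

        // Add the roles.
        foreach ($roles as $name => $children) {
            $role = $auth->createRole($name);
            // Bind the role to the group rule so the role is granted only when
            // UserGroupRule::execute() returns true for it.
            $role->ruleName = $rule->name;
            $auth->add($role);
            foreach ($children as $child) {
                $auth->addChild($role, $auth->getItem($child));
            }
        }
    }
}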
This is my rule:
<?php
namespace app\rbac;
use Yii;
use yii\rbac\Rule;
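class UserGroupRule extends Rule
{
    public $name = 'userGroup';

    /**
     * Highest group code that may hold each role. Lower codes are more
     * privileged, so a role is granted to codes 1..limit.
     *
     * ROLES codes from app\models\Staff:
     *   1 => 'Super User', 2 => 'Administrator', 3 => 'Direksi',
     *   4 => 'Supervisor', 5 => 'Admin', 6 => 'Staff'
     */
    const MAX_GROUP_BY_ROLE = [
        'superuser' => 1,
        'administrator' => 2,
        'direksi' => 3,
        'supervisor' => 4,
        'admin' => 5,
        'staff' => 6,
    ];

    /**
     * Decides whether the role $item applies, based on the group code stored in
     * the logged-in identity's `role` attribute.
     *
     * The decision is made for the identity of the current session
     * (Yii::$app->user), not for the $user argument, so an access check issued
     * for a different user id is still evaluated against the logged-in user.
     *
     * @param string|int $user the user id passed by the auth manager (not used)
     * @param \yii\rbac\Item $item the role this rule is attached to
     * @param array $params parameters passed to the access check (not used)
     * @return bool whether the current identity's group may hold the role;
     *              false for guests, unknown roles and non-integer group values
     */
    public function execute($user, $item, $params)
    {
        if (Yii::$app->user->isGuest) {
            return false;
        }

        $group = Yii::$app->user->identity->role;

        // The value may arrive as a numeric string; accept only plain digits and
        // compare as an integer, so a loosely matching value such as true or
        // "1abc" cannot satisfy an authorization check.
        if (is_string($group) && ctype_digit($group)) {
            $group = (int) $group;
        }
        if (!is_int($group)) {
            return false;
        }

        $limits = self::MAX_GROUP_BY_ROLE;
        if (!isset($limits[$item->name])) {
            // Unknown role names are denied rather than guessed.
            return false;
        }

        return $group >= 1 && $group <= $limits[$item->name];
    }
}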
This is my config/web.php:
...
// RBAC component configuration, using the file-based PhpManager.
'authManager' => [
'class' => 'yii\rbac\PhpManager',
// defaultRoles are held by every user, guests included, without any stored
// assignment. Listing a role here is only safe when that role has a rule
// attached through ruleName; a default role without a rule is granted
// unconditionally, together with everything it inherits.
'defaultRoles' => ['superuser', 'administrator', 'direksi', 'supervisor', 'admin', 'staff'],
],
...
The user table has a role field, which serves as the group in RBAC.
As the code shows, the staff role is not granted kelolaStaff, but when a user with the staff role is logged in, Yii::$app->user->can('kelolaStaff') returns TRUE.
Edit
As advised by @Bizley below,
to get my app working: 1. Set defaultRoles to just staff:
...
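// RBAC component configuration, using the file-based PhpManager.
'authManager' => [
    'class' => 'yii\rbac\PhpManager',
    // Only the lowest role stays a default role; every higher role has to be
    // assigned to the user explicitly. A default role is held by every user,
    // guests included, unless a rule attached to the role rejects them.
    // (The stray fragment of the previous defaultRoles list was dropped here;
    // it made the snippet invalid PHP.)
    'defaultRoles' => ['staff'],
],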
...
2. Assign the role manually after login:
// Re-create this user's stored RBAC assignment from the role code on the user
// record: drop every existing assignment, then assign the one matching role.
// NOTE(review): with PhpManager the assignments are presumably persisted to its
// assignment file, so this would rewrite that file on every login - confirm.
$auth = \Yii::$app->authManager;
$auth->revokeAll($this->_user->id);

// Map the role code to the RBAC role name. Only three codes are handled; any
// other code leaves the user without an explicit assignment.
$roleCode = $this->_user->role;
$roleName = null;
if ($roleCode == Staff::ROLE_SUPERUSER) {
    $roleName = 'superuser';
} elseif ($roleCode == Staff::ROLE_ADMINISTRATOR) {
    $roleName = 'administrator';
} elseif ($roleCode == Staff::ROLE_STAFF) {
    $roleName = 'staff';
}

// NOTE(review): can() is evaluated for the application's current user component,
// not for $this->_user - confirm both are the same identity at this point.
// Because all assignments were revoked above, can() is expected to be true only
// through a default role, in which case the explicit assignment is skipped.
if ($roleName !== null && !Yii::$app->user->can($roleName)) {
    $grantRole = $auth->getRole($roleName);
    $auth->assign($grantRole, $this->_user->id);
}