Cake Auth Policies advice

I’m familiar with entity policy (canAdd, canEdit) but I’m not sure how to apply canView in a (possibly) non standard case where my data isn’t an entity (or rather, has been transformed after retrieval).

I have a scenario where the user requests

/report/{code}/{date}

the logic is:

$result = $this→Reports→find()→where(
    [‘report.code‘ => $code, ‘report.date’ => $date]
)→all();
if(empty($result) { 
    return $this→generateBlankTemplate(); 
    // a custom array of preset defined values.
} 
return $result;

Now I could do

if($user→code === $code) { // the user is able to continue

in my controller – but that doesn’t seem to make use of the policy logic very well

Because my template code doesn’t use an entity, I’m not sure what to pass in to

$this->Authorization->authorize other than creating a blank entity?

$this->Authorization->authorize($result[‘code’]); // won’t work

Will your find query be returning multiple results? If so, what is the intention of the authorization? To confirm that the user has access to all of them? Eliminate the ones they don’t have access to? Pass if they have access to at least one, and let the view decide which to show them?