Symfony 3.4 Access Denied - API REST (Check Profile)

Question

Hello i am trying to create an api rest with symfony 3.4.

And when i try to GET in http://localhost:8000/users/3 (token entered for sure) that's tell me : access denied ... but when i delete "@Security("is_granted('show', 'theUser')", message="Access denied")"- of UserController that works but you can check all profiles not only yours...

USER CONTROLLER (get user action):

 */
private $passwordEncoder;

/**
 * @var JWTEncoderInterface
 */
private $jwtEncoder;

public function __construct(UserPasswordEncoderInterface $passwordEncoder, JWTEncoderInterface $jwtEncoder)
{
    $this->passwordEncoder = $passwordEncoder;
    $this->jwtEncoder = $jwtEncoder;
}

/**
 * @Rest\View()
 * @Security("is_granted('show', 'theUser')", message="Access denied")
 */
public function getUserAction(User $theUser)
{
    if (null === $theUser) {
        throw new NotFoundHttpException();
    }

    return $theUser;
}

/**
 *
 * @Rest\Post(
 *     path = "/users",
 *     name = "users_add"
 * )
 * @Rest\View(StatusCode=201)
 * @ParamConverter(
 *     "user",
 *     converter="fos_rest.request_body",
 *     options={"deserializationContent"={"groups"={"Deserialize"}}}
 * )
 */
public function postUserAction(User $user, ConstraintViolationListInterface $violations)
{
    if (count($violations) > 0) {
        $message = 'The user is not valid: ';
        foreach ($violations as $violation) {
            $message .= sprintf(
                "Field %s: %s ",
                $violation->getPropertyPath(),
                $violation->getMessage()
            );
        }

        throw new ResourceValidationException($message);
    }

    $user->setPassword(
        $this->passwordEncoder->encodePassword(
            $user,
            $user->getPassword()
        )
    );
    $user->setRoles([User::ROLE_USER]);

    $em = $this->getDoctrine()->getManager();
    $em->persist($user);
    $em->flush();

    return $user;
}

}`

USERVOTER: const SHOW = 'show';

/**
 * Determines if the attribute and subject are supported by this voter.
 *
 * @param string $attribute An attribute
 * @param mixed $subject The subject to secure, e.g. an object the user wants to access or any other PHP type
 *
 * @return bool True if the attribute and subject are supported, false otherwise
 */
protected function supports($attribute, $subject)
{
    if (!in_array($attribute, [self::SHOW])) {
        return false;
    }

    if (!$subject instanceof User) {
        return false;
    }

    return true;
}

/**
 * Perform a single access check operation on a given attribute, subject and token.
 * It is safe to assume that $attribute and $subject already passed the "supports()" method check.
 *
 * @param string $attribute
 * @param mixed $subject
 * @param TokenInterface $token
 *
 * @return bool
 */
protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
{
    switch ($attribute) {
        case self::SHOW:
            return $this->isUserHimself(
                $subject,
                $token);
    }

    return false;
}

/**
 * @param $subject
 * @param TokenInterface $token
 * @return bool
 */
protected function isUserHimself($subject, TokenInterface $token)
{
    $authenticatedUser = $token->getUser();

        if (!$authenticatedUser instanceof User) {
        return false;
    }

    /**
     * @var User $user
     */
    $user = $subject;

    return $authenticatedUser->getId() === $user->getId();
}

}

Answer 1

Ok that's all good !!! I just delete the quotes in : * @Security("is_granted('show', 'theUser')", message="Access denied") to * @Security("is_granted('show', theUser)", message="Access denied")

If someone can explain what the difference in @Sercurity when you put quotes or not thx :)